MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3125dcaa097260cc2c569a569bb1ad45a8bb6a9d60cdadcabda5d5e71157e174. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3125dcaa097260cc2c569a569bb1ad45a8bb6a9d60cdadcabda5d5e71157e174
SHA3-384 hash: c221698f0ad89afd23c878af6d6a9b41e9abc912818cfea614175cb95e88833671958a2232159e9b9552e4bc062f5f9b
SHA1 hash: 55c1beb814e6a2d095b7e8f0985066478c816951
MD5 hash: 907c8cc629ae409033ee0a7f89a831f0
humanhash: quebec-lactose-cup-wolfram
File name:Payment_document00591742.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:794'624 bytes
First seen:2021-08-06 13:36:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:RzegfN/O4FVekt91G5ybCtSGU23RvlFoUMpXZ02sz0YTmklzugw0DNRt2NjFo:0K5eybCEbG3Mn02sNTXI30DNRMNjC
Threatray 599 similar samples on MalwareBazaar
TLSH T1ADF4E1257652C901D3AF2A37CDDF40084FF8F9423A63DF2B799A329D0A523A768465CD
dhash icon 96ceec79f0ec8e96 (5 x Formbook, 5 x AgentTesla, 2 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe RAT zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment_document00591742.exe
Verdict:
Malicious activity
Analysis date:
2021-08-06 13:42:26 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/b56a88aa-a2a9-4029-a5c2-4635a25cebff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177021/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.15158.20447.18919.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4668c16a-d228-4d2b-9b2c-ffce8043d1e7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/828317
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Creates an undocumented autostart registry key
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3125dcaa097260cc2c569a569bb1ad45a8bb6a9d60cdadcabda5d5e71157e174/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 10:40:17 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ges5zkqjojqmylcwtjljxmnniwulw2u5mdg23sv5uxk6oekx4f2a._file
Verdict:
unknown
Similar samples:
1acdc78e037fc8506cc2fb9b9031c33cd23d33a3feffff24d24d80157d488206
zgRAT
3409c1f1c5f2ea8d70638e1719ffe45ce11ff3a4068e180b581ba4befca4d50d
zgRAT
3686ddb8d635e49a9b4e396973aeca3f385a009e3f0265b6679db215776e2c58
zgRAT
5023ffb96d6d21805c48f275dbb208a1671ab8dd7f3c170ca4dba1ac08c075f9
zgRAT
662198412b44e61f7f0b495b939249c6bc05ebb154407de517b422e09145b19b
zgRAT
9c667699c6643d42dd1264b3657141bf3b23b56f47e527e33ae83030d937cb5a
zgRAT
ce1cf72e73bce44e190b5998072b7069653c9afb3fe4499441e8d4d791f56837
zgRAT
da2583a529827b15b05b18370fe5f8bab878fdd0c78e4fde91e2e5c5b476930f
zgRAT
fb800fa4c784f7a5c222ba238bba471b626e75c721cee3bc5fc314364600e70a
zgRAT
+ 589 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210806-9y3qzeklej/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
suricata: ET MALWARE zgRAT Activity M2
Unpacked files
SH256 hash:
aed00f82f1772e5a403cce9c1349202c8371e67ed9ef19a33cac0bf2a411f3c1
MD5 hash:
c273f926e2a29bd62cc8f27b569a0b2a
SHA1 hash:
e08d302cab3e11d776599a6b0537207fce6f9c51
Link:
https://www.unpac.me/results/a244d43d-dabf-48e7-bda6-5e34d2c20e2b/
SH256 hash:
54e54f4871b0dbfdb6c1f972f40866d61c2908264050797a15a91921ddf94be2
MD5 hash:
7915fc7520194e3d26823598efd6d502
SHA1 hash:
d566892a3e5761ac9a45dc28ef31a7e28665225a
Link:
https://www.unpac.me/results/a244d43d-dabf-48e7-bda6-5e34d2c20e2b/
SH256 hash:
f9871b4f9702da7ecba67176abb6873f3bca6e6674791067b2b8e6a3055c7900
MD5 hash:
7fa05c4307ce0dfe94fad68c4da303ea
SHA1 hash:
511f14679cac159c665ef10b5d6ece8647bc3d32
Link:
https://www.unpac.me/results/a244d43d-dabf-48e7-bda6-5e34d2c20e2b/
SH256 hash:
3125dcaa097260cc2c569a569bb1ad45a8bb6a9d60cdadcabda5d5e71157e174
MD5 hash:
907c8cc629ae409033ee0a7f89a831f0
SHA1 hash:
55c1beb814e6a2d095b7e8f0985066478c816951
Link:
https://www.unpac.me/results/a244d43d-dabf-48e7-bda6-5e34d2c20e2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3125dcaa097260cc2c569a569bb1ad45a8bb6a9d60cdadcabda5d5e71157e174

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zgRAT

Executable exe 3125dcaa097260cc2c569a569bb1ad45a8bb6a9d60cdadcabda5d5e71157e174

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177021/

Comments