MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3337faf918dbf673268d01fc2eee9cdd5f0996a050e37114bc54e25a1d44c157. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3337faf918dbf673268d01fc2eee9cdd5f0996a050e37114bc54e25a1d44c157
SHA3-384 hash: 47ce5e337946db2cc133ead9fa1f36d5f25f4f9cfaa0601b1e7970a4020c61861a6f604b7b590a9b08afa4e7df0cff6a
SHA1 hash: 6595d33e2bc87a5866ab374bfe69b1016e0e83d6
MD5 hash: 5aaffd3bd21341aabdfdae52e487813b
humanhash: failed-sweet-queen-november
File name:5aaffd3bd21341aabdfdae52e487813b
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'685'048 bytes
First seen:2023-11-21 05:23:27 UTC
Last seen:2023-11-21 09:13:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:A3M/kxJeXxGkdYd5ym7DZ9JrMM2QBukP5Q6l6Ka:GM/rXxfsDdrql
Threatray 3'832 similar samples on MalwareBazaar
TLSH T10A75E0057FE5C237C2BF5B76607283612BB9E94AB3A7D70B169821F81C433464E8467B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e0d29092e1cccec6 (1 x zgRAT)
Reporter zbetcheckin
Tags:32 exe zgRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
369
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5aaffd3bd21341aabdfdae52e487813b
Verdict:
Suspicious activity
Analysis date:
2023-11-21 05:25:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dbd964f1-b859-4cee-b6b7-8e9ebd6fde0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459427/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.17607.13729.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a window
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/655c3ef415cd82a1c99870ab/reports/e381d83e-0c65-40b7-9602-cb9dd5336143/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/3337faf918dbf673268d01fc2eee9cdd5f0996a050e37114bc54e25a1d44c157
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c4eb4329-5e49-461a-a6c1-c83bec9b7a35
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1345598
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1345598 Sample: NpvOnx6rF1.exe Startdate: 21/11/2023 Architecture: WINDOWS Score: 100 24 Malicious sample detected (through community Yara rule) 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Yara detected zgRAT 2->28 30 4 other signatures 2->30 6 gfff.exe 3 2->6         started        9 NpvOnx6rF1.exe 3 2->9         started        11 gfff.exe 2 2->11         started        process3 signatures4 32 Multi AV Scanner detection for dropped file 6->32 34 Machine Learning detection for dropped file 6->34 36 Injects a PE file into a foreign processes 6->36 13 gfff.exe 2 6->13         started        38 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->38 15 NpvOnx6rF1.exe 1 4 9->15         started        18 NpvOnx6rF1.exe 9->18         started        20 gfff.exe 2 11->20         started        process5 file6 22 C:\Users\user\AppData\Roaming\...\gfff.exe, PE32 15->22 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3337faf918dbf673268d01fc2eee9cdd5f0996a050e37114bc54e25a1d44c157
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3337faf918dbf673268d01fc2eee9cdd5f0996a050e37114bc54e25a1d44c157/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-11-12 06:17:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gm37v6iy3p3hgjunah6c53u43vpqtfvakdrxcff4ktrfuhkeyflq._file
Verdict:
malicious
Similar samples:
00f99e2925f2ac3ca02397be84c75bba0ef0ec7d7094273f6e5a4f280114e2f5
zgRAT
3337faf918dbf673268d01fc2eee9cdd5f0996a050e37114bc54e25a1d44c157
zgRAT
4239478f1ff05d0014ba2492e155e733b661473d7299cbf98eb8f81bbf6e719a
zgRAT
795e333056f12db05a5c212318e3f1e3d915a8e7f88737fc34321465a6c1bfad
zgRAT
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
zgRAT
a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564
zgRAT
c1bd141a8c2a27b5c7318229556282a4259a9caba1b3768ec58a83dc2d7afdca
zgRAT
cfa592b0128bc126fbf3fb66c551a8d87223b196f5e0cd87e60b88bdc688c6e0
zgRAT
f76c7d8841a467f13ab5d2c39b56d297a2fa94867973c201d40f877355849092
zgRAT
fc0b9d2a311a40467281c79ec0822d2fce7a156a9970fc98eb57fd55c71764e6
zgRAT
+ 3'822 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/231121-f3p44add2v/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
64d8e39e25b15128887536f0de000af1e775126aa8caf8014c4d8a4f1d14e0b6
MD5 hash:
53507d676ef35dc7c4a4ef11da629c8b
SHA1 hash:
cbe538ba2d0a6388f5e9e84cf7c9f34e7cbd4642
Link:
https://www.unpac.me/results/2299380b-c926-4cba-8fbc-2ec632d0aa7e/
SH256 hash:
0de0d7cd9b0c57c5545b1729f0bda6c51c0ac20efc1cfd15de8b4332d23d2536
MD5 hash:
b01d0f20240fba3b4ab6a3edab226b50
SHA1 hash:
cbda254804a21cef72f1a378964bfe6354ad9276
Link:
https://www.unpac.me/results/2299380b-c926-4cba-8fbc-2ec632d0aa7e/
SH256 hash:
acfe9760ad5a849868ec0193057aa392e4e1e4405f4c73f0226092e786465e73
MD5 hash:
2296b7e8683cf40c2cb6b8b62a1b33c7
SHA1 hash:
37b66388b71d97dd5ba067aa5d0a1bbcfc6fd84c
Link:
https://www.unpac.me/results/2299380b-c926-4cba-8fbc-2ec632d0aa7e/
SH256 hash:
3fd20caca6c20b296c5303177907f3b2283018d2949b6c7d26eea3b9f313b837
MD5 hash:
c801f50d973582d197f1e7dfafaae383
SHA1 hash:
f5f80fcaacd5e784731162d23d34e865baca3682
Link:
https://www.unpac.me/results/2299380b-c926-4cba-8fbc-2ec632d0aa7e/
SH256 hash:
b91fe4696aa803f6f02543699f7dea7d3ce9067bd34aabd600672a7687be880d
MD5 hash:
ecae8f95cdf12e09c54a14f9f5cb33af
SHA1 hash:
ef25f3ea6872aa8450977fa16bad197a9c5c9448
Link:
https://www.unpac.me/results/2299380b-c926-4cba-8fbc-2ec632d0aa7e/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/2299380b-c926-4cba-8fbc-2ec632d0aa7e/
SH256 hash:
e81fafb15982f1fd4b9bc1a63f691c95d939408a116f12a73afb0c651ad1d25d
MD5 hash:
85e995af6a196928d5dc31ac5172d3d3
SHA1 hash:
354cf027fe36b667926a0c8a80dc45a36639f088
Link:
https://www.unpac.me/results/2299380b-c926-4cba-8fbc-2ec632d0aa7e/
SH256 hash:
3337faf918dbf673268d01fc2eee9cdd5f0996a050e37114bc54e25a1d44c157
MD5 hash:
5aaffd3bd21341aabdfdae52e487813b
SHA1 hash:
6595d33e2bc87a5866ab374bfe69b1016e0e83d6
Link:
https://www.unpac.me/results/2299380b-c926-4cba-8fbc-2ec632d0aa7e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3337faf918dbf673268d01fc2eee9cdd5f0996a050e37114bc54e25a1d44c157

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 3337faf918dbf673268d01fc2eee9cdd5f0996a050e37114bc54e25a1d44c157

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2733272/
Cape
Cape
https://www.capesandbox.com/analysis/459427/

Comments


Avatar
zbet commented on 2023-11-21 05:23:28 UTC

url : hxxp://pmjo.fra1.cdn.digitaloceanspaces.com/Muqpgf.exe