MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35285d5b859dd9b900b3fa09955edb78f80e7c707f4d3c2afb8c23de379fb37b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35285d5b859dd9b900b3fa09955edb78f80e7c707f4d3c2afb8c23de379fb37b
SHA3-384 hash: 9e9676dc14e5d2c0e35d9ddcce0f107a3e992d6a00d03d41d2d6018066834bcb875a718cf7063b9c276d3a2c6066ceb1
SHA1 hash: 5e856bacdf110b0efd28501009976ff7e5aa2ea0
MD5 hash: b81650b91cc0319357855d71b8e19cd0
humanhash: india-cola-thirteen-vegan
File name:Credit_Details1450542312200022.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'365'504 bytes
First seen:2022-10-19 07:22:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:GsK046J+h6yAXS5UOtOIiQgNYcpTSRqoS/KgNtfY/e:A046J+hFAXS5UQOAgNYhRqBKgNY
Threatray 3'450 similar samples on MalwareBazaar
TLSH T13C55ADB525DA8607D5583135C4C7D2F32BFB9E606162D2CB2AD32F6FBC012BB9542386
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 498ba7450b0f4920 (2 x zgRAT)
Reporter GovCERT_CH
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Credit_Details1450542312200022.exe
Verdict:
Malicious activity
Analysis date:
2022-10-19 07:26:37 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/98e1888a-5bfd-41e6-9c11-4b548dde59bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321623/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1617.21589.7466.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/634fa5d7fdf6478a15af9384/reports/cbdf2705-4dff-4cd4-95a0-861a4d0505bd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98829ff4-3ed7-46a6-9e12-bcd1d4707bc5
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1093286
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 725908 Sample: Credit_Details1450542312200... Startdate: 19/10/2022 Architecture: WINDOWS Score: 100 45 eaidali101.ddns.net 2->45 51 Multi AV Scanner detection for domain / URL 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 9 other signatures 2->57 8 Credit_Details1450542312200022.exe 7 2->8         started        12 YlbjnC.exe 5 2->12         started        signatures3 process4 file5 35 C:\Users\user\AppData\Roaming\YlbjnC.exe, PE32 8->35 dropped 37 C:\Users\user\...\YlbjnC.exe:Zone.Identifier, ASCII 8->37 dropped 39 C:\Users\user\AppData\Local\...\tmp1637.tmp, XML 8->39 dropped 41 C:\...\Credit_Details1450542312200022.exe.log, ASCII 8->41 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 8->59 61 Adds a directory exclusion to Windows Defender 8->61 14 Credit_Details1450542312200022.exe 2 2 8->14         started        19 powershell.exe 19 8->19         started        21 schtasks.exe 1 8->21         started        63 Multi AV Scanner detection for dropped file 12->63 65 Machine Learning detection for dropped file 12->65 67 Injects a PE file into a foreign processes 12->67 23 schtasks.exe 1 12->23         started        25 YlbjnC.exe 12->25         started        27 YlbjnC.exe 12->27         started        signatures6 process7 dnsIp8 47 eaidali101.ddns.net 85.209.134.59, 49695, 49696, 49697 CMCSUS Germany 14->47 43 C:\ProgramData\remcos\logs.dat, data 14->43 dropped 49 Installs a global keyboard hook 14->49 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35285d5b859dd9b900b3fa09955edb78f80e7c707f4d3c2afb8c23de379fb37b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-14 02:32:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=guuf2w4ftxm3saft7iezkxw3pd4a47dqp5gtykx3rqr54n47wn5q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
4bd1f385e71c2b0c8bb27ce271cfd26c696e3049e3e92cd150ba62666bc6221f
zgRAT
592f15fec50eda79baadcb6bc5c4cb79de60e5bb285f20fb8e8927477495f065
zgRAT
7f89f38c1c2a3e42e7fe2d1c286816361fe77aa49d1d474de200df6eb2dbda81
zgRAT
8e7d1931cfe215a12acad3beb975cd78099a295a721069b35c05b469e2f703f9
zgRAT
9d724226a2a3c8676d4a58b64b636d9dcc178c1d40fcf321309afa14505cf285
zgRAT
e1eb708f47303b831f6eb0ddc846e21782e8f727dcb0088fcb997c3bf0d4dbd3
zgRAT
e76cebc404b8a79e2ab806a3e501b9d2f7260ea1d12f804320c1130be205dff6
zgRAT
+ 3'440 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:2nd-host rat
Link:
https://tria.ge/reports/221019-h7s3nafab4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Remcos
Malware Config
C2 Extraction:
eaidali101.ddns.net:6060
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/efac4627-d704-49a3-af06-5e180903ea4b
Unpacked files
SH256 hash:
303f0d6773074f1d8e7b350b5ca9a6696f38aed4b768c04d66da93e6e1030bd4
MD5 hash:
92d12d86adc90660fe237937666431a7
SHA1 hash:
fc0da306ca5a9d6b11fb8e5ef3e228182f802649
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/f85362b4-42e4-4976-b428-0325c1b077ff/
Parent samples :
35285d5b859dd9b900b3fa09955edb78f80e7c707f4d3c2afb8c23de379fb37b
b27423d7fe1e3ff9aaa24ddd0201535f7c2cfd3722e7e4ff0a71ff28b6504dc1
12050271ba333bbc55aca8540cb433b317c8b043fcc4f49e2013706f03834851
a5e3a5a5abe4d46785deadb6630c0df664155bc61400ccec33881adbee9604d7
a6352db3ea00691d158c0d6b5acf6f84fbb9dbb8f9584c6d722529acdf246eaa
ce371c5ca3163e9bbd957b31ad7aee83a7c3a467188968340d28a52cf2be0b40
c6c950ca8ee414fcb5d1d28227799a1eec9a277f73c7eb0403052563a9f80468
e395bd1544cb6f8eeacdaed668d95be91d479734a2aabe4b2c3e7b2ec5d0d316
a4ff98fa6eba586e41aa9004c4d97d16568fb6a8745a172f96d7a1188fbb0b0d
SH256 hash:
0377e8cd1989428452cc335bf5fae48f117a260a40670edc219a64e2908c4ed7
MD5 hash:
fb40b55d1cb17f8e34b45b398f5f97a5
SHA1 hash:
c89502e795827d8825f72bcd3e64ea089bdcd866
Link:
https://www.unpac.me/results/f85362b4-42e4-4976-b428-0325c1b077ff/
SH256 hash:
c99e63c21a439156ed16358588ab848610ad7c64eee250390ddc24033c1d7c40
MD5 hash:
30d02c1f26880ba8f3b3624e8b465c0b
SHA1 hash:
ea63c1c8b7e578192afa33b6132c93ec50f4d81d
Link:
https://www.unpac.me/results/f85362b4-42e4-4976-b428-0325c1b077ff/
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/f85362b4-42e4-4976-b428-0325c1b077ff/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/f85362b4-42e4-4976-b428-0325c1b077ff/
SH256 hash:
35285d5b859dd9b900b3fa09955edb78f80e7c707f4d3c2afb8c23de379fb37b
MD5 hash:
b81650b91cc0319357855d71b8e19cd0
SHA1 hash:
5e856bacdf110b0efd28501009976ff7e5aa2ea0
Link:
https://www.unpac.me/results/f85362b4-42e4-4976-b428-0325c1b077ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35285d5b859dd9b900b3fa09955edb78f80e7c707f4d3c2afb8c23de379fb37b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zgRAT

Executable exe 35285d5b859dd9b900b3fa09955edb78f80e7c707f4d3c2afb8c23de379fb37b

(this sample)

  
Dropped by
zgRAT
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321623/

Comments