MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a85404fc09ac9b9a1dc9b2470e3582055517254bc3bfc7894a7c37db6b31216. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a85404fc09ac9b9a1dc9b2470e3582055517254bc3bfc7894a7c37db6b31216
SHA3-384 hash: 9900e18f3f1c2de27621e3a6e776fb76f39f30ab93a8edd89d37b291b098251f1710baa59d51609b7495118279ead8be
SHA1 hash: e173c8198569f74d33ca569c892529f36fd56675
MD5 hash: 29620f5d86c39fa73939fdb10803f683
humanhash: nevada-cold-carolina-mirror
File name:29620f5d86c39fa73939fdb10803f683
Download: download sample
Signature zgRAT
Create hunting rule
File size:607'232 bytes
First seen:2023-12-02 13:55:08 UTC
Last seen:2023-12-02 15:17:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:CBMYyhGu8sXrcJlvJRruVl3SlC5ibMCaeihWfwVpJXn5:jFw6cRR6G3b/a9tx
Threatray 1'352 similar samples on MalwareBazaar
TLSH T144D42323971B147BCAC07D73C8BB2876D7B4211BDC6E0C1521F8752AB4B5AC60A6CBE5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
291
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ee5f333fec231a3858e25a6db292c579
Verdict:
Malicious activity
Analysis date:
2023-12-02 05:16:18 UTC
Tags:
zgrat pureloader loader
Link:
https://app.any.run/tasks/9691a338-a168-4bd7-ba62-a5ff9bc3929d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461884/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.32015.8079.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a file
Forced system process termination
Creating a process from a recently created file
Deleting a recently created file
Launching a process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/656b624c6d3af192267871f8/reports/7ced6222-2501-4cbd-9673-feef0f556575/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3a85404fc09ac9b9a1dc9b2470e3582055517254bc3bfc7894a7c37db6b31216
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81f577c5-34ca-4878-94a1-408cb9ad5b67
Result
Threat name:
Xmrig, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1352055
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Xmrig
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1352055 Sample: famZWMGl3N.exe Startdate: 02/12/2023 Architecture: WINDOWS Score: 100 55 Sigma detected: Xmrig 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 15 other signatures 2->61 7 DigestAlgorithm.exe 2->7         started        10 TypeId.exe 3 2->10         started        12 ogywaz.exe 5 2->12         started        15 5 other processes 2->15 process3 file4 63 Antivirus detection for dropped file 7->63 65 Machine Learning detection for dropped file 7->65 67 Writes to foreign memory regions 7->67 77 2 other signatures 7->77 17 RegSvcs.exe 7->17         started        69 Multi AV Scanner detection for dropped file 10->69 71 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->71 73 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->73 20 MSBuild.exe 16 3 10->20         started        37 C:\Users\user\AppData\...\DigestAlgorithm.exe, PE32+ 12->37 dropped 39 C:\Users\user\AppData\Local\...\TypeId.exe, PE32 15->39 dropped 75 Potential dropper URLs found in powershell memory 15->75 24 conhost.exe 15->24         started        26 conhost.exe 15->26         started        28 conhost.exe 15->28         started        signatures5 process6 dnsIp7 45 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->45 47 Writes to foreign memory regions 17->47 49 Modifies the context of a thread in another process (thread injection) 17->49 51 Injects a PE file into a foreign processes 17->51 30 AddInProcess.exe 17->30         started        33 AddInProcess.exe 17->33         started        41 163.123.142.171, 39001, 49705, 49718 ILIGHT-NETUS Reserved 20->41 43 91.92.244.36, 49704, 49706, 49707 THEZONEBG Bulgaria 20->43 35 C:\Users\user\AppData\Local\Temp\ogywaz.exe, PE32+ 20->35 dropped file8 53 Detected Stratum mining protocol 41->53 signatures9 process10 signatures11 79 Query firmware table information (likely to detect VMs) 30->79
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3a85404fc09ac9b9a1dc9b2470e3582055517254bc3bfc7894a7c37db6b31216
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a85404fc09ac9b9a1dc9b2470e3582055517254bc3bfc7894a7c37db6b31216/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2023-11-28 13:41:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkcuat6atle3tio4tmshby2yebkvc4suxq57y6euu7bx3nvtcila._file
Verdict:
malicious
Similar samples:
22224f65c07515b2f61e29f7f1a14005d0de54378aa925d9e017bb2ac26b5395
zgRAT
4239478f1ff05d0014ba2492e155e733b661473d7299cbf98eb8f81bbf6e719a
zgRAT
5037733d3123c797e4c67a9c4d6aa45d99486f45afb64bc52979c142defa23b3
zgRAT
87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d
zgRAT
8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251
zgRAT
a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998
zgRAT
ba4d461d394b8345604518df33c0d7b09c2278c9fdf2dd747c28047d0c35cfe8
zgRAT
+ 1'342 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231202-q8ntbsdd25/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
e63fe63b4f65160df9c146837dfeaeee66a2cb8745fccec383bbdba388198a5d
MD5 hash:
55b83b728052d188b6fda7b1e6238766
SHA1 hash:
c63c7bd6763483ccac67acfad1cd7fe8fbbf17ec
Link:
https://www.unpac.me/results/a06c4057-7315-4d93-acba-5f76a8098754/
SH256 hash:
06a69281ce625f33244777890174377352d28bad3f8438c5b27881448a9ffeb5
MD5 hash:
640b3648088f502d69e80831844de2da
SHA1 hash:
bbf2c1cd90bf86f6477f77c9381ffe4950d6b84d
Link:
https://www.unpac.me/results/a06c4057-7315-4d93-acba-5f76a8098754/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/a06c4057-7315-4d93-acba-5f76a8098754/
SH256 hash:
adb9b74b1d3653adc2c00c0c227b4bb37334bcf673d362d62a25e7dd431a7d29
MD5 hash:
730ee56124e16a88da6bf4eaf7e2c750
SHA1 hash:
2de814edfeca91e2d7d9c51dd7b8857f9d88a6ce
Link:
https://www.unpac.me/results/a06c4057-7315-4d93-acba-5f76a8098754/
SH256 hash:
3a85404fc09ac9b9a1dc9b2470e3582055517254bc3bfc7894a7c37db6b31216
MD5 hash:
29620f5d86c39fa73939fdb10803f683
SHA1 hash:
e173c8198569f74d33ca569c892529f36fd56675
Link:
https://www.unpac.me/results/a06c4057-7315-4d93-acba-5f76a8098754/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3a85404fc09a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a85404fc09ac9b9a1dc9b2470e3582055517254bc3bfc7894a7c37db6b31216

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 3a85404fc09ac9b9a1dc9b2470e3582055517254bc3bfc7894a7c37db6b31216

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2736749/
Cape
Cape
https://www.capesandbox.com/analysis/461884/

Comments


Avatar
zbet commented on 2023-12-02 13:55:09 UTC

url : hxxp://163.123.142.171:8080/file/1701007523-Hzxlsavkq.exe