MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d3fe471d5702b4a73c7374dbab85b88fc3c209968c6804440e3322153ad64bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d3fe471d5702b4a73c7374dbab85b88fc3c209968c6804440e3322153ad64bd
SHA3-384 hash: 7fe881b1ac9aa077a88f03425e4879691b9189f32d64f768824bd514df21d947b1f70ea9ec0310bf5eff0c88d5056199
SHA1 hash: 3741ee56a4eef79de2f8549f45947aba7659787e
MD5 hash: 1160bbc769f9c80a256d19bd7281d4fa
humanhash: georgia-carbon-beer-nebraska
File name:SecuriteInfo.com.Variant.Lazy.286599.7821.8237
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'839'616 bytes
First seen:2023-01-18 04:28:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:uW1avI8VPeBP0WmpZdmo9RH645FrPSJ/SwGKCRSkcaR:sJwBP07pZdb645FrOSwGKCRea
Threatray 1'302 similar samples on MalwareBazaar
TLSH T173851200AAA3CA22E2F8AF78C0C65600C7BD8D1752F3D67A7DD833E55A63353D54A647
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c2d0c0a084a18eb8 (1 x a310Logger, 1 x AgentTesla, 1 x zgRAT)
Reporter SecuriteInfoCom
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Lazy.286599.7821.8237
Verdict:
Malicious activity
Analysis date:
2023-01-18 04:30:43 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/4314e856-912e-4639-8db4-19ac73d96328

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354026/
Detection(s):
SecuriteInfo.com.Variant.Lazy.286599.7821.8237.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c77557afdaca54d438fddc/reports/8731f1cc-47f0-4d1d-ab76-7f5ff0108abe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/085f553b-b4fb-4862-97af-d91c6460f759
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1153638
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 786370 Sample: SecuriteInfo.com.Variant.La... Startdate: 18/01/2023 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Sigma detected: Scheduled temp file as task from temp location 2->43 45 Yara detected zgRAT 2->45 47 6 other signatures 2->47 7 SecuriteInfo.com.Variant.Lazy.286599.7821.8237.exe 6 2->7         started        11 KuNFsHLTlSXsX.exe 5 2->11         started        process3 file4 27 C:\Users\user\AppData\...\KuNFsHLTlSXsX.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmpE114.tmp, XML 7->29 dropped 31 SecuriteInfo.com.V...9.7821.8237.exe.log, ASCII 7->31 dropped 49 May check the online IP address of the machine 7->49 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Injects a PE file into a foreign processes 7->53 13 SecuriteInfo.com.Variant.Lazy.286599.7821.8237.exe 15 22 7->13         started        17 schtasks.exe 1 7->17         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 19 KuNFsHLTlSXsX.exe 14 20 11->19         started        21 schtasks.exe 1 11->21         started        signatures5 process6 dnsIp7 33 api.telegram.org 149.154.167.220, 443, 49705, 49706 TELEGRAMRU United Kingdom 13->33 35 ipinfo.io 34.117.59.81, 443, 49703, 49707 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 13->35 39 2 other IPs or domains 13->39 23 conhost.exe 17->23         started        37 162.159.136.232, 443, 49708 CLOUDFLARENETUS United States 19->37 59 Tries to steal Mail credentials (via file / registry access) 19->59 61 Tries to harvest and steal browser information (history, passwords, etc) 19->61 25 conhost.exe 21->25         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d3fe471d5702b4a73c7374dbab85b88fc3c209968c6804440e3322153ad64bd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-18 04:29:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hu76i4ovoavuu46hg5g3voc3rd6dyieznddiarca4mzccu5nms6q._file
Verdict:
malicious
Similar samples:
33eb01298c822b2c9c60a352e6669aed70b6c35f4245ec3732e2c1fc02a20620
zgRAT
4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499
zgRAT
589c67cd28abd40173abc9bfe2fb2b80eaa905bc8bd0be9b70d04c73829a7423
zgRAT
6ba05012dc42370e27fe763cafdd4b4a09b0b198083199090dd1ff1856756d61
zgRAT
842fb6327e8d09667003b87a199aafde3dd0b05b9e603cd154bfefc0fe0c7280
zgRAT
969348318c0a26bb74e7468c4151541043671c232f0839766e479f19941c359c
zgRAT
cb1c9c3891b7dd5a066743c19c415343fa4937a97bda37304ea6abb93d0122a9
zgRAT
ee4c7bdf3abd06150a2c2e6fe94bd41dc4157241c2a9cd4b6b0eb1842c70ee0b
zgRAT
+ 1'292 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230118-e3p9esea41/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
e7ce5e191b800949f22b18d92ef000d922daec7ac9cc923f4e930c19cea36de3
MD5 hash:
29fde3e5f3a8a912ca1f9646a0eb2cc9
SHA1 hash:
9f8335f385455b6d3f12f4878384e719680ef2fd
Link:
https://www.unpac.me/results/9ea1649b-44f1-4cbc-b8f5-a723bd91ba9c/
SH256 hash:
ce68ff3b23252966a8a8020b24739349d806a5d21c3ee7ddcfbfee68b9fa69ff
MD5 hash:
2a611147f4a542b5faffbf38e14a9a33
SHA1 hash:
818161ee3d23f3983944fb94b27f46c96d6ef34f
Link:
https://www.unpac.me/results/9ea1649b-44f1-4cbc-b8f5-a723bd91ba9c/
SH256 hash:
94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129
MD5 hash:
874dcc6be499121b1425bfdff1f8ad46
SHA1 hash:
66f83bedc73876b77e152c604b8214bde86d965e
Link:
https://www.unpac.me/results/9ea1649b-44f1-4cbc-b8f5-a723bd91ba9c/
SH256 hash:
3d3fe471d5702b4a73c7374dbab85b88fc3c209968c6804440e3322153ad64bd
MD5 hash:
1160bbc769f9c80a256d19bd7281d4fa
SHA1 hash:
3741ee56a4eef79de2f8549f45947aba7659787e
Link:
https://www.unpac.me/results/9ea1649b-44f1-4cbc-b8f5-a723bd91ba9c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/3d3fe471d5702b4a73c7374dbab85b88fc3c209968c6804440e3322153ad64bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/354026/

Comments