MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 410c8bc5b17fb67b7c217494b71ba13063fa592114388ae31cb9ec1d006f30a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



zgRAT


Vendor detections: 13



SHA256 hash: 410c8bc5b17fb67b7c217494b71ba13063fa592114388ae31cb9ec1d006f30a5
SHA3-384 hash: 250ddc7291309431451b78529233f71b5213039a5b97d3840421e45144e55f0ac3afef13fe54c6dc7542e19fadbd008c
SHA1 hash: a6560e24ffb071b08c57babff1fee32ad76c06d4
MD5 hash: 588682e43e6cd70177050c8a5462a011
humanhash: ack-magnesium-one-pennsylvania
File name: indeedsection.exe
Signature: zgRAT
File size: 1'061'792 bytes
First seen: 2023-11-07 20:10:07 UTC
Last seen: 2023-11-07 21:42:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:M44AVy9OQOCodNypkfTNk3XZAf33qnAhZNmVydxxhDIY8WuCjW:xy5SNtfTGZAinAhPmmxzltuCK
Threatray: 3'582 similar samples on MalwareBazaar
TLSH: T1E9350257FA4B99E3C2580FF7C68396A0432CEE87FA63C61ABA49771601737D66C1110B
TrID: 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 00c84800c4e8e000 (1 x zgRAT)
Reporter: malwarelabnet
Tags: exe zgRAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 324
Origin country: CA

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: indeedsection.exe
Verdict: Suspicious activity
Analysis date: 2023-11-08 05:15:19 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
Creating a window
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the document folder of the user
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected zgRAT
Result
Threat name: ByteCode-MSIL.Trojan.Injuke
Status: Malicious
First seen: 2023-11-07 19:52:26 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 13 of 37 (35.14%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:zgrat persistence rat
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Detect ZGRat V1
ZGRat
Unpacked files
SHA256 hash: 212de69b8ad7cdcf7977bba635b320cbc0028199f389a5ec334b2908942519e1
MD5 hash: 925d226377ea018f55df3a4ebbf3eb66
SHA1 hash: d6ac3c28020645ca7cb8ad50f5ac8101090d6058

SHA256 hash: 06866de3c3fb83d9808ffb20ac6bdec24a93abbcf6e4e5d5dfbd413af7ea23bd
MD5 hash: dd933eb3c5bb271e70216be547ca8af2
SHA1 hash: 6f5d03ae506a6d8b907f225d0efd01e7f29ba37f

SHA256 hash: 1318c63c0ca52f309ee22b582275edced8559ef958b09c6a6d704a199e3ff8fa
MD5 hash: 7764570e532b1c47c58f0f9ef2c45df1
SHA1 hash: 10afcac355c592fcf22c4fdaae16d6db7a06447b

SHA256 hash: 2aa1329c95ea7bf6670179c59c8d95a9332271be5d841959d6b8859375180788
MD5 hash: e96dafc2f3639faf2893e63e6d6d3c4b
SHA1 hash: f41554e9bf70f7b25640e51288f5c0b693e650b9

SHA256 hash: add97ce3947d9aa62cf2a46f2977101219c0e67431242bb9a687422f16d75a61
MD5 hash: 04c7aea279a8958ce0a2a18f5362956a
SHA1 hash: f25a9dc78bb68d3e6969e52f221cae5865ed4bdc

SHA256 hash: 86932d06233efd2131423695dfb9df28cbd71867d967941935a57cee7bc04cd7
MD5 hash: 3181fc3f3de002804a1085079bd49dfe
SHA1 hash: a051fe394c53ccb39bb46bdc86096166a4cc261f

SHA256 hash: 410c8bc5b17fb67b7c217494b71ba13063fa592114388ae31cb9ec1d006f30a5
MD5 hash: 588682e43e6cd70177050c8a5462a011
SHA1 hash: a6560e24ffb071b08c57babff1fee32ad76c06d4
Please note that we are no longer able to provide a coverage score for Virus Total.
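The sample hashes and the unpacked-file hashes above are the host-level IOCs this entry provides. The script below is an added example (not MalwareBazaar's code) that sweeps a directory for files matching any of them using only Python's standard hashlib, so it runs offline; the directory path, file names and file contents in its usage are assumptions. It deliberately does not treat the imphash as a hit: the entry itself shows that imphash shared with 48'742 AgentTesla, 19'606 Formbook and 12'242 SnakeKeylogger samples, so a match on it says "same .NET loader stub", not "zgRAT".

```python
"""Sweep a directory for the zgRAT IOC hashes listed on this MalwareBazaar entry.

Added example, not MalwareBazaar code. Uses only the standard library.
"""
import hashlib
from pathlib import Path

# Digests copied from the entry above: the submitted sample plus its unpacked files.
SAMPLE_SHA256 = "410c8bc5b17fb67b7c217494b71ba13063fa592114388ae31cb9ec1d006f30a5"

KNOWN_HASHES = {
    "sha256": {
        SAMPLE_SHA256,
        "212de69b8ad7cdcf7977bba635b320cbc0028199f389a5ec334b2908942519e1",
        "06866de3c3fb83d9808ffb20ac6bdec24a93abbcf6e4e5d5dfbd413af7ea23bd",
        "1318c63c0ca52f309ee22b582275edced8559ef958b09c6a6d704a199e3ff8fa",
        "2aa1329c95ea7bf6670179c59c8d95a9332271be5d841959d6b8859375180788",
        "add97ce3947d9aa62cf2a46f2977101219c0e67431242bb9a687422f16d75a61",
        "86932d06233efd2131423695dfb9df28cbd71867d967941935a57cee7bc04cd7",
    },
    "sha1": {
        "a6560e24ffb071b08c57babff1fee32ad76c06d4",
        "d6ac3c28020645ca7cb8ad50f5ac8101090d6058",
        "6f5d03ae506a6d8b907f225d0efd01e7f29ba37f",
        "10afcac355c592fcf22c4fdaae16d6db7a06447b",
        "f41554e9bf70f7b25640e51288f5c0b693e650b9",
        "f25a9dc78bb68d3e6969e52f221cae5865ed4bdc",
        "a051fe394c53ccb39bb46bdc86096166a4cc261f",
    },
    "md5": {
        "588682e43e6cd70177050c8a5462a011",
        "925d226377ea018f55df3a4ebbf3eb66",
        "dd933eb3c5bb271e70216be547ca8af2",
        "7764570e532b1c47c58f0f9ef2c45df1",
        "e96dafc2f3639faf2893e63e6d6d3c4b",
        "04c7aea279a8958ce0a2a18f5362956a",
        "3181fc3f3de002804a1085079bd49dfe",
    },
    "sha3_384": {
        "250ddc7291309431451b78529233f71b5213039a5b97d3840421e45144e55f0ac3afef13fe54c6dc7542e19fadbd008c",
    },
}

# The imphash is intentionally absent: the entry shows it is shared with
# tens of thousands of AgentTesla/Formbook/SnakeKeylogger samples.
ALGOS = ("md5", "sha1", "sha256", "sha3_384")


def hash_file(path, algos=ALGOS, chunk_size=1 << 20):
    """Return {algo: hexdigest} for one file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests, known=KNOWN_HASHES):
    """Return sorted (algo, digest) pairs from `digests` that appear in `known`."""
    return sorted(
        (algo, value)
        for algo, value in digests.items()
        if value in known.get(algo, ())
    )


def sweep(root, known=KNOWN_HASHES):
    """Hash every regular file under `root`; return {path: [(algo, digest), ...]} for hits.

    Symlinks are skipped so a planted link cannot make the sweep hash files outside `root`.
    """
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        matched = match_iocs(hash_file(path), known)
        if matched:
            hits[str(path)] = matched
    return hits


if __name__ == "__main__":
    import sys

    # Assumed usage: python sweep_zgrat.py /path/to/suspect/dir
    for hit_path, matched in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(hit_path, matched)
```

Exact-hash IOCs are brittle: a single recompile or re-pack of the sample changes every digest above, so treat a miss as "not this build" rather than "not zgRAT", and pair the sweep with the behavioural indicators listed on this page (Run-key persistence, WMI Win32_DiskDrive queries, SetThreadContext/WriteProcessMemory injection) or with the YARA rules below.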

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_KB_CERT_01803bc7537a1818c4ab135469963c10
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
