MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52a1809773419caafe264fc932eb4dc72f45e59401ea3c3e73072665ae1ada6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	52a1809773419caafe264fc932eb4dc72f45e59401ea3c3e73072665ae1ada6f
SHA3-384 hash:	a2d5dc5ef5e2ccb3618d2358c9eb20acf650f6e946cfc2ffcdfdbd419434f3f5497bc277fe508f864a7b229c28ffa3bf
SHA1 hash:	a5269679ac3c67c26a782cbdaa49ed0b0eaedb1f
MD5 hash:	e5b2eb6d938c08cad96c931c75697d60
humanhash:	timing-august-west-early
File name:	solm.exe
Download:	download sample
Signature	zgRAT Create hunting rule
File size:	235'008 bytes
First seen:	2023-06-16 11:05:24 UTC
Last seen:	2023-06-18 14:09:22 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:ETA1rj44t8kt9KyjEOnOb/OPQnDAda3wn0/R:T1rj44NIQE0fd5c
Threatray	3'719 similar samples on MalwareBazaar
TLSH	T1CB34AD897691728FC857C875C8EA5C6497A1656B533BD303A48722EE8F4D7CBCF006E2
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	cocaman
Tags:	exe Shipping zgRAT

Intelligence

File Origin

# of uploads :

# of downloads :

276

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

solm.exe

Verdict:

Malicious activity

Analysis date:

2023-06-16 11:06:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c9367a19-6166-4bca-8f2c-1d88d41e8fb1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

zgRAT

Link:

https://www.capesandbox.com/analysis/399442/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.26774.28521.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Reading critical registry keys

Creating a file in the %AppData% subdirectories

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

confuserex packed packed

Link:

https://www.filescan.io/uploads/648c421ce8a7749a2a2257c7/reports/ee51c327-22e9-440b-8972-97e3052b2fb6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/52a1809773419caafe264fc932eb4dc72f45e59401ea3c3e73072665ae1ada6f

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d93ce018-fa20-45c7-8474-2bce9000c293

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1255950

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected Telegram RAT

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/52a1809773419caafe264fc932eb4dc72f45e59401ea3c3e73072665ae1ada6f/

Threat name:

Win64.Trojan.Leonem

Status:

Malicious

First seen:

2023-06-16 07:22:20 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kkqybf3tigokv7rgj7etf22ny4xulzmuahvdyptta4tgllq23jxq._file

Verdict:

malicious

Label(s):

agenttesla

zgRAT

40b0a076e904042e87b4cfae93b7ae9ac00db794675cc4bfd2ca57fe55fb0949

zgRAT

4853f6116a561395c5d4950114e750e3f140622e5ebdfb21db1ccbfba1e67941

zgRAT

74d26f4b119393b4528ff36ae1ed9ddf2fd9b6e36f3dbd9c7456ad692687905c

zgRAT

77b72d9e11b5b61983903918dfb822e8c6c1e3a4acd6a5fde5db7a3cf004b445

zgRAT

806d84d7beb73d21f10339e37cc8cad779ab270fb80b79258268aa78fe85f9b0

zgRAT

aa23406d036894ae210e0531e6014c1377bdb409619cde6143e69d0a8dc7b85b

zgRAT

cb55fa293a824686db59be3e107726d2091ba56a62092f79e2d47744535e5e94

zgRAT

eb4b358d784a43733f3b307b562f7d3282cc07d94be7526cd8600bf8a4bee530

zgRAT

+ 3'709 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230616-m7d1ysef48/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5497972920:AAHqqS9EfkxnwYz3pQtCWef33URevfy5tRk/

Unpacked files

SH256 hash:

52a1809773419caafe264fc932eb4dc72f45e59401ea3c3e73072665ae1ada6f

MD5 hash:

e5b2eb6d938c08cad96c931c75697d60

SHA1 hash:

a5269679ac3c67c26a782cbdaa49ed0b0eaedb1f

Link:

https://www.unpac.me/results/a2429342-7d59-4176-87bd-94e3514f6de2/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/52a180977341/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/52a1809773419caafe264fc932eb4dc72f45e59401ea3c3e73072665ae1ada6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	MALWARE_Win_zgRAT Create hunting rule
Author:	ditekSHen
Description:	Detects zgRAT

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it