MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 576449483e9522dc46f4815bbccd02fed4d908cce0c8edd56131c206eeb90cf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 576449483e9522dc46f4815bbccd02fed4d908cce0c8edd56131c206eeb90cf5
SHA3-384 hash: 59e6606bc40dda6b5ff51fdc220e7d7ae9828655fae1ec50851b1773cde3a28902c5ea23fa65fcfc5665e98186cf2609
SHA1 hash: 4fcba484c2ab88565ca5cf793cf243d30790ece8
MD5 hash: d33260365436afa22dbdfc5109d4f8a8
humanhash: island-uncle-tango-edward
File name:d33260365436afa22dbdfc5109d4f8a8
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'187'840 bytes
First seen:2023-02-18 04:42:11 UTC
Last seen:2023-02-18 07:27:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:RtTwMFkTAB4f27kovjgUpf7yJ1rga/v7fFsuwB:RtTh2wR7Srf
Threatray 60 similar samples on MalwareBazaar
TLSH T1C6456C417BE8EA27D15E5772F4A241244BF0D806B753EB4F27A8A5AD1C43740BC892FB
TrID 55.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.SCR) Windows screen saver (13097/50/3)
8.0% (.EXE) Win64 Executable (generic) (10523/12/4)
7.6% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
5.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter zbetcheckin
Tags:32 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d33260365436afa22dbdfc5109d4f8a8
Verdict:
Malicious activity
Analysis date:
2023-02-18 04:43:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8e410a54-04b0-4839-9aca-fab81f16b6da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/367842/
Detection(s):
SecuriteInfo.com.Variant.Lazy.290691.21675.15210.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Forced shutdown of a system process
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f05756b8f7cb97bffdf32d/reports/c8d24044-75d1-4388-b7b5-d24585e2c397/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/576449483e9522dc46f4815bbccd02fed4d908cce0c8edd56131c206eeb90cf5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bce83eb0-48b9-4da6-90ea-af78733d558e
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1178365
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 811191 Sample: Y3eiofEXSj.exe Startdate: 18/02/2023 Architecture: WINDOWS Score: 76 22 Malicious sample detected (through community Yara rule) 2->22 24 Antivirus detection for URL or domain 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 2 other signatures 2->28 6 Y3eiofEXSj.exe 15 3 2->6         started        process3 dnsIp4 20 195.178.120.24, 49699, 80 HEXAGLOBE-ASFR unknown 6->20 18 C:\Users\user\AppData\...\Y3eiofEXSj.exe.log, ASCII 6->18 dropped 10 RegSvcs.exe 6->10         started        12 RegSvcs.exe 6->12         started        14 RegSvcs.exe 6->14         started        16 2 other processes 6->16 file5 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/576449483e9522dc46f4815bbccd02fed4d908cce0c8edd56131c206eeb90cf5/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-02-16 02:11:51 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k5sessb6surnyrxuqfn3ztic73knscgm4deo3vlbghban3vzbt2q._file
Verdict:
malicious
Similar samples:
28d49f808aff8eb63c0bc5fb52e2202d8e8ca8f1f62532bcf4a19b4447d335c5
zgRAT
42a10c0bae7bbd73fbe08676013624992c323b635a320c905d63877641b00f57
zgRAT
47f55d901f3a0fcc649afa6e44bd4307fffd877ac92a33fde21992a93e54b27d
zgRAT
5b3a9d0cfad981c3f67db128224c435b683b39701a5e3eb601b46dfaf61d4d6a
zgRAT
8b6246a2b1d2bf17d9e31bb330446aaa43210e5240ce436e5ba2f5ce08c6d5e6
zgRAT
8c333b7328e876046988ec1e7e487f4cdebd62cbf0a4a595b31d87b0c1892037
zgRAT
91845e50a50ac3f00d103ea6773e6824c0b997c755d8a176b91b51431204b29d
zgRAT
9a693191c99ec28e49e610cd89af5137fb077ad8b4d7452828dbabd055e65384
zgRAT
a85e849cf68891e4f827c15324e601e6a4c5d9df3b944fea96ab157c29c9091a
zgRAT
e93540ce0c3366d9205b2bd6d173682fba9955b3b00541ed295fb139af8cbf65
zgRAT
+ 50 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230218-fb8r5aad6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
576449483e9522dc46f4815bbccd02fed4d908cce0c8edd56131c206eeb90cf5
MD5 hash:
d33260365436afa22dbdfc5109d4f8a8
SHA1 hash:
4fcba484c2ab88565ca5cf793cf243d30790ece8
Link:
https://www.unpac.me/results/4b505fb5-91e4-49ca-a04c-2fc0d815b24d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/576449483e9522dc46f4815bbccd02fed4d908cce0c8edd56131c206eeb90cf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 576449483e9522dc46f4815bbccd02fed4d908cce0c8edd56131c206eeb90cf5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2543598/
Cape
Cape
https://www.capesandbox.com/analysis/367842/

Comments


Avatar
zbet commented on 2023-02-18 04:42:15 UTC

url : hxxp://195.178.120.24/5546Encrypted.exe