MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57a8a0d5da162faec3142018c0f37be3a9d548330968519f15da92f372653185. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57a8a0d5da162faec3142018c0f37be3a9d548330968519f15da92f372653185
SHA3-384 hash: b27154f0de045d8ab91c7c5e01dbaf65b1074b19d844a35232a1d3e3d2cfadd35d47703b922570ed60ab64ece18dfbb5
SHA1 hash: d35fab3194db666deb7320c4060ef88a9cd0851b
MD5 hash: 636b214405d58bda3312528f0b8ce098
humanhash: sink-fillet-oscar-august
File name:Nxbuctb_Bwfhawmb.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'253'376 bytes
First seen:2022-05-02 12:34:25 UTC
Last seen:2022-05-02 13:36:18 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 12288:w2L5ENK2z+iw2ZMz3xSegxkm6e3g2trnval6VjptIzwRv1/9l53X1fbxsdB/+Q6x:wme9rMYzvDlHv1/v53XsdSS3bGK0bt
Threatray 6 similar samples on MalwareBazaar
TLSH T11A453B8262EABF73C50D8B36D0E5152C4FF2C6519643F70BA59636645C867EACE0BC0E
TrID 83.7% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
4.6% (.SCR) Windows screen saver (13101/52/3)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter pr0xylife
Tags:dll SnakeKeylogger zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/268214/
Detection(s):
SecuriteInfo.com.MALWARE_Win_zgRAT.32625.25486.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/626fd0092b32b1c37c84b312/reports/0a183f24-f576-4770-a91d-3db9e63333fc/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/843787fe-04b7-4f84-8c4c-f0e6b8a410f3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/986481
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 618977 Sample: Nxbuctb_Bwfhawmb.exe Startdate: 02/05/2022 Architecture: WINDOWS Score: 68 13 Malicious sample detected (through community Yara rule) 2->13 15 Multi AV Scanner detection for submitted file 2->15 17 .NET source code contains potential unpacker 2->17 19 2 other signatures 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57a8a0d5da162faec3142018c0f37be3a9d548330968519f15da92f372653185/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-05-02 12:35:16 UTC
File Type:
PE (.Net Dll)
Extracted files:
3
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
52e86edaba718d1876ad5fb921a189e705cf3a72887c63db49ea9faf8e85ea7e
zgRAT
6f40028f8cc674a39ca5564371ec08400e09c0f04cb55dba2f2791292e80920c
zgRAT
d08b7126b81c09be7e54774cc35399faceef0c2d4732cbbca5d46c48d89a2f51
zgRAT
f32ff0f8fe78ad69e72c054fe28f44e6ce6b9d4109b909fa917a3a526f1c84cb
zgRAT
f486b6333668a874fe5b507a183008dcb43f32f6f26a0173481d571f78fba4eb
zgRAT
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220502-psby6aafc2/
Unpacked files
SH256 hash:
57a8a0d5da162faec3142018c0f37be3a9d548330968519f15da92f372653185
MD5 hash:
636b214405d58bda3312528f0b8ce098
SHA1 hash:
d35fab3194db666deb7320c4060ef88a9cd0851b
Link:
https://www.unpac.me/results/cf986361-1777-40cc-b06c-44cbd347fb7a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/57a8a0d5da162faec3142018c0f37be3a9d548330968519f15da92f372653185

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_zgRAT
Create hunting rule
Author:ditekSHen
Description:Detects zgRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/268214/

Comments