MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a1cb4b73917ff451c7c30ac38de585d93649faafe963fe60f601d618e2db505. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a1cb4b73917ff451c7c30ac38de585d93649faafe963fe60f601d618e2db505
SHA3-384 hash: 8eb8000219bd9db4b06755e72d34fa4dae3457d3f2ff879bdc3714370b1e133684b758f231edf5769bb3a31e79972b9d
SHA1 hash: 502b51f93f1c01cd1ca7ef29f897a5588db70db3
MD5 hash: 8a388d87667cbbdfb74df1fb27cf242b
humanhash: speaker-carbon-kitten-ack
File name:8a388d87667cbbdfb74df1fb27cf242b
Download: download sample
Signature zgRAT
Create hunting rule
File size:604'160 bytes
First seen:2023-11-10 14:08:25 UTC
Last seen:2023-11-10 15:14:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:kdegdLtSHFw1DWhOQKzHWwskl/JQT0F/AyQqvkwCa7t:iegdLtSm1QOQKLWwFJa2zvH/
Threatray 267 similar samples on MalwareBazaar
TLSH T120D42352B0804D02F777DBF9EA957089DB15067BF7721CEC18DB1AA024F894086EB76E
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8a388d87667cbbdfb74df1fb27cf242b
Verdict:
Malicious activity
Analysis date:
2023-11-10 14:09:25 UTC
Tags:
loader pureloader zgrat
Link:
https://app.any.run/tasks/d4a6943b-eaf0-4451-b2b6-f7a17f0d7693

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2148.28803.5966.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
Creating a file
Forced system process termination
Creating a process from a recently created file
Deleting a recently created file
Launching a process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/654e39803b0c3d66260883a4/reports/52ffc381-c8c1-4c13-89f9-4df60da24388/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/5a1cb4b73917ff451c7c30ac38de585d93649faafe963fe60f601d618e2db505
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/70b334e4-40eb-4077-840b-7446d14c53bf
Result
Threat name:
Xmrig, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1340670
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Xmrig
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1340670 Sample: gHLuZAKVSB.exe Startdate: 10/11/2023 Architecture: WINDOWS Score: 100 51 Sigma detected: Xmrig 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 57 13 other signatures 2->57 7 IsCompleted.exe 2->7         started        10 InheritanceFlags.exe 3 2->10         started        12 afbcxcoqm.exe 5 2->12         started        15 6 other processes 2->15 process3 file4 69 Antivirus detection for dropped file 7->69 71 Multi AV Scanner detection for dropped file 7->71 73 Machine Learning detection for dropped file 7->73 75 Injects a PE file into a foreign processes 7->75 17 AddInUtil.exe 7->17         started        77 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 10->77 79 Writes to foreign memory regions 10->79 81 Modifies the context of a thread in another process (thread injection) 10->81 21 InstallUtil.exe 15 3 10->21         started        43 C:\Users\user\AppData\...\IsCompleted.exe, PE32+ 12->43 dropped 45 C:\Users\user\...\InheritanceFlags.exe, PE32+ 15->45 dropped 83 Potential dropper URLs found in powershell memory 15->83 24 conhost.exe 15->24         started        26 conhost.exe 15->26         started        28 conhost.exe 15->28         started        signatures5 process6 dnsIp7 39 C:\Users\user\AppData\Local\Temp\bwcxx.exe, PE32+ 17->39 dropped 59 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->59 61 Writes to foreign memory regions 17->61 63 Modifies the context of a thread in another process (thread injection) 17->63 65 Injects a PE file into a foreign processes 17->65 30 bwcxx.exe 17->30         started        33 AddInProcess.exe 17->33         started        35 AddInProcess.exe 17->35         started        37 5 other processes 17->37 47 91.92.244.36, 49729, 49731, 49732 THEZONEBG Bulgaria 21->47 49 163.123.142.171, 39001, 49730, 49746 ILIGHT-NETUS Reserved 21->49 41 C:\Users\user\AppData\Local\...\afbcxcoqm.exe, PE32+ 21->41 dropped file8 67 Detected Stratum mining protocol 47->67 signatures9 process10 signatures11 85 Antivirus detection for dropped file 30->85 87 Multi AV Scanner detection for dropped file 30->87 89 Machine Learning detection for dropped file 30->89 91 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 30->91 93 Query firmware table information (likely to detect VMs) 33->93
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5a1cb4b73917ff451c7c30ac38de585d93649faafe963fe60f601d618e2db505
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a1cb4b73917ff451c7c30ac38de585d93649faafe963fe60f601d618e2db505/
Threat name:
ByteCode-MSIL.Trojan.Crysan
Create hunting rule
Status:
Malicious
First seen:
2023-11-08 18:36:00 UTC
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lioljnzzc77ukhd4gcwdrxsylwjwjh5k72ld7zqpmaowddrnwucq._file
Verdict:
malicious
Similar samples:
0c7de462833b7b4703c368f1a30b2cb20010211f91928e1f15dbac3e357210bc
zgRAT
14ed823d0f5b4a6074fd3e70646505cda2918d403a6b2fd9e5b0705f933e5f08
zgRAT
22224f65c07515b2f61e29f7f1a14005d0de54378aa925d9e017bb2ac26b5395
zgRAT
59ed6405e3f3ef450c65aeefd031426c39b014505555b4e7341be27916351436
zgRAT
5a1cb4b73917ff451c7c30ac38de585d93649faafe963fe60f601d618e2db505
zgRAT
8868ea6af3214fc758c93c1cb909231a76e22e718a4917aae5f2a60cf12af094
zgRAT
a22f38c26dc96fa285efd4c0732a22e9bb81b105ad65c75c609a478dd551ac13
zgRAT
e15157101bd327603b208ceed5daf8b58b8feb2913569dfe35b444b1a48167e5
zgRAT
e844192fb4c52758db729e18e8898fe0921bdbe1e2d3ac3da6a6b5d2cedecb71
zgRAT
+ 257 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231110-rf4jragd5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
5a1cb4b73917ff451c7c30ac38de585d93649faafe963fe60f601d618e2db505
MD5 hash:
8a388d87667cbbdfb74df1fb27cf242b
SHA1 hash:
502b51f93f1c01cd1ca7ef29f897a5588db70db3
Link:
https://www.unpac.me/results/58701c88-ae06-4995-83dc-97be3a56881f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5a1cb4b73917/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a1cb4b73917ff451c7c30ac38de585d93649faafe963fe60f601d618e2db505

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 5a1cb4b73917ff451c7c30ac38de585d93649faafe963fe60f601d618e2db505

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2729701/

Comments


Avatar
zbet commented on 2023-11-10 14:08:26 UTC

url : hxxp://163.123.142.171:8080/file/1699458184-explorer(1).exe