MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b614a4b5b02994b6900991eed28ee0a76a753d9e134eab400cccfc9ecd37e0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 11


SHA256 hash: 5b614a4b5b02994b6900991eed28ee0a76a753d9e134eab400cccfc9ecd37e0a
SHA3-384 hash: 76e955aff489bb8fcf2bc61e7ecaff31511697d3996aafd62598127fd460ed87d54cb60a9da0b29255c6be5a3ae97475
SHA1 hash: c1143579024c008809e0235959386e2b9441f773
MD5 hash: 97aad1b740159056b4765d3cc1689d4a
humanhash: pizza-south-spaghetti-maine
File name: SecuriteInfo.com.Win32.MalwareX-gen.1541.20531
Signature: zgRAT
File size: 995'840 bytes
First seen: 2023-12-01 09:24:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:0zdTQ/xBJyNrtjK3d0DbxUIBlA9DERHyK8zubL:EmBPRoRn
Threatray 902 similar samples on MalwareBazaar
TLSH T14225E150A7CE0997F16E06FA9331172483B9A217B357F3476AF2D6E80D933854A853CB
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b28e96968ce8b2a2 (1 x AsyncRAT, 1 x zgRAT)
Reporter: SecuriteInfoCom
Tags: exe, zgRAT

Intelligence


File origin
Uploads: 1
Downloads: 318
Origin country: FR

Vendor Threat Intelligence
Verdict: Malware
Behaviour
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Creating synchronization primitives
Launching a process
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behavior graph: n/a

Threat name: Win32.Trojan.Strictor
Status: Malicious
First seen: 2023-12-01 09:25:08 UTC
File type: PE (.Net Exe)
Extracted files: 11
AV detection: 14 of 23 (60.87%)
Threat level: 5/5

Malware family:
Score: 10/10
Tags: family:zgrat, persistence, rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Detect ZGRat V1
ZGRat
Unpacked files
Detections (on one of the unpacked files): Saudi_Phish_Trojan, INDICATOR_EXE_Packed_SmartAssembly
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: zgRAT
Sample: Executable exe 5b614a4b5b02994b6900991eed28ee0a76a753d9e134eab400cccfc9ecd37e0a (this sample)
Distributed via web download
