MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f7f0576163208492f35624e57916b0a6ce9093d75ba32e57ac688435b5240ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f7f0576163208492f35624e57916b0a6ce9093d75ba32e57ac688435b5240ad
SHA3-384 hash: 1e83428e53b6e1719bf85682cf108a0a809f9931e13fa18b4e9111c48668be5a11058276be7662678fb9987a812420d2
SHA1 hash: 0c0ac1bd23849c717ddc49939a6bc679182a4e84
MD5 hash: 2ccc98462f3a07662a4d704be0e62a61
humanhash: early-monkey-oven-moon
File name:SecuriteInfo.com.Trojan.GenericKD.38647839.19202.9979
Download: download sample
Signature zgRAT
Create hunting rule
File size:775'680 bytes
First seen:2022-02-11 16:56:20 UTC
Last seen:2022-02-11 17:53:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:LsQImxYumxMt4LhdZZEw+Lr3P3D4LxciSEJk9tPGOujb1RRlTXqfHvf7TaaIf3:oXmxExIiZZE3fTQsPNujb1zluDVy
Threatray 498 similar samples on MalwareBazaar
TLSH T1F6F4F1F99BF078A1E554207774B2B73C33D75D09E84AC233E68BB14A3452AD578E0A1B
File icon (PE):PE icon
dhash icon 00414f4f4f4f4700 (14 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter SecuriteInfoCom
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/240945/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38647839.19202.9979.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
DNS request
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6206956454047500bb4141de/reports/e445c6f6-9f98-4ece-b954-3f87888b83ca/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b51e61b-679c-42ea-a675-7f2f50aef413
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/938486
Signature
.NET source code contains potential unpacker
Encrypted powershell cmdline option found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 570964 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 11/02/2022 Architecture: WINDOWS Score: 64 26 Multi AV Scanner detection for submitted file 2->26 28 .NET source code contains potential unpacker 2->28 30 Machine Learning detection for sample 2->30 7 SecuriteInfo.com.Trojan.GenericKD.38647839.19202.exe 1 2->7         started        process3 signatures4 32 Encrypted powershell cmdline option found 7->32 10 powershell.exe 9 7->10         started        process5 signatures6 34 Uses ping.exe to check the status of other devices and networks 10->34 13 PING.EXE 1 10->13         started        16 PING.EXE 1 10->16         started        18 conhost.exe 10->18         started        20 PING.EXE 10->20         started        process7 dnsIp8 22 yahoo.com 98.137.11.164 YAHOO-GQ1US United States 13->22 24 98.137.11.163 YAHOO-GQ1US United States 16->24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f7f0576163208492f35624e57916b0a6ce9093d75ba32e57ac688435b5240ad/
Threat name:
Win32.Downloader.PsDownload
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 16:21:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
30 of 43 (69.77%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
05bd6e05fa5cba8cf94a0cfd567351cd15e2d873e9e6ae3a951175e21deddaf4
zgRAT
42287ac393c08dcdae7b2ee2c75dcce8cf0739dc5e8eff36e6da0eefc2388382
zgRAT
6b10f57d5211fa504775f4db4021b74bfee20d6fc6f908fb062044db926c0656
zgRAT
8592d578f269100d67bf1faa464e23de7bf0c1266bad19d2bf6bcce0501158a3
zgRAT
8f9ff0227f4ce6ed3259d5f2f8bfd8c54496e9896ad5f522cdd768911be4b4bc
zgRAT
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
zgRAT
c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578
zgRAT
c9d7cb68dec80469c3c03b0e90c7af1972462ca7779424db3bfd9d44aebaa624
zgRAT
e53815bde4306397c668c921b03877403c5faae724ec66e1a62f3cc506fdb2ea
zgRAT
+ 488 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220211-vf983seecp/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
75145adbc6851cdf46208a357e86afef8b79d7d52d1ce664e608835be55c45f4
MD5 hash:
ec8b7d7a06f7f8c4cb7762be7ae68959
SHA1 hash:
e3a13ca3e650370a7a52706d20080fff8bc0649d
Link:
https://www.unpac.me/results/3a85add3-fc3c-453d-9bb8-3d8687e9cd27/
SH256 hash:
2267fb9d67f02cac263d9986c915310cd8cc5e0b8a880f2e6ebb04165f529499
MD5 hash:
c0b28f5556afc27e27c08af51e6aa193
SHA1 hash:
f7e41507162f0721debd03cd3f8fd676ec51f284
Link:
https://www.unpac.me/results/3a85add3-fc3c-453d-9bb8-3d8687e9cd27/
SH256 hash:
5f7f0576163208492f35624e57916b0a6ce9093d75ba32e57ac688435b5240ad
MD5 hash:
2ccc98462f3a07662a4d704be0e62a61
SHA1 hash:
0c0ac1bd23849c717ddc49939a6bc679182a4e84
Link:
https://www.unpac.me/results/3a85add3-fc3c-453d-9bb8-3d8687e9cd27/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exec_macros
Create hunting rule
Author:ddvvmmzz
Description:exec macros
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 5f7f0576163208492f35624e57916b0a6ce9093d75ba32e57ac688435b5240ad

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2040585/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/240945/

Comments