MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64bd38bb45ba075c9e953cd8c4fca9cd9ab2462bbb0effced10ac2581afc4117. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	64bd38bb45ba075c9e953cd8c4fca9cd9ab2462bbb0effced10ac2581afc4117
SHA3-384 hash:	9fb44e2ce9315aad5fdfb84802ec501cea2d5fdcc8a4d7e67c2101efc4dec9fa2166a12903a05255195af7133621a4b8
SHA1 hash:	1006bae717668ad651794bd950d94edf16104124
MD5 hash:	be1f1f5052a28f33a78dc2172e082025
humanhash:	zebra-princess-september-washington
File name:	SecuriteInfo.com.Win64.SpywareX-gen.12278.17084
Download:	download sample
Signature	zgRAT Create hunting rule
File size:	146'944 bytes
First seen:	2024-01-26 03:22:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a61c6a7c70d96521c2bff14915509046 (4 x PureLogsStealer, 3 x DCRat, 1 x zgRAT)
ssdeep	768:6cllE+i6we7QONfG8f+PJRlNhSP00e3ywhqBkm5SusuffMo1XgjcVCCpFpYlvVXR:6OC5RZ8cPJ7NhSP00JtBkOvdwjwqBaK
Threatray	26 similar samples on MalwareBazaar
TLSH	T13EE360076784CCA5E26246B9891A47C181667C0077B0FE9F62D876ED0BB3BF1D96B343
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon	68c8b064c2b0188b (4 x PureLogsStealer, 3 x DCRat, 1 x zgRAT)
Reporter	SecuriteInfoCom
Tags:	exe zgRAT

Intelligence

File Origin

# of uploads :

# of downloads :

316

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/472977/

Detection(s):

SecuriteInfo.com.Win64.SpywareX-gen.12278.17084.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint packed stealer

Link:

https://www.filescan.io/uploads/65b325991dcf0cd54472edbc/reports/1598b091-82d0-49c0-aaeb-3c13b41199e7/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/64bd38bb45ba075c9e953cd8c4fca9cd9ab2462bbb0effced10ac2581afc4117

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/795b4053-f85a-45a0-bc8a-c48ac720613c

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1381476

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to inject threads in other processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/64bd38bb45ba075c9e953cd8c4fca9cd9ab2462bbb0effced10ac2581afc4117

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/64bd38bb45ba075c9e953cd8c4fca9cd9ab2462bbb0effced10ac2581afc4117/

Threat name:

Win64.Trojan.SpywareX

Status:

Malicious

First seen:

2024-01-05 06:47:28 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ms6tro2fxidvzhuvhtmmj7fjzwnlerrlxmhp7twrblbfqgx4ielq._file

Verdict:

malicious

zgRAT

1d594311e4d7dae3812674927df0fdf132fb5ab2d9613b445777282f7a3ee170

zgRAT

3dac62638ef8d58e1be2d0223fb621d305618e93d32cff71e11d732163cbf48e

zgRAT

4c86ccb0e56ae053fcd5fd332c9ca51df7ff7fd6171599f36a3c217ca9ad6c8d

zgRAT

5f128372f9c1f1d8a89fd56f6ade2e9172aba92e2cb694e45673bff2631c3f4c

zgRAT

7a3025be41b188ca3b4b5390f218074c6d639392b59efc9aae370e7b083b3798

zgRAT

c873ac8f98e791ee111b47e6be7a6c6d9ead818dab7821ae9b801c660a98a37b

zgRAT

+ 16 additional samples on MalwareBazaar

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:dcrat family:redline family:zgrat infostealer rat spyware

Link:

https://tria.ge/reports/240126-dxf8wsecdr/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

DCRat payload

DcRat

Detect ZGRat V1

RedLine

RedLine payload

ZGRat

Unpacked files

SH256 hash:

64bd38bb45ba075c9e953cd8c4fca9cd9ab2462bbb0effced10ac2581afc4117

MD5 hash:

be1f1f5052a28f33a78dc2172e082025

SHA1 hash:

1006bae717668ad651794bd950d94edf16104124

Link:

https://www.unpac.me/results/9fb589f4-bbb2-495e-b4c5-525a3c0a924c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/64bd38bb45ba075c9e953cd8c4fca9cd9ab2462bbb0effced10ac2581afc4117

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/472977/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample