MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d9463fdeeaa97e29dbace69e8ed261d858b47b9bf20e8d7b68ee862b9ae3218. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	6d9463fdeeaa97e29dbace69e8ed261d858b47b9bf20e8d7b68ee862b9ae3218
SHA3-384 hash:	0f7f91cf361fa95323480f4e7881980fad51a1b856950e31b0348c472ce73b620c9ad7ed649bc5555e4c9c5864b19eab
SHA1 hash:	cb92df80b4767179cdebb244f04144d2900c8edb
MD5 hash:	b01be8ef39a8d997bf0e1ca1bc36e9cb
humanhash:	green-sad-friend-mobile
File name:	Hsbc _ swift _ 103_ copy 0382328364891237 PDF.exe
Download:	download sample
Signature	zgRAT Create hunting rule
File size:	1'574'400 bytes
First seen:	2024-02-05 14:41:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:cN4DYDuGXDq7cmQ7FoES42ODcd9+2SuYsHgyWVzK9bN+8C9Gkh+p+UQQyfIEKI01:0YYDuPcmQh9COQ9NYsVszCTirBQyhU
Threatray	105 similar samples on MalwareBazaar
TLSH	T1A27501567B260A32C769AB35DA7B9300071AF6B2D163D30B73D8623A60173BF1F95742
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe HSBC zgRAT

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/474731/

Detection(s):

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Win.Trojan.EmbeddedReversedDLL-9940922-0

Win.Trojan.Generic-10014419-0

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/65c0f3c219fc380914225302/reports/67b287e5-cc84-4f0a-a8a0-d0e34e052595/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6d9463fdeeaa97e29dbace69e8ed261d858b47b9bf20e8d7b68ee862b9ae3218

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a61b92f3-46b6-4cb1-8cdd-1c6b48a8028f

Result

Threat name:

PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1386855

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6d9463fdeeaa97e29dbace69e8ed261d858b47b9bf20e8d7b68ee862b9ae3218

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6d9463fdeeaa97e29dbace69e8ed261d858b47b9bf20e8d7b68ee862b9ae3218/

Threat name:

ByteCode-MSIL.Trojan.ZgRAT

Status:

Malicious

First seen:

2024-02-04 22:47:28 UTC

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nwkgh7povkl6fhn2zzu6r3jgdwcywr5zx4qorv5wr3ugfonogima._file

Verdict:

malicious

zgRAT

3298664374264a54bf1478c665c3d1bd92042a7bd41c60c8374ac88a9e5c9123

zgRAT

83c927ee7be29bc9002512ec371d11211fa96a5ec577336bca4fe789d9419104

zgRAT

859beadc69ed87ed6a706cb57d8a46f502cca1b826afe66672475c41f11f8055

zgRAT

b1398b586db65eb82d0cb0ab8bc6065c987fbbbfa6c11678f0393a2842a3f793

zgRAT

d7a2ae6d4c8ab5d13d4298334e9d95f82770ace62b3bb62cd683d3017f768da6

zgRAT

dce0b953b9201d59cd92a30bce45190f9c763690a09a7a279024d8cf4b8ce171

zgRAT

fefc63a2948e070ff4447b44700b1a83eef1ab7607338e969e16859b69ab6b20

zgRAT

+ 95 additional samples on MalwareBazaar

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:zgrat collection rat spyware stealer

Link:

https://tria.ge/reports/240205-r2354sacb6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads user/profile data of web browsers

Detect ZGRat V1

ZGRat

Unpacked files

SH256 hash:

6d9463fdeeaa97e29dbace69e8ed261d858b47b9bf20e8d7b68ee862b9ae3218

MD5 hash:

b01be8ef39a8d997bf0e1ca1bc36e9cb

SHA1 hash:

cb92df80b4767179cdebb244f04144d2900c8edb

Detections:

Typical_Malware_String_Transforms

Link:

https://www.unpac.me/results/fc1cac10-1544-4ba1-8420-897b7f629d4c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6d9463fdeeaa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

zgRAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6d9463fdeeaa97e29dbace69e8ed261d858b47b9bf20e8d7b68ee862b9ae3218

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zgRAT

exe 6d9463fdeeaa97e29dbace69e8ed261d858b47b9bf20e8d7b68ee862b9ae3218

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/474731/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample