MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 769c5f497f142d38e72c13783c0459a2fa4345826a4b1bf8118b35fb84f812c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Zyklon


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 769c5f497f142d38e72c13783c0459a2fa4345826a4b1bf8118b35fb84f812c3
SHA3-384 hash: ca7dcae707f83aeb63999cb4aaf8fce10f4cb1bf93851bda6ef78e934d7c62e2bc6031825ac18a6d50be8e7b9252a222
SHA1 hash: a5ec402eeb9b7e0751c17cf93d9b10dfb145ea1c
MD5 hash: af7609aa27210fe58d49fc673ad0984b
humanhash: mango-india-romeo-wolfram
File name:af7609aa27210fe58d49fc673ad0984b.exe
Download: download sample
Signature Zyklon
Create hunting rule
File size:2'703'872 bytes
First seen:2023-12-04 16:45:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 49152:RZfXoANNaXy7o+0Yxr02zS94Wo4X00G9SgY6VATvt:RZfYANNP7o+Vx4394WXiYKAD
Threatray 91 similar samples on MalwareBazaar
TLSH T198C5D01655928E3BD26597324057403E8290CB7639B2EB1F361F25E26903BB9CE731FB
TrID 40.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
32.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
7.3% (.SCR) Windows screen saver (13097/50/3)
5.8% (.EXE) Win64 Executable (generic) (10523/12/4)
3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter abuse_ch
Tags:exe Zyklon


Avatar
abuse_ch
Zyklon C2:
http://666541cm.nyashland.top/eternalJslowProcessflowergeneratordownloads.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
af7609aa27210fe58d49fc673ad0984b.exe
Verdict:
Malicious activity
Analysis date:
2023-12-04 16:45:48 UTC
Tags:
dcrat rat stealer
Link:
https://app.any.run/tasks/8883d455-a749-4601-9958-72376356e46d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462402/
Detection(s):
Win.Packed.Uztuby-10009381-0
Create hunting rule

Win.Packed.Uztuby-10015486-0
Create hunting rule

Win.Packed.Uztuby-10015800-0
Create hunting rule

Win.Packed.Uztuby-10015902-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/656e02723c6ae873fb8825ac/reports/4cbb1a71-b21e-44d3-ab16-5c368d68bdab/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/769c5f497f142d38e72c13783c0459a2fa4345826a4b1bf8118b35fb84f812c3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a4adef7b-e7b7-4307-8218-318e1a853cb3
Result
Threat name:
DCRat, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353337
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1353337 Sample: nePba57ysb.exe Startdate: 04/12/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Antivirus detection for URL or domain 2->51 53 Antivirus detection for dropped file 2->53 55 10 other signatures 2->55 7 nePba57ysb.exe 4 30 2->7         started        11 WmiPrvSE.exe 3 2->11         started        13 csrss.exe 2->13         started        15 24 other processes 2->15 process3 file4 41 C:\Users\user\Desktop\zzREvJYc.log, PE32 7->41 dropped 43 C:\Users\user\Desktop\zJoEfwrZ.log, PE32 7->43 dropped 45 C:\Users\user\Desktop\vSyNXzrg.log, PE32 7->45 dropped 47 12 other malicious files 7->47 dropped 57 Adds a directory exclusion to Windows Defender 7->57 59 Creates processes via WMI 7->59 61 Drops PE files with benign system names 7->61 17 cmd.exe 7->17         started        19 powershell.exe 7->19         started        21 powershell.exe 7->21         started        23 16 other processes 7->23 63 Antivirus detection for dropped file 11->63 65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 signatures5 process6 process7 25 conhost.exe 17->25         started        27 chcp.com 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 23->35         started        37 conhost.exe 23->37         started        39 13 other processes 23->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/769c5f497f142d38e72c13783c0459a2fa4345826a4b1bf8118b35fb84f812c3/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-11-29 21:31:21 UTC
File Type:
PE (.Net Exe)
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o2of6sl7cqwtrzzmcn4dybczul5egrmcnjfrx6arrm27xbhyclbq._file
Verdict:
malicious
Similar samples:
13caf72860e00c295fda55bb96e743fbb46819ccebf86cd3f32ccb5752a208d6
Zyklon
9cd351bd4b3c17ece37ff8603e030b4980cddf1cd55efee810c7ce5b102cc6e3
Zyklon
b95da950b192a24ecf7fdd74fb8e2020a5f89e48b6193f5042321b7050447b10
Zyklon
b9bf86ca557127ec61bbbaf9675686ee155186f3b4f4d1d80bf94b17a04b7371
Zyklon
fc07e1f14fe415abbf50144169406b444d1a70a06332892004d29e286da08f37
Zyklon
+ 81 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat spyware stealer
Link:
https://tria.ge/reports/231204-t9ylpsda77/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Detect ZGRat V1
Process spawned unexpected child process
ZGRat
Unpacked files
SH256 hash:
769c5f497f142d38e72c13783c0459a2fa4345826a4b1bf8118b35fb84f812c3
MD5 hash:
af7609aa27210fe58d49fc673ad0984b
SHA1 hash:
a5ec402eeb9b7e0751c17cf93d9b10dfb145ea1c
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/8afe3603-feb1-43ba-9995-7ac9838c12a9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/769c5f497f14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/769c5f497f142d38e72c13783c0459a2fa4345826a4b1bf8118b35fb84f812c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/462402/

Comments