MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 838aa14bf3e65c1be78e79b9ab18731e2cf7f331658504a200a8d14eb78030cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT
Vendor detections: 9

SHA256 hash: 838aa14bf3e65c1be78e79b9ab18731e2cf7f331658504a200a8d14eb78030cf
SHA3-384 hash: 180e1860820f37e78745fa265a20f3c20afba3eb2d0738c902032167ecb9ea6586e7c33c51ac2bb5d99af2198e7a1a6e
SHA1 hash: ca2e07911bd93ade43465869a4c98efd29bb8f46
MD5 hash: e9b82259a6eb1ffb987d3e19922aa82b
humanhash: pluto-lemon-hotel-zulu
File name: proforma invoice.zip
Signature: zgRAT
File size: 638'498 bytes
First seen: 2023-12-15 08:02:51 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 12288:YlZpaAcUB9ZcaViIhgawQM1M1KSSoSA6KqNnMqZ7PsdrCw+IOcq2wFY:nUBDcFIw3MKSVSZnrZ7T5za
TLSH: T1D3D4232BCCF3371CCABA43CA105BD5D9DC0A7F061DA07A170FB52826B645A8A34469F7
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: DHL INVOICE zgRAT zip


cocaman
Malicious email (T1566.001)
From: "lyla Wang (SZX GTW) (DHL CN)" <lyla.wang@dhl.com> (likely spoofed)
Received: "from dhl.com (unknown [91.92.243.208])"
Date: "13 Dec 2023 08:02:33 -0800"
Subject: "RE: 12-8 Hongchi-DHL Handover Order"
Attachment: "proforma invoice.zip"
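The reporter's header excerpt carries the tell-tale of a spoofed sender: the From: address claims dhl.com, the sending host also announced itself as dhl.com in HELO, but the receiving MTA could not resolve the connecting IP (91.92.243.208) at all ("unknown"). The HELO name is asserted by the sender and worth nothing on its own; only the IP and its reverse DNS are observed by the receiver. The script below, an added example that is not part of the MalwareBazaar page or the reporter's comment, parses a Received: hop in the Postfix/Sendmail "from HELO (rDNS [IP])" layout and flags that mismatch. The header block is constructed from the four fragments quoted above; the body line and the absence of any other hops are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed test input: From, Received, Date and Subject are the fragments quoted
# in the report above; the body line and the missing further hops are assumptions.
SAMPLE_HEADERS = """\
From: "lyla Wang (SZX GTW) (DHL CN)" <lyla.wang@dhl.com>
Received: from dhl.com (unknown [91.92.243.208])
Date: 13 Dec 2023 08:02:33 -0800
Subject: RE: 12-8 Hongchi-DHL Handover Order

(body omitted)
"""

# Postfix/Sendmail-style hop: "from <HELO name> (<reverse DNS or 'unknown'> [<IP>])"
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")


def parse_hop(received: str):
    """Return {'helo','rdns','ip'} for one Received: header, or None if it does not match."""
    m = HOP_RE.search(received)
    if not m:
        return None
    helo, rdns, ip = m.groups()
    return {"helo": helo.lower(), "rdns": rdns.lower(), "ip": ip}


def same_org(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage_headers(raw: str) -> dict:
    """Compare the claimed From: domain with what the receiving MTA actually observed."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Each MTA prepends its own Received: line, so the last one is the earliest hop.
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    findings = []
    if from_domain and hops:
        origin = hops[-1]
        if origin["rdns"] == "unknown":
            findings.append(f"origin {origin['ip']} has no reverse DNS")
        if same_org(origin["helo"], from_domain) and not same_org(origin["rdns"], from_domain):
            # HELO is self-asserted by the sending host; only rDNS/IP are observed by the receiver.
            findings.append(
                f"HELO '{origin['helo']}' claims the From: domain but the host resolved to '{origin['rdns']}'"
            )
    return {
        "from_domain": from_domain,
        "hops": hops,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for line in triage_headers(SAMPLE_HEADERS)["findings"]:
        print("finding:", line)
```

This is a triage heuristic for a single captured message, not a substitute for SPF/DKIM/DMARC evaluation: in a mail pipeline the Authentication-Results: header written by your own gateway is the authoritative signal, and the check above is what you fall back on when a sample arrives without it.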

Intelligence


File Origin
# of uploads: 1
# of downloads: 156
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: proforma invoice.exe
File size: 943'104 bytes
SHA256 hash: 4b41260da8f93986ca0bac53fd006dd6e17fb94b81960677221ed9ecc63b0eed
MD5 hash: cdd0fac12ad7f96185181d71647ddb98
MIME type: application/x-dosexec
Signature: zgRAT
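The archive's single member is a PE executable named like a shipping document ("proforma invoice.exe"), which is what the vendor "masquerade" tag below refers to. The script that follows is an added example, not code from MalwareBazaar or the reporter: it inspects a zip in memory without extracting anything to disk, hashes the archive and each member, flags members whose content (MZ magic) or extension is executable while the name reads like a document, and looks the hashes up against the two SHA256 values listed on this page. Because the real sample cannot be embedded here, `build_constructed_sample()` produces a stand-in zip containing a minimal MZ stub under the same file name; its hashes will not match the IOCs, and the assertions only cover the flags. Run against the real archive, the member's SHA256 should equal the value listed above.

```python
import hashlib
import io
import zipfile

# IOCs copied from this MalwareBazaar entry: the archive and its single member.
KNOWN_SHA256 = {
    "838aa14bf3e65c1be78e79b9ab18731e2cf7f331658504a200a8d14eb78030cf": "zgRAT dropper archive (proforma invoice.zip)",
    "4b41260da8f93986ca0bac53fd006dd6e17fb94b81960677221ed9ecc63b0eed": "zgRAT payload (proforma invoice.exe)",
}

# Words that make a file name look like a business document to the recipient.
DOCUMENT_WORDS = ("invoice", "proforma", "order", "receipt", "shipping", "handover")
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk")


def hashes_of(data: bytes) -> dict:
    """MD5/SHA1/SHA256 hex digests, the three hash types listed per file on the page."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def classify_member(name: str, data: bytes) -> list:
    """Flags for one archive member, based on its name and leading bytes only."""
    lower = name.lower()
    flags = []
    if data[:2] == b"MZ":
        flags.append("pe-magic")
    if lower.endswith(EXECUTABLE_EXT):
        flags.append("executable-extension")
    if any(w in lower for w in DOCUMENT_WORDS) and flags:
        flags.append("masquerade")          # document-like name over executable content
    if lower.endswith(EXECUTABLE_EXT) and lower.count(".") > 1:
        flags.append("double-extension")    # e.g. "invoice.pdf.exe"
    return flags


def triage_archive(blob: bytes) -> dict:
    """Hash the archive and its members in memory and compare against KNOWN_SHA256."""
    archive_hashes = hashes_of(blob)
    report = {
        "archive": archive_hashes,
        "ioc_hit": KNOWN_SHA256.get(archive_hashes["sha256"]),
        "members": [],
    }
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # bytes in memory only; nothing is written to disk
            member_hashes = hashes_of(data)
            report["members"].append({
                "name": info.filename,
                "size": info.file_size,
                "hashes": member_hashes,
                "flags": classify_member(info.filename, data),
                "ioc_hit": KNOWN_SHA256.get(member_hashes["sha256"]),
            })
    flagged = any(m["flags"] or m["ioc_hit"] for m in report["members"])
    report["verdict"] = "suspicious" if flagged or report["ioc_hit"] else "clean"
    return report


def build_constructed_sample() -> bytes:
    """Constructed stand-in for the real archive: a DOS-header stub, NOT the zgRAT payload."""
    stub = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not a real PE\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("proforma invoice.exe", stub)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_constructed_sample())
    print(result["verdict"])
    for member in result["members"]:
        print(member["name"], member["flags"], member["hashes"]["sha256"])
```

To use it on the actual sample, pass the raw archive bytes to `triage_archive()` and compare the printed SHA256 values with the ones listed on this page; a hit populates `ioc_hit` with the label from `KNOWN_SHA256`.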
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: masquerade packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-12-13 13:20:25 UTC
File Type: Binary (Archive)
Extracted files: 33
AV detection: 24 of 37 (64.86%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:agenttesla family:zgrat collection keylogger persistence rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Detect ZGRat V1
ZGRat
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  zgRAT
    zip 838aa14bf3e65c1be78e79b9ab18731e2cf7f331658504a200a8d14eb78030cf (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: zgRAT

Comments