MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d
SHA3-384 hash: bc533efbea6e9ed98821174fa4050bbaafb9c47cc99436368e7062fe270c22639aa974bb154b3416a581eaf34480d10f
SHA1 hash: 878318547d8de66f8c496f5d9dd4dbd84d6436a7
MD5 hash: 7a00f8ffbda8df4e59653defb251ad88
humanhash: one-speaker-maine-finch
File name:7a00f8ffbda8df4e59653defb251ad88
Download: download sample
Signature zgRAT
Create hunting rule
File size:3'059'712 bytes
First seen:2023-11-04 04:33:37 UTC
Last seen:2023-11-04 07:14:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:T1pztbA8TWkgggyXgDKwJsFunMsGb7LpBqX4TeC2j9WZCnEEurN3PaWOPO9BD0js:RBGWWksywDLZApMyJ2phuZ/VEO3B
TLSH T10EE53316FA7B7661C5840BBBCCDA89D503BCC3623A5BC2FF398E913321867D54865C1A
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
445
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://baramode.com/wp-includes/server/File.rar
Verdict:
Malicious activity
Analysis date:
2023-11-01 21:37:03 UTC
Tags:
privateloader evasion opendir loader risepro stealer redline stealc oski ransomware stop smoke sinkhole amadey botnet kelihos trojan lumma miner arkei vidar raccoon recordbreaker g0njxa
Link:
https://app.any.run/tasks/d46db0da-c4d1-466d-a294-136db798b80b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6545c9bb0adeb034334f9458/reports/a8234c1b-e652-4b67-9bf6-4d157c2100e0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8f83924-8e46-4072-8984-16932fd3798a
Result
Threat name:
Amadey, zgRAT
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1337053
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1337053 Sample: KgQJ0dIs3A.exe Startdate: 04/11/2023 Architecture: WINDOWS Score: 100 110 Multi AV Scanner detection for domain / URL 2->110 112 Found malware configuration 2->112 114 Malicious sample detected (through community Yara rule) 2->114 116 14 other signatures 2->116 10 kkrpp.exe 2->10         started        14 ContinuationOptions.exe 3 2->14         started        16 giysuh.exe 2->16         started        19 8 other processes 2->19 process3 dnsIp4 86 C:\Users\user\AppData\Local\...\Utsysc.exe, PE32 10->86 dropped 142 Multi AV Scanner detection for dropped file 10->142 144 Machine Learning detection for dropped file 10->144 146 Contains functionality to inject code into remote processes 10->146 21 Utsysc.exe 10->21         started        148 Antivirus detection for dropped file 14->148 150 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->150 152 Modifies the context of a thread in another process (thread injection) 14->152 26 ContinuationOptions.exe 2 14->26         started        94 91.193.43.180 ITFPL Belgium 16->94 154 Injects a PE file into a foreign processes 16->154 28 giysuh.exe 16->28         started        156 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->156 30 zycud.exe 19->30         started        32 KgQJ0dIs3A.exe 6 19->32         started        34 ContinuationOptions.exe 19->34         started        file5 signatures6 process7 dnsIp8 96 185.196.8.176, 49735, 49736, 49739 SIMPLECARRER2IT Switzerland 21->96 74 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 21->74 dropped 76 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 21->76 dropped 78 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 21->78 dropped 80 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 21->80 dropped 126 Multi AV Scanner detection for dropped file 21->126 128 Creates an undocumented autostart registry key 21->128 130 Machine Learning detection for dropped file 21->130 132 Uses schtasks.exe or at.exe to add and modify task schedules 21->132 36 rundll32.exe 21->36         started        38 rundll32.exe 21->38         started        41 cmd.exe 21->41         started        43 schtasks.exe 21->43         started        134 Writes to foreign memory regions 26->134 136 Modifies the context of a thread in another process (thread injection) 26->136 138 Injects a PE file into a foreign processes 26->138 45 MSBuild.exe 3 26->45         started        82 C:\Users\user\AppData\Roaming\...\TypeId.exe, PE32+ 28->82 dropped 140 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 28->140 47 WerFault.exe 30->47         started        84 C:\Users\user\...\ContinuationOptions.exe, PE32+ 32->84 dropped file9 signatures10 process11 signatures12 49 rundll32.exe 36->49         started        118 System process connects to network (likely due to code injection or exploit) 38->118 52 conhost.exe 41->52         started        54 cmd.exe 41->54         started        56 cacls.exe 41->56         started        64 4 other processes 41->64 58 conhost.exe 43->58         started        120 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 45->120 122 Modifies the context of a thread in another process (thread injection) 45->122 124 Injects a PE file into a foreign processes 45->124 60 MSBuild.exe 15 5 45->60         started        process13 dnsIp14 102 Tries to steal Instant Messenger accounts or passwords 49->102 104 Uses netsh to modify the Windows network and firewall settings 49->104 106 Tries to harvest and steal ftp login credentials 49->106 108 2 other signatures 49->108 66 netsh.exe 49->66         started        68 tar.exe 49->68         started        98 80.85.241.193, 49729, 49731, 49732 MEDIAL-ASRU Russian Federation 60->98 100 77.91.70.80, 49730, 49733, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 60->100 88 C:\Users\user\AppData\Local\Temp\zycud.exe, PE32+ 60->88 dropped 90 C:\Users\user\AppData\Local\Temp\kkrpp.exe, PE32 60->90 dropped 92 C:\Users\user\AppData\Local\Temp\giysuh.exe, PE32+ 60->92 dropped file15 signatures16 process17 process18 70 conhost.exe 66->70         started        72 conhost.exe 68->72         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d/
Threat name:
ByteCode-MSIL.Trojan.ScarletFlash
Create hunting rule
Status:
Malicious
First seen:
2023-11-01 20:31:49 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
5
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7unedehb7uhkm5lrh3m3oxkvmxpyikrrbgnupj2h5zaqb3favoq._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231104-e64afscd6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d
MD5 hash:
7a00f8ffbda8df4e59653defb251ad88
SHA1 hash:
878318547d8de66f8c496f5d9dd4dbd84d6436a7
Link:
https://www.unpac.me/results/5d451b8c-b1c6-43be-8b77-cc86a30ea755/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/87e8d20c870f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2727765/

Comments


Avatar
zbet commented on 2023-11-04 04:33:38 UTC

url : hxxp://77.91.70.80/amer.exe