MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55
SHA3-384 hash: a4c4276b6d8207f007ec2025d321a07801232a6f9d2d6f72cff626f4c02ff79f0832db9c546ca560280c6ad4d1337d06
SHA1 hash: 0da95887908b6ada23c698de6cf2f3f986655721
MD5 hash: 10243ce788b5dcbbf248058fe196f371
humanhash: mockingbird-fix-double-lion
File name:10243ce788b5dcbbf248058fe196f371.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:510'464 bytes
First seen:2023-10-30 05:45:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:nicNb5chlOMdRL8m6alMG/njrPIRp4tbhknaSJ8XC0x:tqhPRL8m6alMG/njrPIRp496aLXC0
Threatray 138 similar samples on MalwareBazaar
TLSH T18CB42915E3027505D8FCAB728FBFE7F02250ABAF5A614206BD8435FA44E939D25C3AC5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon a460f2d1f87cf860 (1 x zgRAT)
Reporter abuse_ch
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
10243ce788b5dcbbf248058fe196f371.exe
Verdict:
Malicious activity
Analysis date:
2023-10-30 07:40:10 UTC
Tags:
evasion snake
Link:
https://app.any.run/tasks/e4c36314-0edd-4de0-bce6-6f8319e129d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457011/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Win.Packed.njRAT-9938210-1
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a UDP request
Launching a service
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
njrat packed
Link:
https://www.filescan.io/uploads/653f431e72356e4f29e8fbbb/reports/b16c681b-dd0d-4b05-a0ba-8ae48828b9aa/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dccd2143-6a24-484c-bb20-1625bd712360
Result
Threat name:
Snake Keylogger, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1334037
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1334037 Sample: 3vj5tYFb6a.exe Startdate: 30/10/2023 Architecture: WINDOWS Score: 100 44 checkip.dyndns.org 2->44 46 www.google.com 2->46 48 3 other IPs or domains 2->48 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for dropped file 2->60 62 8 other signatures 2->62 8 3vj5tYFb6a.exe 6 2->8         started        signatures3 process4 file5 40 C:\Users\user\AppData\Roaming\...\chronv.exe, PE32 8->40 dropped 42 C:\Users\user\AppData\...\aspnet_compiler.exe, PE32 8->42 dropped 64 Creates an undocumented autostart registry key 8->64 66 Writes to foreign memory regions 8->66 68 Allocates memory in foreign processes 8->68 70 Injects a PE file into a foreign processes 8->70 12 powershell.exe 7 8->12         started        15 aspnet_compiler.exe 15 2 8->15         started        18 powershell.exe 7 8->18         started        20 6 other processes 8->20 signatures6 process7 dnsIp8 72 Uses ipconfig to lookup or modify the Windows network settings 12->72 22 conhost.exe 12->22         started        24 ipconfig.exe 1 12->24         started        50 checkip.dyndns.com 193.122.6.168, 49720, 80 ORACLE-BMC-31898US United States 15->50 52 ipbase.com 104.21.28.190, 443, 49722 CLOUDFLARENETUS United States 15->52 54 freegeoip.app 172.67.160.84, 443, 49721 CLOUDFLARENETUS United States 15->54 26 WerFault.exe 15->26         started        28 conhost.exe 18->28         started        30 ipconfig.exe 1 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 20->34         started        36 conhost.exe 20->36         started        38 2 other processes 20->38 signatures9 process10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2023-10-28 23:00:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rp2rzszgi3jyv5txridrfr4ecxqrhmjzgue27xawzf5ax64r5nkq._file
Verdict:
malicious
Similar samples:
2fe5f7997c9111800c88d2383cd3b62cb0c72eeb2bec3c5d72b5c1ac62d9145c
zgRAT
5b95adb9af5a6630725927c956e8ead9b5493242ac33478e3f8f417658b6ad9f
zgRAT
7480bd6a54b0197851bc35b0e4b7a330336348c0ecaa4f2f0c67f28c16a7488c
zgRAT
a290ce75c6c6b37af077b72dc9c2c347a2eede4fafa6551387fa8469539409c7
zgRAT
af9fe480abc56cf1e1354eb243ec9f5bee9cac0d75df38249d1c64236132ceab
zgRAT
b0409e5acf0d927f046c33befc48b2653ad0ee098e2d4a5764eb9af8126e539f
zgRAT
+ 128 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:zgrat keylogger rat stealer
Link:
https://tria.ge/reports/231030-ggayqada25/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
Snake Keylogger
Snake Keylogger payload
ZGRat
Unpacked files
SH256 hash:
8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55
MD5 hash:
10243ce788b5dcbbf248058fe196f371
SHA1 hash:
0da95887908b6ada23c698de6cf2f3f986655721
Link:
https://www.unpac.me/results/19dc54d3-0376-464a-8491-5d6667a61633/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8bf51ccb2646d38af6778a0712c78415e113b1393509afdc16c97a0bfb91eb55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Reverse_DOS_header
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects an reversed DOS header
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/457011/

Comments