MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251
SHA3-384 hash: 3d774ccb2beb5c005864bfede4d0932ec1939e54f14e1af476d34be58f898befa8a4bcc416cd10a907dece749e8ef33d
SHA1 hash: 2d5ec68d1d43e34d0864711983bc92f0e0cd67bd
MD5 hash: dc195f2ddc9c30d28d5fb3a2649f560c
humanhash: table-snake-leopard-east
File name:dc195f2ddc9c30d28d5fb3a2649f560c
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'018'352 bytes
First seen:2023-11-26 06:35:07 UTC
Last seen:2023-11-26 09:31:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:+4LIn/I6LyM8Kgq0Wwmcyw5bJeVjTkLZcK:CQ2yM8Kgq0Wwmcyw5bJakLB
Threatray 46 similar samples on MalwareBazaar
TLSH T1A225A2440A9D4697F40E1678F02DD37A1BA1CD3962DAAB8769C1BDB3397D322FB36041
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon f08e9686dad89ac4 (5 x zgRAT, 4 x PureLogsStealer, 3 x Amadey)
Reporter zbetcheckin
Tags:64 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
305
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460233/
Detection(s):
SecuriteInfo.com.Win64.Trojan.Agent.O91IJH.26967.4296.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lolbin overlay packed replace
Link:
https://www.filescan.io/uploads/6562e7522efa450749a5ecc2/reports/f451a241-fd8f-4461-893e-d156da7c685c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ecf7b84b-8534-4ba9-b771-742e05c3704f
Result
Threat name:
Vidar, Xmrig, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1347882
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Stratum mining protocol
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected Vidar
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1347882 Sample: J536Sd0EOM.exe Startdate: 26/11/2023 Architecture: WINDOWS Score: 100 91 xmr.2miners.com 2->91 93 t.me 2->93 95 3 other IPs or domains 2->95 113 Sigma detected: Xmrig 2->113 115 Multi AV Scanner detection for domain / URL 2->115 117 Malicious sample detected (through community Yara rule) 2->117 119 13 other signatures 2->119 10 TypeId.exe 2->10         started        13 J536Sd0EOM.exe 14 3 2->13         started        16 XsdType.exe 14 3 2->16         started        18 4 other processes 2->18 signatures3 process4 dnsIp5 163 Multi AV Scanner detection for dropped file 10->163 165 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->165 167 Modifies the context of a thread in another process (thread injection) 10->167 20 TypeId.exe 10->20         started        111 79.137.196.104, 49705, 49706, 49707 PSKSET-ASRU Russian Federation 13->111 169 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->169 171 Injects a PE file into a foreign processes 13->171 23 umrvdn.exe 13->23         started        25 J536Sd0EOM.exe 6 13->25         started        28 XsdType.exe 2 16->28         started        173 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 18->173 30 jtnitrm.exe 18->30         started        32 wzmgwmky.exe 18->32         started        35 XsdType.exe 18->35         started        37 wzmgwmky.exe 18->37         started        signatures6 process7 dnsIp8 127 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->127 129 Writes to foreign memory regions 20->129 131 Modifies the context of a thread in another process (thread injection) 20->131 39 MSBuild.exe 20->39         started        133 Multi AV Scanner detection for dropped file 23->133 135 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 23->135 42 umrvdn.exe 23->42         started        46 umrvdn.exe 23->46         started        73 C:\Users\user\AppData\Local\...\XsdType.exe, PE32+ 25->73 dropped 137 Found many strings related to Crypto-Wallets (likely being stolen) 25->137 139 Injects a PE file into a foreign processes 28->139 48 InstallUtil.exe 14 3 28->48         started        75 C:\Users\user\AppData\Roaming\...\TypeId.exe, PE32+ 30->75 dropped 87 connv2.proxies.tv 51.79.32.112, 49736, 49738, 49769 OVHFR Canada 32->87 89 ip.allproxy.io 172.67.159.225 CLOUDFLARENETUS United States 32->89 77 C:\Users\user\AppData\...\provisionshare.url, MS 32->77 dropped file9 signatures10 process11 dnsIp12 141 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 39->141 143 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 39->143 145 Modifies the context of a thread in another process (thread injection) 39->145 50 MSBuild.exe 39->50         started        105 t.me 149.154.167.99, 443, 49730 TELEGRAMRU United Kingdom 42->105 107 128.140.72.50, 443, 49732, 49737 HETZNER-ASDE Germany 42->107 79 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 42->79 dropped 81 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 42->81 dropped 83 C:\Users\user\AppData\...\softokn3[1].dll, PE32 42->83 dropped 85 10 other files (none is malicious) 42->85 dropped 147 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->147 149 Found many strings related to Crypto-Wallets (likely being stolen) 42->149 151 Tries to harvest and steal ftp login credentials 42->151 153 Tries to harvest and steal browser information (history, passwords, etc) 42->153 155 Injects a PE file into a foreign processes 48->155 54 InstallUtil.exe 48->54         started        file13 signatures14 process15 dnsIp16 97 185.17.0.22, 39001, 49728, 49733 SUPERSERVERSDATACENTERRU Russian Federation 50->97 99 normaleverydayblog.com 217.195.152.207, 443, 49735 SHOCK-1US Netherlands 50->99 121 Writes to foreign memory regions 50->121 123 Modifies the context of a thread in another process (thread injection) 50->123 125 Injects a PE file into a foreign processes 50->125 57 AddInProcess.exe 50->57         started        60 AddInProcess.exe 50->60         started        63 AddInProcess.exe 50->63         started        65 2 other processes 50->65 101 185.196.8.238, 49711, 49720, 49723 SIMPLECARRER2IT Switzerland 54->101 103 80.85.241.193, 49708, 49718, 49719 MEDIAL-ASRU Russian Federation 54->103 67 C:\Users\user\AppData\Local\...\wzmgwmky.exe, PE32+ 54->67 dropped 69 C:\Users\user\AppData\Local\Temp\umrvdn.exe, PE32 54->69 dropped 71 C:\Users\user\AppData\Local\...\jtnitrm.exe, PE32+ 54->71 dropped file17 signatures18 process19 dnsIp20 157 Query firmware table information (likely to detect VMs) 57->157 159 Found strings related to Crypto-Mining 57->159 109 xmr.2miners.com 162.19.139.184, 2222, 49766, 49772 CENTURYLINK-US-LEGACY-QWESTUS United States 60->109 signatures21 161 Detected Stratum mining protocol 109->161
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-11-26 00:27:35 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
19
AV detection:
8 of 23 (34.78%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rzue2p4vfgzuhfwhbd5pzjesuizt2ubcebbmhjpyw75qk46jmjiq._file
Verdict:
malicious
Similar samples:
04e3926ce6762b1dc0ce2ea8107a36e9bdda11673ae5b333bccb81a72690a3a1
zgRAT
42e2ad1b0ae1c68d812cc652e0167b2b51d51fc33712fba712223704ea609435
zgRAT
795e333056f12db05a5c212318e3f1e3d915a8e7f88737fc34321465a6c1bfad
zgRAT
87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d
zgRAT
8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251
zgRAT
a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564
zgRAT
daed3dc9b621dc7d62cd2ab8443e18e1cdf93f5db7131c64135ec76769502b7f
zgRAT
+ 36 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:xmrig family:zgrat miner rat
Link:
https://tria.ge/reports/231126-hcw6tsfd7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Downloads MZ/PE file
XMRig Miner payload
Detect ZGRat V1
ZGRat
xmrig
Unpacked files
SH256 hash:
8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251
MD5 hash:
dc195f2ddc9c30d28d5fb3a2649f560c
SHA1 hash:
2d5ec68d1d43e34d0864711983bc92f0e0cd67bd
Link:
https://www.unpac.me/results/d6215bf0-4341-4933-a9c4-72d1e536c32c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8e684d3f9529/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2735269/
Cape
Cape
https://www.capesandbox.com/analysis/460233/

Comments


Avatar
zbet commented on 2023-11-26 06:35:08 UTC

url : hxxp://185.196.8.238/LauncherPatchv2.exe