MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90a24e8cace3fab7ce1638a5cf90684e78715ff098e12dbbebc2a95a3d314b24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90a24e8cace3fab7ce1638a5cf90684e78715ff098e12dbbebc2a95a3d314b24
SHA3-384 hash: b7e1781abf3521c3675adf3c28e05ecf5f83006bdcbbbf7d47ea1c2de488295603a318a9b93898a3cee38740eda6b7e0
SHA1 hash: c1c96057b526eb0643e0d582fe6004a383158266
MD5 hash: 5287b216eb5e9afca5ea8b38ec4b2af0
humanhash: west-eighteen-floor-river
File name:doingCTIrocks_crypted_EASY.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:689'910 bytes
First seen:2024-03-07 19:34:45 UTC
Last seen:2024-03-07 22:17:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e7d857a6b1d7de1b6c756d2d381fe554 (2 x RedLineStealer, 1 x zgRAT)
ssdeep 12288:0OZlo49VQbkeWL/+Sqw5lRvufnl6jlQhSt1+6OutiY2a:5S4DUOL/+Sqwz4nl6oSt17O0Ia
Threatray 1 similar samples on MalwareBazaar
TLSH T1BAE4BF5BA3A804E5E8B9823CC5A74706A7F1B8211387DBCB1274933DAE37FD42974719
TrID 45.6% (.EXE) InstallShield setup (43053/19/16)
17.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
11.1% (.EXE) Win64 Executable (generic) (10523/12/4)
6.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter g0njxa
Tags:exe KZTEAMREBORN Meta zgRAT

Intelligence

File Origin
# of uploads :
5
# of downloads :
399
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
90a24e8cace3fab7ce1638a5cf90684e78715ff098e12dbbebc2a95a3d314b24.exe
Verdict:
Malicious activity
Analysis date:
2024-03-07 19:37:03 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/78a3871f-9877-4c77-a9ba-d3eef1a84a23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.4901.11718.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto evasive lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65ea16ed757c624818a5920b/reports/41b6e60a-b649-42c2-84ac-2d6f5fcd78da/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/90a24e8cace3fab7ce1638a5cf90684e78715ff098e12dbbebc2a95a3d314b24
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f6ccdfb3-26a0-4d7f-a2a6-1cf8c3f3513c
Result
Threat name:
PureLog Stealer, RedLine, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1405052
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/90a24e8cace3fab7ce1638a5cf90684e78715ff098e12dbbebc2a95a3d314b24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90a24e8cace3fab7ce1638a5cf90684e78715ff098e12dbbebc2a95a3d314b24/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-03-07 19:35:09 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=scre5dfm4p5lptqwhcs47edijz4hcx7qtdqs3o7lykuvupjrjmsa._file
Verdict:
malicious
Similar samples:
a7280711eeca44e42613084aa5b1bd8853d44ae5425bd47c27a69e330ba2edfd
zgRAT
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:zgrat brand:microsoft discovery infostealer phishing rat spyware stealer
Link:
https://tria.ge/reports/240307-yanpnsch7z/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Detected potential entity reuse from brand microsoft.
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Detect ZGRat V1
RedLine
RedLine payload
ZGRat
Unpacked files
SH256 hash:
6b942a0f4e1a0984bb03e66d9513ec5fcbbc242812057e2f4bee13914df2780a
MD5 hash:
96349164287f559ad3bf88fd3e6f8d90
SHA1 hash:
656c2345adf832196481fdc99e26ba146c159a3d
Detections:
MALWARE_Win_zgRAT
Create hunting rule
Link:
https://www.unpac.me/results/4dafb041-1239-4a37-80e2-83459699e495/
SH256 hash:
d7152299e7108e0e37cdc26082ccbd1efb846554621300adf62ff4e1e213a782
MD5 hash:
91c9dab6abd012e7110a74409892e82c
SHA1 hash:
e350c85c06faadd38b964dec8eeb880f8323abb5
Link:
https://www.unpac.me/results/4dafb041-1239-4a37-80e2-83459699e495/
SH256 hash:
90a24e8cace3fab7ce1638a5cf90684e78715ff098e12dbbebc2a95a3d314b24
MD5 hash:
5287b216eb5e9afca5ea8b38ec4b2af0
SHA1 hash:
c1c96057b526eb0643e0d582fe6004a383158266
Link:
https://www.unpac.me/results/4dafb041-1239-4a37-80e2-83459699e495/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90a24e8cace3fab7ce1638a5cf90684e78715ff098e12dbbebc2a95a3d314b24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_MetaStealer
Create hunting rule
Author:ditekSHen
Description:Detects MetaStealer infostealer
Rule name:MALWARE_Win_zgRAT
Create hunting rule
Author:ditekSHen
Description:Detects zgRAT
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_RedLineStealer_6dfafd7b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::FreeConsole

Comments