MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93ad313374f7b6cab1fcc2e3d069a6932abd5b70aa5313da8d3c912983b66f7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments 1

SHA256 hash:	93ad313374f7b6cab1fcc2e3d069a6932abd5b70aa5313da8d3c912983b66f7a
SHA3-384 hash:	ab9fdb3f2ea28665d15365acc34b4b99b5c56840216d335a3e5a3271800e8ea6c12dc571b830a3c94954af11b49de386
SHA1 hash:	514acfe962e76ec4a6cad479e36627a09446f3b1
MD5 hash:	46c0e34ddfde46cdcf8bde9398c4d958
humanhash:	seventeen-timing-mirror-cold
File name:	46c0e34ddfde46cdcf8bde9398c4d958
Download:	download sample
Signature	zgRAT Create hunting rule
File size:	985'768 bytes
First seen:	2023-11-27 11:52:40 UTC
Last seen:	2023-11-27 13:17:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:0SOcQjuwnVXY+7FgkH5uHTEsHEiwt3goxp1CQ:PUnFYE6k0hkPZbCQ
Threatray	3'948 similar samples on MalwareBazaar
TLSH	T1C325238867CD9D22CBABFBFC23E914211BB0778016D3C21AD7A595D01AA1BD37853B53
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	zbetcheckin
Tags:	32 exe zgRAT

Intelligence

File Origin

# of uploads :

# of downloads :

286

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

46c0e34ddfde46cdcf8bde9398c4d958

Verdict:

Suspicious activity

Analysis date:

2023-11-27 11:53:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cd6e2d30-a3c4-4e5f-ae6f-5c15dd3094a5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/460657/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.24315.28725.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Creating a window

Searching for the window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/656483252efa450749a90be8/reports/ed00e29b-f2f1-4f75-b9eb-65dddb59408e/overview

Verdict:

Malicious

Labled as:

Marsilia.Generic

Link:

https://www.hybrid-analysis.com/sample/93ad313374f7b6cab1fcc2e3d069a6932abd5b70aa5313da8d3c912983b66f7a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/805cbc7d-21f3-4fcc-ae41-8b45435bf69c

Result

Threat name:

zgRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1348506

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/93ad313374f7b6cab1fcc2e3d069a6932abd5b70aa5313da8d3c912983b66f7a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/93ad313374f7b6cab1fcc2e3d069a6932abd5b70aa5313da8d3c912983b66f7a/

Threat name:

ByteCode-MSIL.Trojan.Marsilia

Status:

Malicious

First seen:

2023-11-23 16:38:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sowtcm3u663mvmp4ylr5a2ngsmvl2w3qvjjrhwunhsista5wn55a._file

Verdict:

malicious

zgRAT

3337faf918dbf673268d01fc2eee9cdd5f0996a050e37114bc54e25a1d44c157

zgRAT

795e333056f12db05a5c212318e3f1e3d915a8e7f88737fc34321465a6c1bfad

zgRAT

93ad313374f7b6cab1fcc2e3d069a6932abd5b70aa5313da8d3c912983b66f7a

zgRAT

9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf

zgRAT

c1bd141a8c2a27b5c7318229556282a4259a9caba1b3768ec58a83dc2d7afdca

zgRAT

cfa592b0128bc126fbf3fb66c551a8d87223b196f5e0cd87e60b88bdc688c6e0

zgRAT

f76c7d8841a467f13ab5d2c39b56d297a2fa94867973c201d40f877355849092

zgRAT

fc0b9d2a311a40467281c79ec0822d2fce7a156a9970fc98eb57fd55c71764e6

zgRAT

+ 3'938 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/231127-n2bt3sgc68/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Unpacked files

SH256 hash:

e449cad332b48beb6961cba329e2f7553357b907251e221e1d5d97aaed054ee1

MD5 hash:

16ca802c8810ac21497961ffde7238e2

SHA1 hash:

c2b0156fb07fad92681d97beb9b4413cf6d84e8d

Link:

https://www.unpac.me/results/43c6479d-2ee2-4678-b44c-fa8f0046e9d8/

SH256 hash:

72c8202a7de7a55d492d4f72fae373396e6ec97273c6284909d61d60393ac234

MD5 hash:

56d93f755dc543df7f89ba17d0ee318b

SHA1 hash:

af499685d87a7f7358b34493abd07864aa9af8a9

Link:

https://www.unpac.me/results/43c6479d-2ee2-4678-b44c-fa8f0046e9d8/

SH256 hash:

93bb87ba5ffb930f4c2b8e0401c775f7fbe17415ff7d4991185aef0ab265ffb9

MD5 hash:

5d9b80b68f849e2c2a9d890438b5f755

SHA1 hash:

5a7d77450593bd56f34f44d31073d2a521042b97

Link:

https://www.unpac.me/results/43c6479d-2ee2-4678-b44c-fa8f0046e9d8/

SH256 hash:

cd0aa79ebeacea3d2a6dc965a4316d8c50b81a45b5ecc35dceef9fe9ffc29a21

MD5 hash:

5f107c49648477428b898105f643e50a

SHA1 hash:

f01a9d242ef95c7679b725d8702fe40a0c96f8c7

Link:

https://www.unpac.me/results/43c6479d-2ee2-4678-b44c-fa8f0046e9d8/

SH256 hash:

b1bbc3515509a41256f95b9544cc49242ecf5764fd9078f2ade4bb1da1be1588

MD5 hash:

0b67c5ffd43936f68a3649dbeae714e2

SHA1 hash:

b118d2c9fb3b3c48ac5f8423c49756763dc2aa5c

Link:

https://www.unpac.me/results/43c6479d-2ee2-4678-b44c-fa8f0046e9d8/

SH256 hash:

b93ea29fc8ae517d0768f753feb10da2d988fda73cc484f26e351866ad18ed94

MD5 hash:

f29bbe39b7ad37b5a6c0b24b8489aa67

SHA1 hash:

a1df0685ae9b1a089375c16ac8708807d4cd21f4

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/43c6479d-2ee2-4678-b44c-fa8f0046e9d8/

SH256 hash:

005f765b21ddf9211513e402e05a69f205d3086b7bb4f20314ca11450ea55e28

MD5 hash:

870bd782881522c96a4cd7f2ef8b95cd

SHA1 hash:

66dc08e70ff4b86db018b965de66ecf4f1b8cea1

Link:

https://www.unpac.me/results/43c6479d-2ee2-4678-b44c-fa8f0046e9d8/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/43c6479d-2ee2-4678-b44c-fa8f0046e9d8/

SH256 hash:

93ad313374f7b6cab1fcc2e3d069a6932abd5b70aa5313da8d3c912983b66f7a

MD5 hash:

46c0e34ddfde46cdcf8bde9398c4d958

SHA1 hash:

514acfe962e76ec4a6cad479e36627a09446f3b1

Link:

https://www.unpac.me/results/43c6479d-2ee2-4678-b44c-fa8f0046e9d8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/93ad313374f7b6cab1fcc2e3d069a6932abd5b70aa5313da8d3c912983b66f7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

exe 93ad313374f7b6cab1fcc2e3d069a6932abd5b70aa5313da8d3c912983b66f7a

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2735548/

Cape

https://www.capesandbox.com/analysis/460657/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-11-27 11:52:41 UTC

url : hxxp://pmjo.fra1.cdn.digitaloceanspaces.com/Zdznzuwlua.exe