MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b7c71c299faeabcbe450a3a14da0579db63dcb86be807c1ab47389205048712. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	9b7c71c299faeabcbe450a3a14da0579db63dcb86be807c1ab47389205048712
SHA3-384 hash:	c3c8588f4ff6cc287e2196adf6b66451a873f38d8d4cdf20adc18685a1aa33dbf2ed7f97ba9f3feb8d83d95f4bf5dde4
SHA1 hash:	92d6ab58ac492ed6a5819663c729678d37c4a16b
MD5 hash:	d840a2c72a512dd1216b6a9d55064bdb
humanhash:	idaho-lima-network-spring
File name:	file
Download:	download sample
Signature	zgRAT Create hunting rule
File size:	3'938'816 bytes
First seen:	2023-02-01 12:24:07 UTC
Last seen:	2023-02-02 10:39:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:5zD5WoDpbTNjS0kfrdX77+p4N+WaB0+X0smhKpcE0RMfAGea1713LBpN8Xw/d:HWX77+PV0bsoKpcE0VGean3LRSg
Threatray	3'038 similar samples on MalwareBazaar
TLSH	T1F1060ECD725071DEC513C576DA641D28E7A0A666430F9223D05B13EBAE0EBABDF580F2
TrID	54.8% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 20.3% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.6% (.SCR) Windows screen saver (13097/50/3) 2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter	andretavare5
Tags:	exe zgRAT

andretavare5

Sample downloaded from https://vk.com/doc712319849_660885895?hash=bWtG6Ou9cqgWaSoyh6g3kRpf9LLiQwmPUoYZDPdfBWD&dl=G4YTEMZRHE4DIOI:1675243013:9o0lODyaaEM2AHBlWztPxdknTUdYrUQNXVaqUSWcB7s&api=1&no_preview=1#1231413

Intelligence

File Origin

# of uploads :

# of downloads :

219

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2023-02-01 12:26:36 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5091d4e0-be7c-4f18-b999-0d379262cad4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

zgRAT

Link:

https://www.capesandbox.com/analysis/358968/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware packed packed

Link:

https://www.filescan.io/uploads/63da5a20447edb203a025eca/reports/8a0244a0-ba8a-461e-8d1a-9d7e3d023b6f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

MassLogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/df0cd749-bd4f-4a8a-a154-7681a2d76b44

Result

Threat name:

Vidar, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1163157

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Vidar stealer

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b7c71c299faeabcbe450a3a14da0579db63dcb86be807c1ab47389205048712/

Threat name:

ByteCode-MSIL.Trojan.Johnnie

Status:

Malicious

First seen:

2023-02-01 12:25:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tn6hdquz7lvlzpsfbi5bjwqfphnwhxfynpuapqnli44jebieq4ja._file

Verdict:

malicious

zgRAT

395684a702c00aab157831c4a22745a500a07494272e138cb48675da4635452b

zgRAT

59cb024dac79e0a360f7feab234c5dfe59881d1934a42a9d4ffec1862682e78d

zgRAT

5cf09ada20a1467a9f031f8253ca916e3a61d1a399ad64153e63d6ed140f7ee3

zgRAT

605ade46e2008848c5d97ab59b76fa42ae845e3833545bf933b945ae6db9839f

zgRAT

abe4dfebcc520433a7e9d2f95b0cd46ff6e05c754b046cdb8fd0a72583259332

zgRAT

b206c2d164d66dcd9fad4cffdcb28d73eb64d2f663f1de6fb90cc10b47665c41

zgRAT

+ 3'028 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:886 spyware stealer

Link:

https://tria.ge/reports/230201-pll6jsfa6w/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

.NET Reactor proctector

Vidar

Malware Config

C2 Extraction:

https://t.me/mantarlars
https://steamcommunity.com/profiles/76561199474840123

Unpacked files

SH256 hash:

9b7c71c299faeabcbe450a3a14da0579db63dcb86be807c1ab47389205048712

MD5 hash:

d840a2c72a512dd1216b6a9d55064bdb

SHA1 hash:

92d6ab58ac492ed6a5819663c729678d37c4a16b

Detections:

VidarStealer

Link:

https://www.unpac.me/results/dde25a3a-39da-4939-803d-5e0f79e5f1fc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b7c71c299faeabcbe450a3a14da0579db63dcb86be807c1ab47389205048712

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	MALWARE_Win_zgRAT Create hunting rule
Author:	ditekSHen
Description:	Detects zgRAT

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Links Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/358968/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample