MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998
SHA3-384 hash: 91aa5ec9167ccee6152ff3dca2b1a437e4a5f38bb4fc36c193dbda2865782c5e99e701e13cb6426ab0101c1816718dcc
SHA1 hash: a405bafadae7f27a3dbe108e8690034fe45b3330
MD5 hash: eace63ea1948f012941dd4a9b3ac3c94
humanhash: emma-eleven-hamper-fifteen
File name:eace63ea1948f012941dd4a9b3ac3c94
Download: download sample
Signature zgRAT
Create hunting rule
File size:930'304 bytes
First seen:2023-11-28 05:30:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:emL7X62LBPsHdB3irLKfM9WCjC3NnOBk5/s0v1n3:JW2LBECUCjC5l5k0v
Threatray 891 similar samples on MalwareBazaar
TLSH T1A01533DA676DFE0EC59E5CB9C693C6348BF880F45A23EB1D9DA844EF041B8D97440389
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 exe zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://mumayizat.com/wp-content/litespeed/reliase1_9.rar
Verdict:
Malicious activity
Analysis date:
2023-11-28 12:10:35 UTC
Tags:
privateloader evasion loader risepro stealer redline ransomware stop stealc smoke smokeloader sinkhole socks5systemz rat backdoor dcrat remote miner g0njxa
Link:
https://app.any.run/tasks/8b2c30f2-867c-4c49-82d4-a1a2b80b4772

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460841/
Detection(s):
Win.Packed.Dropperx-10015353-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65657b1716b73d8637229d02/reports/288e510a-fc5d-4c6d-8731-f6051f7cbeed/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68a89e39-448f-4c2d-953d-23e9535affd0
Result
Threat name:
Vidar, Xmrig, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1349043
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected Stratum mining protocol
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1349043 Sample: vHpbb4Bw72.exe Startdate: 28/11/2023 Architecture: WINDOWS Score: 100 76 xmr.2miners.com 2->76 78 transfer.sh 2->78 80 4 other IPs or domains 2->80 104 Sigma detected: Xmrig 2->104 106 Multi AV Scanner detection for domain / URL 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 14 other signatures 2->110 10 TypeId.exe 2->10         started        13 XsdType.exe 3 2->13         started        15 orxvizmvc.exe 2->15         started        17 9 other processes 2->17 signatures3 process4 dnsIp5 140 Multi AV Scanner detection for dropped file 10->140 142 Machine Learning detection for dropped file 10->142 144 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->144 21 TypeId.exe 10->21         started        146 Antivirus detection for dropped file 13->146 148 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->148 150 Modifies the context of a thread in another process (thread injection) 13->150 24 XsdType.exe 2 13->24         started        152 Injects a PE file into a foreign processes 15->152 26 orxvizmvc.exe 15->26         started        74 qu.ax 83.229.35.104, 443, 49731, 49773 SKYVISIONGB United Kingdom 17->74 54 C:\Users\user\AppData\...\Rwxomcvccn.exe, PE32+ 17->54 dropped 30 vHpbb4Bw72.exe 6 17->30         started        32 tptgqibix.exe 17->32         started        34 xtwdyaho.exe 17->34         started        36 6 other processes 17->36 file6 signatures7 process8 dnsIp9 118 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->118 120 Writes to foreign memory regions 21->120 122 Modifies the context of a thread in another process (thread injection) 21->122 38 MSBuild.exe 21->38         started        124 Injects a PE file into a foreign processes 24->124 41 InstallUtil.exe 3 24->41         started        84 t.me 149.154.167.99, 443, 49719 TELEGRAMRU United Kingdom 26->84 86 94.130.188.133, 49723, 49725, 49726 HETZNER-ASDE Germany 26->86 56 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 26->56 dropped 126 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->126 128 Found many strings related to Crypto-Wallets (likely being stolen) 26->128 130 Tries to harvest and steal ftp login credentials 26->130 132 Tries to harvest and steal browser information (history, passwords, etc) 26->132 58 C:\Users\user\AppData\Local\...\XsdType.exe, PE32+ 30->58 dropped 60 C:\Users\user\AppData\Roaming\...\TypeId.exe, PE32+ 32->60 dropped 62 C:\Users\user\AppData\Roaming\...\TypeId.exe, PE32+ 34->62 dropped 88 connv2.proxies.tv 51.79.32.112, 49756, 49758, 9082 OVHFR Canada 36->88 90 ip.allproxy.io 104.21.58.128 CLOUDFLARENETUS United States 36->90 92 172.67.159.225 CLOUDFLARENETUS United States 36->92 64 C:\Users\user\AppData\...\provisionshare.url, MS 36->64 dropped file10 signatures11 process12 signatures13 134 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 38->134 136 Modifies the context of a thread in another process (thread injection) 38->136 138 Injects a PE file into a foreign processes 38->138 43 MSBuild.exe 38->43         started        47 InstallUtil.exe 15 6 41->47         started        process14 dnsIp15 94 transfer.sh 144.76.136.153, 443, 49744 HETZNER-ASDE Germany 43->94 96 45.61.138.121, 39001, 49736, 49742 AS40676US United States 43->96 154 Writes to foreign memory regions 43->154 156 Modifies the context of a thread in another process (thread injection) 43->156 158 Injects a PE file into a foreign processes 43->158 50 AddInProcess.exe 43->50         started        98 185.196.9.161, 49708, 49724, 80 SIMPLECARRIERCH Switzerland 47->98 100 185.196.8.238, 49705, 49720, 80 SIMPLECARRER2IT Switzerland 47->100 102 80.85.241.193, 49704, 49706, 49707 MEDIAL-ASRU Russian Federation 47->102 66 C:\Users\user\AppData\Local\...\xtwdyaho.exe, PE32+ 47->66 dropped 68 C:\Users\user\AppData\Local\...\vlqplhvmh.exe, PE32+ 47->68 dropped 70 C:\Users\user\AppData\Local\...\tptgqibix.exe, PE32+ 47->70 dropped 72 C:\Users\user\AppData\Local\...\orxvizmvc.exe, PE32 47->72 dropped file16 signatures17 process18 dnsIp19 82 xmr.2miners.com 162.19.139.184, 2222, 49769 CENTURYLINK-US-LEGACY-QWESTUS United States 50->82 112 Query firmware table information (likely to detect VMs) 50->112 114 Found strings related to Crypto-Mining 50->114 signatures20 116 Detected Stratum mining protocol 82->116
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998/
Threat name:
Win64.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-11-28 05:31:05 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=usa3gahrz5pmq4zelulmbyh57qmpnaopf3tifmr5i7oqwermjgma._file
Verdict:
malicious
Similar samples:
34e8f89b08f8eb1ed0a72f0cc584bcc816ed56338ec8164c9f303fb53bb89cf5
zgRAT
5037733d3123c797e4c67a9c4d6aa45d99486f45afb64bc52979c142defa23b3
zgRAT
795e333056f12db05a5c212318e3f1e3d915a8e7f88737fc34321465a6c1bfad
zgRAT
87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d
zgRAT
8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251
zgRAT
a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564
zgRAT
ad7af6aca0ba3d2fe9adb3f391800420800c0f6aa00db064fc1292232a6d881e
zgRAT
+ 881 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231128-f7pzwsff31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998
MD5 hash:
eace63ea1948f012941dd4a9b3ac3c94
SHA1 hash:
a405bafadae7f27a3dbe108e8690034fe45b3330
Link:
https://www.unpac.me/results/7fba4a61-ffbe-473c-a7b5-c54a4b239fcc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a481b300f1cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe a481b300f1cf5ec873245d16c0e0fdfc18f681cf2ee682b23d47dd0b122c4998

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2735880/
Cape
Cape
https://www.capesandbox.com/analysis/460841/

Comments


Avatar
zbet commented on 2023-11-28 05:30:45 UTC

url : hxxp://185.196.8.238/supstrim.exe