MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db
SHA3-384 hash: 3199c9e72062abaa5288005b40f8296279cdb1ec6579694a3bac76701e10abde4b0fe45765357cd4334911363e32a8f5
SHA1 hash: 37c3233503068ba139bddcd9569ebaa068265590
MD5 hash: 21d1df1da2e98a9ab9268712b8448e84
humanhash: alanine-pizza-failed-xray
File name:Para Transferi Bilgilendirmesi-dekont.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:914'844 bytes
First seen:2023-12-12 07:48:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (21 x SnakeKeylogger, 13 x MassLogger, 11 x CryptOne)
ssdeep 24576:K5xolYQY65XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA:dYkXXXXXXXXXXXXXXXXXXXXXXXXXXXXQ
Threatray 3'563 similar samples on MalwareBazaar
TLSH T1D715E02BED14A11ED873C7F06426A6A67B352E211A81DD4BABC366D63070B03B5F131F
TrID 45.2% (.RLL) Microsoft Resource Library (x86) (177572/6/26)
20.9% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
18.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
7.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
2.6% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 65626363c383e221 (3 x SnakeKeylogger, 1 x zgRAT)
Reporter abuse_ch
Tags:exe geo TUR zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/466343/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

Win.Malware.Swisyn-6803865-0
Create hunting rule

Win.Trojan.Kazy-304
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Setting a single autorun event
Launching the process to create tasks for the scheduler
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Enabling a "Do not show hidden files" option
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer hook lolbin overlay packed packed shell32
Link:
https://www.filescan.io/uploads/657810743636548f374c238f/reports/5ad38983-e861-4373-973b-3b5d8feb4c4d/overview
Verdict:
Malicious
Labled as:
Trojan.Swisyn
Link:
https://www.hybrid-analysis.com/sample/a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cda0238-db0a-4407-a05b-0206d7167776
Result
Threat name:
CryptOne, AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1359801
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PE file has a writeable .text section
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1359801 Sample: Para_Transferi_Bilgilendirm... Startdate: 12/12/2023 Architecture: WINDOWS Score: 100 77 zxq.net 2->77 79 vccmd01.zxq.net 2->79 81 8 other IPs or domains 2->81 95 Found malware configuration 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 Antivirus detection for URL or domain 2->99 101 12 other signatures 2->101 12 Para_Transferi_Bilgilendirmesi-dekont.exe 1 4 2->12         started        16 explorer.exe 2->16         started        18 svchost.exe 1 1 2->18         started        signatures3 process4 dnsIp5 69 para_transferi_bil...ndirmesi-dekont.exe, PE32 12->69 dropped 71 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 12->71 dropped 129 Installs a global keyboard hook 12->129 21 icsys.icn.exe 3 12->21         started        25 para_transferi_bilgilendirmesi-dekont.exe 3 12->25         started        83 127.0.0.1 unknown unknown 18->83 file6 signatures7 process8 file9 65 C:\Windows\System\explorer.exe, PE32 21->65 dropped 111 Antivirus detection for dropped file 21->111 113 Machine Learning detection for dropped file 21->113 115 Drops executables to the windows directory (C:\Windows) and starts them 21->115 117 2 other signatures 21->117 27 explorer.exe 3 22 21->27         started        32 para_transferi_bilgilendirmesi-dekont.exe 25->32         started        signatures10 process11 dnsIp12 85 vccmd01.t35.com 27->85 87 vccmd01.zxq.net 51.81.194.202, 443, 49714, 49715 OVHFR United States 27->87 93 4 other IPs or domains 27->93 73 C:\Windows\System\spoolsv.exe, PE32 27->73 dropped 75 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 27->75 dropped 131 Antivirus detection for dropped file 27->131 133 System process connects to network (likely due to code injection or exploit) 27->133 135 Creates an undocumented autostart registry key 27->135 143 3 other signatures 27->143 34 spoolsv.exe 2 27->34         started        89 ftp.aksumer.com 46.20.7.175, 21, 49709, 49783 AS43260TR Turkey 32->89 91 api4.ipify.org 173.231.16.77, 443, 49706 WEBNXUS United States 32->91 137 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->137 139 Tries to steal Mail credentials (via file / registry access) 32->139 141 Tries to harvest and steal browser information (history, passwords, etc) 32->141 file13 signatures14 process15 file16 63 C:\Windows\System\svchost.exe, PE32 34->63 dropped 103 Antivirus detection for dropped file 34->103 105 Machine Learning detection for dropped file 34->105 107 Drops executables to the windows directory (C:\Windows) and starts them 34->107 109 2 other signatures 34->109 38 svchost.exe 3 3 34->38         started        signatures17 process18 file19 67 C:\Users\user\AppData\Local\stsys.exe, PE32 38->67 dropped 119 Antivirus detection for dropped file 38->119 121 Detected CryptOne packer 38->121 123 Creates an undocumented autostart registry key 38->123 125 4 other signatures 38->125 42 spoolsv.exe 38->42         started        45 at.exe 38->45         started        47 at.exe 38->47         started        49 25 other processes 38->49 signatures20 process21 signatures22 127 Installs a global keyboard hook 42->127 51 conhost.exe 45->51         started        53 conhost.exe 47->53         started        55 conhost.exe 49->55         started        57 conhost.exe 49->57         started        59 conhost.exe 49->59         started        61 22 other processes 49->61 process23
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db/
Threat name:
Win32.Trojan.Golsys
Create hunting rule
Status:
Malicious
First seen:
2023-12-12 07:49:07 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
23 of 23 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u2xmzj6y6dhymgxdfmgoksbc4hj4qluunbmgdmjqzbbpmavz27nq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
222aedbf7c1a8e5d3b7b48549ab96dd38de83fe5a562f4735101963436bdc1e2
zgRAT
47288109ffdc20ef6cc5f098dba87af97203312f952f63cabbb504d97a03ceaf
zgRAT
49cbd743a040465d6757e0e5d408d674624053368967940cd8c51ac97925bfc8
zgRAT
7906ee05067f6ef5bfb9e5ea9ddd16575ca0830d465bc06a3cfedafaf6167192
zgRAT
d71c1598f04d52b66983f6e7341b1f940e4732a6acd57bf021f9f00f85235d42
zgRAT
e9767c506d805d84d30aba139bb06e03f96f3043e902e28d4b36255e9171095b
zgRAT
+ 3'553 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:zgrat evasion keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231212-jnpfsshbgj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies Installed Components in the registry
AgentTesla
Detect ZGRat V1
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
ZGRat
Unpacked files
SH256 hash:
502e55c7b8307586a97c3553fa12f6b2e3937af4ec6e3694321c93c05ae85bc8
MD5 hash:
5a453970f67febd0f419c18851a1140d
SHA1 hash:
bcfcedc7fb8d2353bc9e24c9785e4e6e9bf8b3a6
Link:
https://www.unpac.me/results/301d44b2-0af6-4957-8dd8-325b8a3e4ebf/
SH256 hash:
5b3f185093bbabbfbcfeeccd361f1d03242d35a63478f544cff09246d5582562
MD5 hash:
4c401858f706f2bfbc67915f92f4b2b2
SHA1 hash:
9cf4d2bcce791e37089d3d4bbc41de97c14adbf4
Detections:
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/301d44b2-0af6-4957-8dd8-325b8a3e4ebf/
SH256 hash:
ac74b6323686a1559af60949f559ff4248b008b592f0a0bc8bc7bca56c5af51b
MD5 hash:
a040a3815da269207ec8617ef9659caa
SHA1 hash:
731f018aa62abc957a2e53fe9047ee3247b5d9f5
Detections:
MALWARE_Win_zgRAT
Create hunting rule
Link:
https://www.unpac.me/results/301d44b2-0af6-4957-8dd8-325b8a3e4ebf/
Parent samples :
6f13cda874c2c4679ecc9be84fb66cb7aeb0e41175257ff093f353206ee07a2a
c70c391c3da0b64bb0f82437b3ebe6b18efa3cf871c2d890820725a060474bf1
116471f0d1acaf2e16533a66e0f53eb4c281e5a58a20533724ee6eab2a355f8f
73748ac07ab22e04c4c950cac58d559e8fcceeb7b919fb6b933cd20201c29fce
b5deb3a04bc823e2177189360ba4b1cacaf393633d88512a338baccf2a8ac306
f850cc8baaa282f21dd826e56b17b9eed05fb28d0d5acabaa7ac22b42bf33a5f
64140612ad5497b44f9ec5b6b65013f817cd4db10171ee66e88a7ce721597b30
a321afdf7017aa7e545bbea6ff63ed34b98769f54baf61874d7d05a2671dd152
1c1ffe1a97f66ee3f36058ba41beda34fe52b2a4ff3e10dbf487d3ead8ca8432
3f479de77fd65ff82d89c44b941aedd81d9afe93093699e40ba82b02e058719a
bd8eb863926c72554215411e9b181419ddb5b4215ed739a153bc3dc5409f6b72
083488944d0efc342bbb4bdb7881822e14781b3888ea58d1f7121dea52933373
5a62ce1ce44bcaed2a0fddb1aadfa7bc0fcc3a63eadfc0016fb4038975bf4ebe
22fe993d3d069bbd257db91dd0bc76cffabc3a67ac535e0cadc7e58649f78f49
a50c08375ddd2954e1f0082afddecbe511c8cd55111471b34d9820f2874cdf04
e9f88073d5491f31b1adfaea06537b8601075e4cf5990a415248ae0508240126
eb2e77542e2aa39e9b1dab537b748205b21e2f97667d6d0f4705db08bbed0674
44b93183c3adf1687380f0c5dc8af00571fb0f882fef49f5d649ecc8149d98d3
cf07ccee4a997c438225cd4b3ca7f706fbc9be102e979da877390d3c9bf1d4ea
4a5c1ecaabfa1e8421a4a975593f1563f5170f538daa982ea2050e902bd7dd28
e6dae7830360bb68c07346c6d4d1a34fbad395f816f555ebac96c683adf12008
9c0346e08a28cec8ab5be231e650450bbf64ebc42a14169e755ed9badef3b630
ae86206a568d280d3e030ec9649148ff98b59c6e3cd25e78094cc53631b674d7
70a65c589b3b46ed049d952785c5f21d709c7b1558bce2b0646e54927a93da38
1ff764ec5a79ed2072a558af6de49b863e9e5683e63b3c070e86c9d1b7814f4d
41430a71d6847e8c25206b5101164baa53b098ca1ee9c8d71a33ceb09e672927
0368245b094c8052f505d99d1ced140ba11a1146febb512934b4bbd2a6820b4e
660196e4bd02b5121c4ff5ef3eb9713372d5d812ff74caac219f51b68a4d7262
8ba8416d095006be656b4b4e0eaa987cd84a5236641020ebaf22b0cdf08b24ef
a89ba38f7ceffe3e59803a0208dee82349f86c7d72aaec093f8ca310c5d20c9b
a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db
6fe2539dc4c6ada59a03070d58d4d7cdcdae0b9f5ef44be83d73f76bd534fd93
000dd50b2f3df84aa499e38e8a88994b92c14556c517cd26237eacede1130c3b
b4603870f2a94658bd915f7255062c0629fd8b756e96ad465871f9173a7a0379
bdf5c86fd79318fbe9c3e2bbf9234fb5d3ea093047e0b290244659f9c08c9ebe
7f382cc5928a8adf09033a4412af83f103fe25384f7fb39343344432fc71f8c1
4ac078a48ff7d80ccbc37c526e395b51f900c8206afe29e27b2a84bd2cd84532
54c2f9f13b1dfcc142740e1839215c536f913a802681be17a38f47881057ebd9
392fd8412e2fb96a3a9c54cd0aa32cf6c3bea21432e1ee46690412580055c214
355dd2c151a8acc04968060f9a92ddfe6d35839b63cae0a5e4f275ed7b5af945
db43a9c81339b049a202446b1839d6bc2561f1e337de20848f3b3966bb121313
be5ea75b6b003e8d06764370ba6a89be22845dec6bcf25a6f2d50c2d478dd214
b4cbf684e8873e04a1ff54c62bdb9eb5782d1cea507edc3cef13ac280f049a2f
efc775c58c7eae3c979f2548bad92d3665733aad94ca3977562aad3c098d28c7
8c3df75077ed123924224935250b7ea35f29f38bee3f2e2fa40e3cbbd3d81a69
98ab9015ecdc96f72bf9002e753b766c1d5d2526e8b2b8a18899d1c91ad6e7b9
c331f95e895af34cdef56c25798f1e1fe8ab448af4267e2a26ac4e46290fc2dc
83027993477c55431189f73dfb877084df278ea4f14e8681b08550c699cc3f6e
28cae570f064be5296ab1494ac94ac33772fd78f411f1c73386795778e428ae9
5c3a1a44e8f69e87acc9b95aa6798fcecbc33dc8f11a96b89bea796236887f92
9824b822a689518c8db4e0c8ab997a7bd149c57618bdc7790d1dc121a2493a86
9f21f1f91edaa634509595d3a70956e4d6c140a00c8b3b4dc7941ad394185b6a
e3845082f1e4162bc8f91eadb13e63a07d7b985e7322144c0867f364157ea490
059f60cd43b55dc2cadcd89ea57b8b7c48ca2677e8dea439ac6a7d7b6d9593bb
SH256 hash:
c34dfbc328de247d25d670c3b7853f1dddd2ec2607d5dbb0480743b45a15ea64
MD5 hash:
85b87384830444e6ab86a4a692ce96cc
SHA1 hash:
0d7d4614cf31d27e68ebf48e76fb1d308cc08152
Link:
https://www.unpac.me/results/301d44b2-0af6-4957-8dd8-325b8a3e4ebf/
SH256 hash:
a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db
MD5 hash:
21d1df1da2e98a9ab9268712b8448e84
SHA1 hash:
37c3233503068ba139bddcd9569ebaa068265590
Detections:
SUSP_Imphash_Mar23_2
Create hunting rule
Link:
https://www.unpac.me/results/301d44b2-0af6-4957-8dd8-325b8a3e4ebf/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a6aecca7d8f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zgRAT

Executable exe a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/466343/

Comments