MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acd49294aa9aaf8f0a8b057438a3783038822868c8eb98a4289bb7f4ec54268e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acd49294aa9aaf8f0a8b057438a3783038822868c8eb98a4289bb7f4ec54268e
SHA3-384 hash: 379a4bfcfab8b63657f0f5e7fb1d30061c6a1b6c3802319a7f1db2b9b394da499d4eb6f1cc5ebf14a4e46ea08b29d1f0
SHA1 hash: 69fa96f58fa91819603bd332d5bbbc5231ace6ba
MD5 hash: 7aef8db3a5b16340e6f7a5d543d174d6
humanhash: jupiter-cat-uncle-timing
File name:7aef8db3a5b16340e6f7a5d543d174d6
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'049'088 bytes
First seen:2023-12-05 16:29:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:nlWsmh5s+QJJRbd9t2FMKZRAHjXJeZLqd9:nnmhdQRjKZRyj5f9
Threatray 978 similar samples on MalwareBazaar
TLSH T1DD25F11FB78685B0C1981737C5E61B9C17B2FB92B6A3D71E748B27DA08437F5AE00186
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 exe zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
d0c59443e41e1160209139841fa39c9f
Verdict:
Malicious activity
Analysis date:
2023-12-05 10:05:01 UTC
Tags:
socks5systemz loader smoke smokeloader opendir risepro stealer evasion miner
Link:
https://app.any.run/tasks/c4976a1c-fc6a-424e-ae94-69656760f5d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462666/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Win.Trojan.Generic-10014419-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/656f500eeba1080314857714/reports/30276ac1-2109-4f24-8671-8f8973f2803e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/acd49294aa9aaf8f0a8b057438a3783038822868c8eb98a4289bb7f4ec54268e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a0fa63b7-f5f1-4065-a333-0d5f187a3bac
Result
Threat name:
Amadey, Xmrig, zgRAT
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1354067
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Found malware configuration
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1354067 Sample: 7t2n8N2UNW.exe Startdate: 05/12/2023 Architecture: WINDOWS Score: 100 116 yeahweliftbro.cz 2->116 118 107.143.13.0.in-addr.arpa 2->118 120 3 other IPs or domains 2->120 138 Found malware configuration 2->138 140 Malicious sample detected (through community Yara rule) 2->140 142 Antivirus detection for dropped file 2->142 144 17 other signatures 2->144 11 wcnpyu.exe 2->11         started        15 TypeId.exe 2->15         started        17 ContextProperties.exe 3 2->17         started        19 6 other processes 2->19 signatures3 process4 file5 106 C:\Users\user\AppData\Local\...\Utsysc.exe, PE32 11->106 dropped 196 Antivirus detection for dropped file 11->196 198 Multi AV Scanner detection for dropped file 11->198 200 Machine Learning detection for dropped file 11->200 202 Contains functionality to inject code into remote processes 11->202 21 Utsysc.exe 11->21         started        26 conhost.exe 11->26         started        204 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->204 206 Modifies the context of a thread in another process (thread injection) 15->206 208 Injects a PE file into a foreign processes 15->208 28 TypeId.exe 15->28         started        210 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->210 212 Uses schtasks.exe or at.exe to add and modify task schedules 17->212 30 ContextProperties.exe 2 17->30         started        108 C:\Users\user\AppData\Roaming\Vikgwkax.exe, PE32+ 19->108 dropped 214 Creates multiple autostart registry keys 19->214 216 Tries to harvest and steal WLAN passwords 19->216 218 Sample uses process hollowing technique 19->218 32 vvwrmat.exe 19->32         started        34 yrwnwoks.exe 19->34         started        36 7t2n8N2UNW.exe 6 19->36         started        38 2 other processes 19->38 signatures6 process7 dnsIp8 122 185.196.8.195, 49724, 49725, 80 SIMPLECARRER2IT Switzerland 21->122 124 brodoyouevenlift.co.za 89.191.234.91, 49726, 80 MIRHOSTINGRU Russian Federation 21->124 92 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 21->92 dropped 94 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 21->94 dropped 96 C:\Users\user\AppData\Roaming\...\base98.exe, PE32 21->96 dropped 104 10 other malicious files 21->104 dropped 164 Antivirus detection for dropped file 21->164 166 Multi AV Scanner detection for dropped file 21->166 168 Creates an undocumented autostart registry key 21->168 180 3 other signatures 21->180 40 rundll32.exe 21->40         started        42 Ygmpogts.exe 21->42         started        45 rundll32.exe 21->45         started        51 7 other processes 21->51 170 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 28->170 172 Writes to foreign memory regions 28->172 174 Modifies the context of a thread in another process (thread injection) 28->174 47 RegAsm.exe 28->47         started        176 Sample uses process hollowing technique 30->176 178 Injects a PE file into a foreign processes 30->178 49 InstallUtil.exe 3 30->49         started        98 C:\Users\user\AppData\Roaming\...\TypeId.exe, PE32+ 32->98 dropped 126 connv2.proxies.tv 51.79.32.112 OVHFR Canada 34->126 128 ip.allproxy.io 104.21.58.128 CLOUDFLARENETUS United States 34->128 100 C:\Users\user\AppData\...\provisionshare.url, MS 34->100 dropped 102 C:\Users\user\...\ContextProperties.exe, PE32+ 36->102 dropped file9 signatures10 process11 signatures12 53 rundll32.exe 40->53         started        182 Multi AV Scanner detection for dropped file 42->182 184 Machine Learning detection for dropped file 42->184 56 Ygmpogts.exe 42->56         started        58 rundll32.exe 45->58         started        186 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 47->186 188 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 47->188 190 Modifies the context of a thread in another process (thread injection) 47->190 60 RegAsm.exe 47->60         started        192 Injects a PE file into a foreign processes 49->192 63 InstallUtil.exe 15 5 49->63         started        194 System process connects to network (likely due to code injection or exploit) 51->194 66 rundll32.exe 51->66         started        68 conhost.exe 51->68         started        70 WerFault.exe 51->70         started        process13 dnsIp14 146 Tries to steal Instant Messenger accounts or passwords 53->146 148 Tries to harvest and steal ftp login credentials 53->148 150 Tries to harvest and steal browser information (history, passwords, etc) 53->150 72 netsh.exe 53->72         started        152 Uses netsh to modify the Windows network and firewall settings 58->152 154 Tries to harvest and steal WLAN passwords 58->154 74 netsh.exe 58->74         started        76 tar.exe 58->76         started        130 185.17.0.22 SUPERSERVERSDATACENTERRU Russian Federation 60->130 132 185.196.8.248 SIMPLECARRER2IT Switzerland 60->132 156 Found strings related to Crypto-Mining 60->156 158 Writes to foreign memory regions 60->158 160 Modifies the context of a thread in another process (thread injection) 60->160 162 2 other signatures 60->162 134 91.92.242.251, 49710, 49714, 49722 THEZONEBG Bulgaria 63->134 136 80.85.241.193, 49709, 49712, 49713 MEDIAL-ASRU Russian Federation 63->136 110 C:\Users\user\AppData\Local\...\yrwnwoks.exe, PE32+ 63->110 dropped 112 C:\Users\user\AppData\Local\Temp\wcnpyu.exe, PE32 63->112 dropped 114 C:\Users\user\AppData\Local\...\vvwrmat.exe, PE32+ 63->114 dropped 78 netsh.exe 66->78         started        80 tar.exe 66->80         started        file15 signatures16 process17 process18 82 conhost.exe 72->82         started        84 conhost.exe 74->84         started        86 conhost.exe 76->86         started        88 conhost.exe 78->88         started        90 conhost.exe 80->90         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/acd49294aa9aaf8f0a8b057438a3783038822868c8eb98a4289bb7f4ec54268e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/acd49294aa9aaf8f0a8b057438a3783038822868c8eb98a4289bb7f4ec54268e/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-12-05 10:29:11 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vtkjfffktkxy6culav2dri3yga4iekdizdvzrjbito37j3cue2ha._file
Verdict:
malicious
Similar samples:
14ed823d0f5b4a6074fd3e70646505cda2918d403a6b2fd9e5b0705f933e5f08
zgRAT
189051c29319fac6a96fefc8158f9d27d61a55b668f3c8e3610a48617649518f
zgRAT
34e8f89b08f8eb1ed0a72f0cc584bcc816ed56338ec8164c9f303fb53bb89cf5
zgRAT
5037733d3123c797e4c67a9c4d6aa45d99486f45afb64bc52979c142defa23b3
zgRAT
8e684d3f9529b34396c708fafca492a2333d50222042c3a5f8b7fb0573c96251
zgRAT
ad7af6aca0ba3d2fe9adb3f391800420800c0f6aa00db064fc1292232a6d881e
zgRAT
f7aaa33843aaca2505b51dc4527be10bb9c3635394e5cfae9ad0910602cfbdc2
zgRAT
+ 968 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231205-tzsmpscc2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
acd49294aa9aaf8f0a8b057438a3783038822868c8eb98a4289bb7f4ec54268e
MD5 hash:
7aef8db3a5b16340e6f7a5d543d174d6
SHA1 hash:
69fa96f58fa91819603bd332d5bbbc5231ace6ba
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/779aa84f-d318-4441-a9b7-960da29c67a8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/acd49294aa9a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/acd49294aa9aaf8f0a8b057438a3783038822868c8eb98a4289bb7f4ec54268e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe acd49294aa9aaf8f0a8b057438a3783038822868c8eb98a4289bb7f4ec54268e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/462666/
  
URLhaus
https://urlhaus.abuse.ch/url/2737873/

Comments


Avatar
zbet commented on 2023-12-05 16:29:19 UTC

url : hxxp://91.92.242.251/Omnknufm.exe