MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad7af6aca0ba3d2fe9adb3f391800420800c0f6aa00db064fc1292232a6d881e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad7af6aca0ba3d2fe9adb3f391800420800c0f6aa00db064fc1292232a6d881e
SHA3-384 hash: 7226774c5080f55e69916e76bf8252fa427e97deb674ee3557b3874971f42ed266450c6012d29546f99dd412928b5e86
SHA1 hash: eefadc4b8a8a720aa27d42b0dad8a1912c9fdb62
MD5 hash: 6274ee7c346dede5e1c350da912f7784
humanhash: maryland-delaware-mockingbird-missouri
File name:6274ee7c346dede5e1c350da912f7784.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:2'264'064 bytes
First seen:2023-11-12 16:03:46 UTC
Last seen:2023-11-12 17:26:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:cOhe+/SQh2fG22rrvNb/0Efm6kAyr7sA4WQbNyqRB7:grfqrrvNblfSAyr7b4
Threatray 2'077 similar samples on MalwareBazaar
TLSH T1A2A5F153A798D327D6BE0B7EB1910509A7B0C14A7247A76B2580B3F4BCC73246D8E17E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
333
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.10272.24449.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Restart of the analyzed sample
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6550f773946b6ab2245fcf93/reports/75dcd362-50c2-4058-bf60-be29c6f0da8d/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/ad7af6aca0ba3d2fe9adb3f391800420800c0f6aa00db064fc1292232a6d881e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90eba836-5e52-4ec8-8890-4c5dda5ac7ee
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1341373
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1341373 Sample: pdMmg5rksj.exe Startdate: 12/11/2023 Architecture: WINDOWS Score: 100 52 windowsupdatebg.s.llnwi.net 2->52 54 nickshort.ug 2->54 56 3 other IPs or domains 2->56 62 Multi AV Scanner detection for domain / URL 2->62 64 Antivirus detection for URL or domain 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 8 other signatures 2->68 9 pdMmg5rksj.exe 5 2->9         started        13 IsNull.exe 3 2->13         started        15 powershell.exe 23 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 50 C:\Users\user\AppData\...\BLUfjyghcmz.exe, PE32 9->50 dropped 86 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->86 88 Injects a PE file into a foreign processes 9->88 19 BLUfjyghcmz.exe 3 9->19         started        22 pdMmg5rksj.exe 1 9->22         started        90 Multi AV Scanner detection for dropped file 13->90 92 Machine Learning detection for dropped file 13->92 94 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->94 24 IsNull.exe 13->24         started        96 Potential dropper URLs found in powershell memory 15->96 26 conhost.exe 15->26         started        28 conhost.exe 17->28         started        30 IsNull.exe 17->30         started        signatures6 process7 signatures8 70 Multi AV Scanner detection for dropped file 19->70 72 Machine Learning detection for dropped file 19->72 74 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->74 32 BLUfjyghcmz.exe 5 19->32         started        35 BLUfjyghcmz.exe 19->35         started        37 BLUfjyghcmz.exe 19->37         started        39 dialer.exe 22->39         started        76 Writes to foreign memory regions 24->76 78 Injects a PE file into a foreign processes 24->78 43 MSBuild.exe 24->43         started        process9 dnsIp10 48 C:\Users\user\AppData\Local\...\IsNull.exe, PE32 32->48 dropped 58 fallout.top 146.255.188.137, 443, 49704, 49705 UNINET-ASSoprusepst145FI unknown 39->58 80 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 39->80 82 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 43->82 84 Injects a PE file into a foreign processes 43->84 45 MSBuild.exe 43->45         started        file11 signatures12 process13 dnsIp14 60 nickshort.ug 103.212.81.156, 49706, 49707, 49710 KANTIPUR-AS-APKantipurPublicationPvtLtdNP Bangladesh 45->60
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ad7af6aca0ba3d2fe9adb3f391800420800c0f6aa00db064fc1292232a6d881e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad7af6aca0ba3d2fe9adb3f391800420800c0f6aa00db064fc1292232a6d881e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-12 16:04:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 36 (63.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vv5pnlfaxi6s72nnwpzzdaaeecaayd3kuag3azh4ckjcgktnrapa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
34e8f89b08f8eb1ed0a72f0cc584bcc816ed56338ec8164c9f303fb53bb89cf5
zgRAT
410c8bc5b17fb67b7c217494b71ba13063fa592114388ae31cb9ec1d006f30a5
zgRAT
795e333056f12db05a5c212318e3f1e3d915a8e7f88737fc34321465a6c1bfad
zgRAT
87e8d20c870fe87533ab89f6cdbaeaab2efc2151884cda3d3a3f72080765055d
zgRAT
8868ea6af3214fc758c93c1cb909231a76e22e718a4917aae5f2a60cf12af094
zgRAT
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
zgRAT
a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564
zgRAT
+ 2'067 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231112-thxkbsgg3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
10424ac140ee856a94df519f91f5db7dacdb5214e6bd0d47bd50ae2a73262c37
MD5 hash:
cca73029d483f42e8097ffada28e9220
SHA1 hash:
bc370604a0db66446f68e5900635a888a9e076c2
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
9f5c8bce4cf91c8aef196624bbc8a91204f96e8691c086b7cb5e4d8598d47a09
MD5 hash:
9680a67e378e2af46b3e01c82ed74256
SHA1 hash:
729f9d33ad38a465ceb6591e3ca3d43e83218e49
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
41f9e7dff76ca5e55e5a8b340e113c03d4e653c8dfa8978eab746ac189b5b1e9
MD5 hash:
602c7c4c2542e4ccee2b1dcbddce3830
SHA1 hash:
5d46f7e27661b6e9e66b91d70779ea6cc4093575
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
f26e98ec0fd4c3f15bcd0b5917d34be8cf0bb4e7e6ef718a80fc1f596e9bd155
MD5 hash:
040257be7287f40c4cea7b0bcd340d17
SHA1 hash:
ffa40c6c2bf94a03effff730474837db143e9193
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
417988fc75f97bd526a7240a18cb14a83b679f1311d281fb1fc2790a5928dbe5
MD5 hash:
aae9c582158074669a00ec55f09d2acd
SHA1 hash:
af5be05d2e3ce4ea28fa84ed5295346d0d1532e1
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
4ceac3f94ed944c79fbf8f4c1b3ebfce0009a37a31bc0634dab61a07673475c7
MD5 hash:
15c6a71c596c73361de807bd73b198fc
SHA1 hash:
9f0f0431c0f53851699e1c7b6c2cd39fbe7e9d8a
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
7460de6818f63a32e6a115107407452ae70ff93875b66cb770a0f113a79462ce
MD5 hash:
d1c0d897b5e89f97a1bfad67ab7d2f62
SHA1 hash:
3b302255a8f6f16cf83d474c6ae111bd5f959eae
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
bfc355be366fc5ba2908305c4000bdcfe1deb31109a12d4079d038c129b368d5
MD5 hash:
a36d1b5564035b18743174cfd7bba2b4
SHA1 hash:
09dbc8f32891c9bd5fe550eb2b7a53528076ead8
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
ebe13f0a86a1883731d1d18218d5d335726f3ea209ebebb24cd34d52ce9b9853
MD5 hash:
c56ef6c1cbe7f32978ed5e94cbf86d81
SHA1 hash:
8fd5f3c558c83edebb3f76fe4fafdd1b2511fb99
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
c2f35f03505a959645c0b9e8617be94053cb3c2552af0f209f02578d0d7775e0
MD5 hash:
2bc73429a365d2573afdcd697ea0758b
SHA1 hash:
72dcb6a58af3a88a69357e9a1e01b3fe73c42192
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
a6e3dbaccc49a3a64a23f90911e44521ee4936abd21777c4a641ac3b3b51cea6
MD5 hash:
aaf01bba89f37c6c1e1ab6b1e015ed2d
SHA1 hash:
66316beca4c25bdaee5aa1954d72489eeb5e1ecd
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
SH256 hash:
ad7af6aca0ba3d2fe9adb3f391800420800c0f6aa00db064fc1292232a6d881e
MD5 hash:
6274ee7c346dede5e1c350da912f7784
SHA1 hash:
eefadc4b8a8a720aa27d42b0dad8a1912c9fdb62
Link:
https://www.unpac.me/results/ff4b8cba-d968-40b7-990a-45df9d424a36/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ad7af6aca0ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad7af6aca0ba3d2fe9adb3f391800420800c0f6aa00db064fc1292232a6d881e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe ad7af6aca0ba3d2fe9adb3f391800420800c0f6aa00db064fc1292232a6d881e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2578024/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1514313/
  
URLhaus
https://urlhaus.abuse.ch/url/1514297/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
URLhaus
https://urlhaus.abuse.ch/url/2271066/
  
URLhaus
https://urlhaus.abuse.ch/url/2654454/
  
URLhaus
https://urlhaus.abuse.ch/url/2441296/
  
URLhaus
https://urlhaus.abuse.ch/url/2271067/
  
URLhaus
https://urlhaus.abuse.ch/url/1514098/
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
  
URLhaus
https://urlhaus.abuse.ch/url/1514315/
  
URLhaus
https://urlhaus.abuse.ch/url/2254177/
  
URLhaus
https://urlhaus.abuse.ch/url/2577943/

Comments