MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5
SHA3-384 hash:	4c260340f8ccfd03ed12fb85cdc0f7a3777817aa686017609b01392dc3328501e314cf441ce907151d08e50d3fdedf6e
SHA1 hash:	2d841cb1a6c9d66bdfb347677d1d9029185e1bfd
MD5 hash:	b27ee49508b9abb43081c81d0a62ca7a
humanhash:	gee-summer-nevada-king
File name:	file
Download:	download sample
Signature	zgRAT Create hunting rule
File size:	2'216'960 bytes
First seen:	2023-10-16 12:01:44 UTC
Last seen:	2023-10-17 09:24:51 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:/L4Z2GZS1jIsY2RJfNgxOKYbPKwvKTC2xYdz39CcuLagVXU:/KjS1jIwRfmJwvcC2f9agVk
Threatray	1 similar samples on MalwareBazaar
TLSH	T12DA5E65C7EC21C63EE8E02F8C35E4A089F61E45273A1D6EE2640D5DDB64D247A98DF83
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	exe zgRAT

andretavare5

Sample downloaded from http://lakuiksong.known.co.ke/netTimer.exe

Intelligence

File Origin

# of uploads :

# of downloads :

338

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/454856/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2228.13139.16470.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a file

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control lolbin packed

Link:

https://www.filescan.io/uploads/652d263b853e4f06480bf636/reports/ba60f1bf-6f37-49d9-baf9-149eed4857dc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/09214db2-a6b6-46f1-aba2-9d1bc5ab871f

Score:

89%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-10-16 12:02:05 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v5rm2stpiaxbspbkn3dpimqoubhkwxvyi6reqnadfobfvmbyv6sq._file

Verdict:

unknown

zgRAT

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:zgrat rat

Link:

https://tria.ge/reports/231016-n7fefseb4w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

.NET Reactor proctector

ZGRat

Detect ZGRat V1

Unpacked files

SH256 hash:

af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5

MD5 hash:

b27ee49508b9abb43081c81d0a62ca7a

SHA1 hash:

2d841cb1a6c9d66bdfb347677d1d9029185e1bfd

Link:

https://www.unpac.me/results/9009710e-3858-41c5-b106-b76595e85db2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_DotNetReactor Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with unregistered version of .NET Reactor

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Author:	qux
Description:	Detects exe does not have import table

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2718410/

Cape

https://www.capesandbox.com/analysis/454856/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample