MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b89c262b14911c4480ed00b35a53500ecabb8f9df4169f2a84c3028f468cff48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Zegost


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b89c262b14911c4480ed00b35a53500ecabb8f9df4169f2a84c3028f468cff48
SHA3-384 hash: 44e8e47766eba7ecbcd9451dbe4a6dad047bdbf0a0558bb4159f8e566270479c09ffaa607f84a1a4e07f3c8409186a3f
SHA1 hash: c5c8d21405758d05c44f680b7c4d687581b3d494
MD5 hash: ac2f5a364cfacb088c2ef92e9a73c5ae
humanhash: white-michigan-don-quiet
File name:ac2f5a364cfacb088c2ef92e9a73c5ae.exe
Download: download sample
Signature Zegost
Create hunting rule
File size:131'072 bytes
First seen:2021-05-23 07:56:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eed9182d328e7e994d0c62e9280718d0 (1 x Zegost)
ssdeep 3072:0FrX5RaBaz+oA9IxnN8GeepiiepFv5DmiqyN+ZJNl/13Z:0XcBaz+oA9IxnN8veMdpRTAZbl/N
Threatray 3 similar samples on MalwareBazaar
TLSH B4D37B003F26A802C9F174F62BC79B72E00E55E3A7D98D41230F92525DE785C6F96EE9
Reporter abuse_ch
Tags:exe Zegost

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ac2f5a364cfacb088c2ef92e9a73c5ae.exe
Verdict:
No threats detected
Analysis date:
2021-05-23 07:58:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f74bdd8c-6852-4191-99b3-45d1979c32b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Zegost-9830719-0
Create hunting rule

Win.Trojan.Agent-1360368
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/789431
Signature
Antivirus / Scanner detection for submitted sample
Checks if browser processes are running
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b89c262b14911c4480ed00b35a53500ecabb8f9df4169f2a84c3028f468cff48/
Threat name:
Win32.Backdoor.Zegost
Create hunting rule
Status:
Malicious
First seen:
2021-04-03 07:53:00 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcocmkyuseoejahnaczvuu2qb3flxd456qlj6kueymbi6rum75ea._file
Verdict:
malicious
Similar samples:
3e8dd70c08a940466b486f393409fe74e3ec39c21ff60ddf6ffb1ee7a2511ed1
Zegost
79a72a4ecd40dc06db04c402f2c5881af3918bb42236922f5838f820acea64cf
Zegost
bea67778fa9a788b8137fb623d045d2b90011f806ddc38212d9f4d877ab8d49a
Zegost
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210523-jyrtm2rfds/
Behaviour
Suspicious behavior: EnumeratesProcesses
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farfli
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b89c262b14911c4480ed00b35a53500ecabb8f9df4169f2a84c3028f468cff48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_Mal1
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-23 08:00:36 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.004] Cryptography Micro-objective::3DES::Encrypt Data
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0026.002] Data Micro-objective::XOR::Encode Data