MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0
SHA3-384 hash: 90260f76f94b84011280b8b99f0c489befe383e804274b241c107fc5c092de67210f91f461cdf9a50a717e0b6052ac54
SHA1 hash: 33c2acd6765077407a0a0721fc0407e349386841
MD5 hash: 3f6c38e49e932143b2c9137ff5c61b46
humanhash: salami-indigo-nine-monkey
File name:3f6c38e49e932143b2c9137ff5c61b46
Download: download sample
Signature zgRAT
Create hunting rule
File size:2'981'888 bytes
First seen:2024-03-21 04:16:31 UTC
Last seen:2024-03-21 06:39:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:4wg7E2jV4UiiLXOkNdtnLBl3khOtcubBiqrx7ULfzFsuqGXo3FqRQptrheTICNAt:Fg7NqIrOkPLl0tubnJofZ2OoVqRDUCat
Threatray 359 similar samples on MalwareBazaar
TLSH T1F3D5335AD786657EC72A9BF37023A0549072D5CF3B1AEF9DAF9814EB0E06B05492070F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
331
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0.exe
Verdict:
Malicious activity
Analysis date:
2024-03-21 04:17:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f1085da9-73df-4eea-8644-8157e070f951

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.21028.30666.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Restart of the analyzed sample
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the Windows subdirectories
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Launching a process
Creating a file in the system32 subdirectories
Forced system process termination
Moving a file to the Program Files subdirectory
Replacing files
Searching for synchronization primitives
Creating a window
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65fbb4c2fc3fe20efe6abfe8/reports/d73dc0a4-a6fe-4584-84eb-482589b871d2/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bbf89457-dd40-4758-aef5-c5bb7753c95f
Result
Threat name:
PureLog Stealer, Quasar, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1412870
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected Quasar RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1412870 Sample: wwQAQhTxCK.exe Startdate: 21/03/2024 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 Antivirus detection for dropped file 2->48 50 19 other signatures 2->50 8 powershell.exe 2 15 2->8         started        11 wwQAQhTxCK.exe 2 7 2->11         started        process3 file4 62 Writes to foreign memory regions 8->62 64 Modifies the context of a thread in another process (thread injection) 8->64 66 Found suspicious powershell code related to unpacking or dynamic code loading 8->66 68 Injects a PE file into a foreign processes 8->68 14 dllhost.exe 1 8->14         started        17 conhost.exe 8->17         started        40 C:\Users\user\AppData\Roaming\$77sys32.exe, PE32 11->40 dropped 42 C:\Users\user\AppData\...\$77a7dd5a44885b, PE32 11->42 dropped 70 Creates autostart registry keys with suspicious names 11->70 72 Contains functionality to inject code into remote processes 11->72 74 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->74 76 Allocates memory in foreign processes 11->76 19 $77a7dd5a44885b 11->19         started        21 wwQAQhTxCK.exe 1 11->21         started        signatures5 process6 signatures7 78 Injects code into the Windows Explorer (explorer.exe) 14->78 80 Writes to foreign memory regions 14->80 82 Creates a thread in another existing process (thread injection) 14->82 90 2 other signatures 14->90 23 lsass.exe 14->23 injected 26 winlogon.exe 14->26 injected 28 dwm.exe 14->28 injected 32 23 other processes 14->32 84 Antivirus detection for dropped file 19->84 86 Multi AV Scanner detection for dropped file 19->86 88 Machine Learning detection for dropped file 19->88 30 WerFault.exe 4 19->30         started        process8 signatures9 60 Writes to foreign memory regions 23->60 34 $77sys32.exe 5 23->34         started        process10 file11 38 C:\Users\user\AppData\...\$77fbe706cf3f27, PE32 34->38 dropped 52 Antivirus detection for dropped file 34->52 54 Multi AV Scanner detection for dropped file 34->54 56 Machine Learning detection for dropped file 34->56 58 3 other signatures 34->58 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0/
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2024-03-20 03:40:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xvdeyeenearjpftcwuk4jfg2xl37kkgddmw2hz25qo5cifywadia._file
Verdict:
malicious
Similar samples:
29f5a8629986da0b4a353e5423fb39c505cba7c06e7aa4b5a4029c5a1669ae95
zgRAT
5edf686e646728c40a9107c1fabd527e5c6c2bf1ac6ec7326fe77fcb19e35ab7
zgRAT
7ecf055419ccb76a13fa53d8f5c5888ea369271ceaad4263f952da6d265c4c41
zgRAT
9df4aaa956d54f55f1bb038f3e8f086169983e094ef8432cd71df928a888a2d0
zgRAT
a9f1b1f099d72e3d3bb950a335b612a7e2d551e38bc8d72a9d3035453b3760ed
zgRAT
dbbe21f14ca93d658be3606974e289edf4b205b22d967324c49cba1950f29b9e
zgRAT
+ 349 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat persistence rat
Link:
https://tria.ge/reports/240321-ewdbaach3z/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Unpacked files
SH256 hash:
b2f12e4849cacde7798a1eb2bf2f17faa89c17ecfe075e75224a6011e9d27300
MD5 hash:
801b8443c9130abc63d641fc35f49020
SHA1 hash:
ec2b7bd7f309287d96f5b2d69002469168507f34
Detections:
Vermin_Keylogger_Jan18_1
Create hunting rule
MALWARE_Win_zgRAT
Create hunting rule
xRAT_1
Create hunting rule
Link:
https://www.unpac.me/results/873f7b03-a531-47ee-9e7e-94d8a606cc5e/
SH256 hash:
8ec69de0cf717eb8afa364094ad98df87ff8447abfae92df2f6173b6646f0d6d
MD5 hash:
62cdcd3c351c35361912eee5b6054b5a
SHA1 hash:
c73e04368adfc6aca77b4e9664da274dc1a45f37
Link:
https://www.unpac.me/results/873f7b03-a531-47ee-9e7e-94d8a606cc5e/
SH256 hash:
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
MD5 hash:
152e3f07bbaf88fb8b097ba05a60df6e
SHA1 hash:
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
Link:
https://www.unpac.me/results/873f7b03-a531-47ee-9e7e-94d8a606cc5e/
SH256 hash:
4fe8bbdb5141c1be3c1e4960d1ba2aa49c0a3aa9b6e1316fccbe6f7bff7831ae
MD5 hash:
d9ea0a60267fdc954275906dadb48b80
SHA1 hash:
a4db8b34991d63cfcc4147cfe6538f840464091f
Link:
https://www.unpac.me/results/873f7b03-a531-47ee-9e7e-94d8a606cc5e/
SH256 hash:
d27d461900e34d73387a9495bc92c03892635322ce698ef1be96e9b45ad17679
MD5 hash:
bd2429315bd99ddfa3a03a250c55a4ad
SHA1 hash:
6129cdae273c963ca9d4d5a15b0bd72880bf35d2
Link:
https://www.unpac.me/results/873f7b03-a531-47ee-9e7e-94d8a606cc5e/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/873f7b03-a531-47ee-9e7e-94d8a606cc5e/
SH256 hash:
aa3551c643c0803f1c9750e982e802d1998dfbcfa2289266d3a1410b776c82a1
MD5 hash:
6f799bfc59496b6875bda399ec8af754
SHA1 hash:
426b55d2af1bad580c3381d38800deb2778ef682
Link:
https://www.unpac.me/results/873f7b03-a531-47ee-9e7e-94d8a606cc5e/
SH256 hash:
bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0
MD5 hash:
3f6c38e49e932143b2c9137ff5c61b46
SHA1 hash:
33c2acd6765077407a0a0721fc0407e349386841
Link:
https://www.unpac.me/results/873f7b03-a531-47ee-9e7e-94d8a606cc5e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd464c108d20/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe bd464c108d2022979662b515c494dabaf7f528c31b2da3e75d83ba24171600d0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2788190/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-03-21 04:16:32 UTC

url : hxxp://193.233.132.167/lend/Dolzkqnsbh.exe