MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 becc5a80b6ddf5cce6701ee367b76b2aeff842c1209942891cacde5305b52f4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: becc5a80b6ddf5cce6701ee367b76b2aeff842c1209942891cacde5305b52f4b
SHA3-384 hash: d3f1e5a26da3a3455aba1f4c6765222c30a2d6d91f56bace26fd11aee848fd0ded24fe50ea4f76d9520ddf74da570452
SHA1 hash: 8e8b8127c602b48b1101c6f05c376c286d987792
MD5 hash: 5826e69f394b48f822644136a031cd05
humanhash: wyoming-wyoming-undress-utah
File name:SecuriteInfo.com.Variant.Ser.MSILHeracles.1709.24891.31417
Download: download sample
Signature zgRAT
Create hunting rule
File size:2'715'648 bytes
First seen:2023-04-23 08:31:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:iiL/QLctLmq4ncCbxiWCqDQhvqyaeXG6C:
Threatray 2'145 similar samples on MalwareBazaar
TLSH T153C5F0330587BEDD53F76988D88B22440ECDA8BB2368D3957CCF159B61A9564ED83CB0
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Ser.MSILHeracles.1709.24891.31417
Verdict:
Malicious activity
Analysis date:
2023-04-23 08:32:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ba37afa0-9d4a-454e-8ab4-b02cd9bca755

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Ser.MSILHeracles.1709.24891.31417.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6444ed045ff821708a43bc27/reports/f6a94f89-64f4-4297-9d9b-b772e4cf6738/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/becc5a80b6ddf5cce6701ee367b76b2aeff842c1209942891cacde5305b52f4b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d5d30bf5-0eef-4b5b-ba1b-e74fb61cab17
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1219353
Signature
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 852299 Sample: SecuriteInfo.com.Variant.Se... Startdate: 23/04/2023 Architecture: WINDOWS Score: 92 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected zgRAT 2->42 44 Machine Learning detection for sample 2->44 7 SecuriteInfo.com.Variant.Ser.MSILHeracles.1709.24891.31417.exe 1 5 2->7         started        11 Qlsyh.exe 1 2->11         started        13 Qlsyh.exe 1 2->13         started        process3 file4 30 C:\Users\user\AppData\Roaming\...\Qlsyh.exe, PE32+ 7->30 dropped 32 C:\Users\user\...\Qlsyh.exe:Zone.Identifier, ASCII 7->32 dropped 34 SecuriteInfo.com.V...24891.31417.exe.log, ASCII 7->34 dropped 46 Encrypted powershell cmdline option found 7->46 48 Modifies the context of a thread in another process (thread injection) 7->48 50 Injects a PE file into a foreign processes 7->50 15 SecuriteInfo.com.Variant.Ser.MSILHeracles.1709.24891.31417.exe 2 7->15         started        18 powershell.exe 16 7->18         started        52 Multi AV Scanner detection for dropped file 11->52 54 Machine Learning detection for dropped file 11->54 20 powershell.exe 11->20         started        22 powershell.exe 13->22         started        signatures5 process6 dnsIp7 36 185.225.74.84, 7702 MAYAKBG Germany 15->36 24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        28 conhost.exe 22->28         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/becc5a80b6ddf5cce6701ee367b76b2aeff842c1209942891cacde5305b52f4b/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3gfvafw3x24zztqd3rwpn3lflx7qqwbecmufci4vtpfgbnvf5fq._file
Verdict:
malicious
Similar samples:
0cff8404e73906f3a4932e145bf57fae7a0e66a7d7952416161a5d9bb9752fd8
zgRAT
1ff771de93f1b7a1824949621e743f0207b199b96151fb288474a7e8a2435e1d
zgRAT
5c7ea36ba0644e026b9a8e6fbaaa4e88f8cc4be90f2ebe96ab041645c0b9bb51
zgRAT
65bea8ecbc22a05fe6cdd7108d9859e22de0a6796c7597ff299e4baf0dde04ad
zgRAT
6b0ef726a01c2f7b18ce4409dcce197cdbfeba8ac17948488a0a17c2c09c9aba
zgRAT
9cb4357e2a87559617f3adfcdcfe5dba5f02de53d9d7acd8cc5415bbab703e65
zgRAT
c7554a7609cf9428545460211a203ed575173798679198a502fe847bff3cc044
zgRAT
cfe0ce3795f3c45d3945d05c010f35e08e42036045e41aa3cf63cb1fb32d2ca6
zgRAT
d9b498faf01b9eb598761915a6fc2fb4f1ab2317d354348baca6794730fd15d3
zgRAT
+ 2'135 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230423-kfahcacc55/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
becc5a80b6ddf5cce6701ee367b76b2aeff842c1209942891cacde5305b52f4b
MD5 hash:
5826e69f394b48f822644136a031cd05
SHA1 hash:
8e8b8127c602b48b1101c6f05c376c286d987792
Link:
https://www.unpac.me/results/9de8c184-23f9-4897-aa01-8d0f36f39da7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/becc5a80b6ddf5cce6701ee367b76b2aeff842c1209942891cacde5305b52f4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_zgRAT
Create hunting rule
Author:ditekSHen
Description:Detects zgRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe becc5a80b6ddf5cce6701ee367b76b2aeff842c1209942891cacde5305b52f4b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2616143/
  
Delivery method
Distributed via web download

Comments