MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1bd141a8c2a27b5c7318229556282a4259a9caba1b3768ec58a83dc2d7afdca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1bd141a8c2a27b5c7318229556282a4259a9caba1b3768ec58a83dc2d7afdca
SHA3-384 hash: 4b7d830067e7a4e01c02c869c7fe23de15958c7d4e5b739b48d12cd0833ee627b3eb460cc5afd18a6ac5bf31e45eefa8
SHA1 hash: a38cd558106de33fad4e132021d350273e6b4639
MD5 hash: e533f71c253551d1be4ad5ffd52fb793
humanhash: fish-four-illinois-kentucky
File name:e533f71c253551d1be4ad5ffd52fb793
Download: download sample
Signature zgRAT
Create hunting rule
File size:5'509'120 bytes
First seen:2023-11-03 23:33:16 UTC
Last seen:2023-11-04 01:15:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:Vi9vWWTILsbKEAYwwg3zhFCvjrIGn6kfL9b2mGz+PkUQXxIhdFuPK0zWRNaHw:VIvWWTIpkwVj3Cv4BypbBGuzZAWR+
Threatray 3'527 similar samples on MalwareBazaar
TLSH T143463309D40D51A3F2912B74D46EE7B729AA4E508EEA0C2BB9E1BDBB313D51739317C0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f08e9686dad89ac4 (5 x zgRAT, 4 x PureLogsStealer, 3 x Amadey)
Reporter zbetcheckin
Tags:32 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
342
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e533f71c253551d1be4ad5ffd52fb793
Verdict:
Suspicious activity
Analysis date:
2023-11-04 01:49:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4da4facc-1af0-4949-a1a6-c8eaa073d7c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.22411.29416.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating a file in the %AppData% subdirectories
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6545836b641154c7e3ea1f7e/reports/7ff2d745-0ab8-4ac8-a0de-229c5dfda4f0/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c1bd141a8c2a27b5c7318229556282a4259a9caba1b3768ec58a83dc2d7afdca
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/26dd4502-1eac-42e0-a7d4-b691c9a40d5a
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1336951
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c1bd141a8c2a27b5c7318229556282a4259a9caba1b3768ec58a83dc2d7afdca
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1bd141a8c2a27b5c7318229556282a4259a9caba1b3768ec58a83dc2d7afdca/
Threat name:
Win32.Trojan.ScarletFlash
Create hunting rule
Status:
Malicious
First seen:
2023-11-01 06:41:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yg6rigumfit3lrzrqiuvkyucuqszvhflugzxndwfrkb5yll27xfa._file
Verdict:
malicious
Similar samples:
00f99e2925f2ac3ca02397be84c75bba0ef0ec7d7094273f6e5a4f280114e2f5
zgRAT
22224f65c07515b2f61e29f7f1a14005d0de54378aa925d9e017bb2ac26b5395
zgRAT
4239478f1ff05d0014ba2492e155e733b661473d7299cbf98eb8f81bbf6e719a
zgRAT
599b057032b8e99d9d2a303864311b3f715c2c0a94634a39d4ea1c7141e2a90e
zgRAT
74622dee4841085cd64da27da09c697236e5846915736d7d43200874927b6bc8
zgRAT
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
zgRAT
c1bd141a8c2a27b5c7318229556282a4259a9caba1b3768ec58a83dc2d7afdca
zgRAT
cfa592b0128bc126fbf3fb66c551a8d87223b196f5e0cd87e60b88bdc688c6e0
zgRAT
f76c7d8841a467f13ab5d2c39b56d297a2fa94867973c201d40f877355849092
zgRAT
fc0b9d2a311a40467281c79ec0822d2fce7a156a9970fc98eb57fd55c71764e6
zgRAT
+ 3'517 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/231103-3kea7sbb4y/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
5d8fef08f52cc3604b8ee94e239c9049a9c9a5bd84c813b20400bf89cf2a8cd0
MD5 hash:
fdaf42af3f320bc76f16a1fdcaabf296
SHA1 hash:
9d9a5789664e6a1e7a2e42c5f9c8a779abd34aec
Link:
https://www.unpac.me/results/278b28d3-5d4d-439d-b85e-9e5d398518b9/
SH256 hash:
dcaa189c418f7f94f87d0bbcd54191b9b76c3f77d0c4c51cee30a442261f2ecd
MD5 hash:
0495d054901d5007036bd46e7be84784
SHA1 hash:
8a04418f2d1a87d485af971ffaca7b5c7d187402
Link:
https://www.unpac.me/results/278b28d3-5d4d-439d-b85e-9e5d398518b9/
SH256 hash:
927f3954b0d05606cc96471d9f2668435c6a93c4862a3ceef5273ee2e6970d52
MD5 hash:
56ed2e7063498f952f9dfa65f380edc1
SHA1 hash:
2985b9fcc8be4069ea06fec84271eadd51c14c40
Link:
https://www.unpac.me/results/278b28d3-5d4d-439d-b85e-9e5d398518b9/
SH256 hash:
0ea2d6bc37f1f5d094dae0354b9fd511de1bd1835ac0c17d20b417a060680cc8
MD5 hash:
801ac59ac060a80c050ab8d1725efb1c
SHA1 hash:
f6d50f4858a06a95d1a462cbcf500f51c9b340a5
Link:
https://www.unpac.me/results/278b28d3-5d4d-439d-b85e-9e5d398518b9/
SH256 hash:
f9e2d2d37154f8744c79e258e3e79533eac840b5acb8ed98dcd4174cb488de65
MD5 hash:
3d1d89cb18045c381caab52dc9faa85f
SHA1 hash:
4f7dc50e5fc86ab5af55d22bd7f6853ae744a728
Link:
https://www.unpac.me/results/278b28d3-5d4d-439d-b85e-9e5d398518b9/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/278b28d3-5d4d-439d-b85e-9e5d398518b9/
SH256 hash:
d945a4715b9b7ad56a9a04362c0a141e7f121769835e59019d63b0e15a960b20
MD5 hash:
2b903c1dca29e587bb8e24546ae89c0f
SHA1 hash:
4263931a5d6881bfe58c74c6aa68f28da2d9a561
Link:
https://www.unpac.me/results/278b28d3-5d4d-439d-b85e-9e5d398518b9/
SH256 hash:
c1bd141a8c2a27b5c7318229556282a4259a9caba1b3768ec58a83dc2d7afdca
MD5 hash:
e533f71c253551d1be4ad5ffd52fb793
SHA1 hash:
a38cd558106de33fad4e132021d350273e6b4639
Link:
https://www.unpac.me/results/278b28d3-5d4d-439d-b85e-9e5d398518b9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1bd141a8c2a27b5c7318229556282a4259a9caba1b3768ec58a83dc2d7afdca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe c1bd141a8c2a27b5c7318229556282a4259a9caba1b3768ec58a83dc2d7afdca

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2727705/

Comments


Avatar
zbet commented on 2023-11-03 23:33:17 UTC

url : hxxp://77.91.70.80/Wpqcpff.exe