MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c230cf0d3c075b686aa8935996fc01b7012d1751d03fd760542318537a4f6177. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	c230cf0d3c075b686aa8935996fc01b7012d1751d03fd760542318537a4f6177
SHA3-384 hash:	078473c514a65854f81b17f59643795afd38909dd0c83f37c2a67a14d267ce269597e0eab72d9424ec43aee63b98a16c
SHA1 hash:	27c8ebb103b2836d1d190becbaab6d6717f1e09e
MD5 hash:	ac481092ba6b334ba64482381726c022
humanhash:	east-steak-delta-carbon
File name:	12.exe
Download:	download sample
Signature	zgRAT Create hunting rule
File size:	1'538'088 bytes
First seen:	2024-01-28 02:25:41 UTC
Last seen:	2024-01-28 04:30:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d2645bbc353c1453eda8dde166a0cc4d (1 x AZORult, 1 x zgRAT)
ssdeep	24576:ausGRdrEAbm4zesGRdrEAbm4zf+dNzlg7+EZnBkzF7RDb9DBAb030++slpDB3vCv:aubdYAm4zebdYAm4zf+3C7+EZ+9b9t+d
TLSH	T13065E0C23B9DC621F63DDE30BB9592A04A6ABD1AA901173F354633C32EB6D078DD5217
TrID	28.5% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 13.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.2% (.EXE) Win32 Executable (generic) (4505/5/1) 5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	1ZRR4H
Tags:	exe zgRAT

Intelligence

File Origin

# of uploads :

# of downloads :

302

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/473222/

Detection(s):

SecuriteInfo.com.Win32.InjectorX-gen.22559.21528.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug hacktool overlay packed

Link:

https://www.filescan.io/uploads/65b5bb3b16a447dc38ff09a0/reports/677c15f0-995e-429d-b89b-3e932878b11a/overview

Verdict:

Malicious

Labled as:

Trojan.VB.Generic

Link:

https://www.hybrid-analysis.com/sample/c230cf0d3c075b686aa8935996fc01b7012d1751d03fd760542318537a4f6177

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ab2344de-f8e3-4383-bded-5ab5e949ce9c

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1382200

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Hides threads from debuggers

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c230cf0d3c075b686aa8935996fc01b7012d1751d03fd760542318537a4f6177

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c230cf0d3c075b686aa8935996fc01b7012d1751d03fd760542318537a4f6177/

Threat name:

Win32.Trojan.InjectorX

Status:

Malicious

First seen:

2024-01-18 17:30:45 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yiym6dj4a5nwq2visnmzn7abw4as2f2r2a75oycuemmfg6spmf3q._file

Verdict:

malicious

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:zgrat rat

Link:

https://tria.ge/reports/240128-cwvjfshda9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Detect ZGRat V1

ZGRat

Unpacked files

SH256 hash:

08a2face0c42b001772523ec0a2ab6ade1af8ba31af42327d6c5e9494f9ff75a

MD5 hash:

5b28c49d5866de6a4964c42809306d0d

SHA1 hash:

fd7bcad964a4c45d7eccf49e9fccbd048f189588

Link:

https://www.unpac.me/results/aff3b99c-930d-448f-861c-0e0ee48dce13/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/aff3b99c-930d-448f-861c-0e0ee48dce13/

SH256 hash:

bff3a948b87ee44fce97c72d58b8a3c173e4285b83dfece7356d7a642e31d3f0

MD5 hash:

fd37290529b0f1501adb555c8dea2679

SHA1 hash:

166b208bab7baec46cdb6001dc275a65b5d326b3

Link:

https://www.unpac.me/results/aff3b99c-930d-448f-861c-0e0ee48dce13/

SH256 hash:

7a04ca7737f027e4fca8449539f24db475761eecb8ff7aab67df502ac917c3e8

MD5 hash:

6155afd836789168c30f08f90a06d889

SHA1 hash:

77cfe41fc1f3a2f4cf195cc321b36bdcbef97356

Link:

https://www.unpac.me/results/aff3b99c-930d-448f-861c-0e0ee48dce13/

SH256 hash:

c230cf0d3c075b686aa8935996fc01b7012d1751d03fd760542318537a4f6177

MD5 hash:

ac481092ba6b334ba64482381726c022

SHA1 hash:

27c8ebb103b2836d1d190becbaab6d6717f1e09e

Link:

https://www.unpac.me/results/aff3b99c-930d-448f-861c-0e0ee48dce13/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c230cf0d3c07/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c230cf0d3c075b686aa8935996fc01b7012d1751d03fd760542318537a4f6177

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/473222/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample