MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c35a61b25b49b161c30a7d7dfed70a1a89ae5de7366ef59490946bbd81133b22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c35a61b25b49b161c30a7d7dfed70a1a89ae5de7366ef59490946bbd81133b22
SHA3-384 hash: 046c58d3d49087db2f1a663de193d111a2b4f96cf11dcd89b7bb88d194b34b87a4f3786340030c6e4cee4041262fc2eb
SHA1 hash: 6fcbed73e5e03e8c59d8180d68e1585209e33c87
MD5 hash: 21d3bf9ea8df95aeb5827b0a94389c92
humanhash: mexico-virginia-one-happy
File name:nk696Ndw2kPFEvX.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'121'280 bytes
First seen:2022-10-02 11:37:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:/15jB6R2YqVMUbFfbh9Jj/oXVjzkRNW8mdHxW6:/3zYQxF6XBgm8kHA6
Threatray 19'892 similar samples on MalwareBazaar
TLSH T1E035F22B16EE5A07C168A9B880D1D2F6A3A9CC11E157C2C75FC79C0FF0C6BA497617D2
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter cocaman
Tags:exe INVOICE zgRAT


Avatar
cocaman
Malicious email (T1566.001)
From: "claudia.carpenter@spglobal.com" (likely spoofed)
Received: "from spglobal.com (unknown [45.137.22.243]) "
Date: "30 Sep 2022 06:42:18 +0200"
Subject: "Overdue invoices"
Attachment: "nk696Ndw2kPFEvX.exe"

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315737/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a file
Searching for synchronization primitives
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f3605c1-218d-43ef-8dac-4b5779dff914
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1081889
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c35a61b25b49b161c30a7d7dfed70a1a89ae5de7366ef59490946bbd81133b22/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-28 10:45:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynngdms3jgywdqykpv675vykdke24xphgzxplfeqsrv33aithmra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08db0f66ab8d81a0fcde9a0c032675458fb3b46d1599cc0a3d122de89dde5b82
zgRAT
1a318e3ff66252f891ce48482da2a97fe57c924474d6ef34708f6f2583126fe3
zgRAT
7161a182643b322144e31fe19128eb7fdcac2a19333120e05c128b17a71d30a5
zgRAT
720d90ad498171d943399e010d4aa16cc65f69bbff6f042d6b364813cfd168bb
zgRAT
7baa3f43e31940f5f7a338fbcc9f99411b1edaab57d77ef64cb5c2f5a122a4e0
zgRAT
+ 19'882 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/221002-nrp9qaeggj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops file in Drivers directory
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8237a6af-ab80-429b-94e7-3a63fbaba849
Unpacked files
SH256 hash:
ac4aa7c0f1be6d250812c12e9e93f3d9dd934fece206fe0d416edf9aabc5324d
MD5 hash:
287af1559cf883f929aadfb0799c3b60
SHA1 hash:
e8ae0c51f4b61c92d194b4449e1eaac5f0c486bb
Link:
https://www.unpac.me/results/8cf36729-60f4-41ae-9a2b-ae8a24a0cd50/
SH256 hash:
9001e95484d2abd0738bdff956830ef06b8051cc857254a02efc140a11d1b067
MD5 hash:
df4f33b54aac95014d1dbc124e346f1f
SHA1 hash:
d493e540aba36ec2ce25742481ff54f86bda183b
Link:
https://www.unpac.me/results/8cf36729-60f4-41ae-9a2b-ae8a24a0cd50/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/8cf36729-60f4-41ae-9a2b-ae8a24a0cd50/
SH256 hash:
2df5084a47b8c39fc1f6c9249d11b7f6075eef6f4da09e3cfe104ce032b1da57
MD5 hash:
bf3a605da6b58f818255de9faee378a6
SHA1 hash:
36fb7016da8525a66634cafb82ad3ae6120c5499
Link:
https://www.unpac.me/results/8cf36729-60f4-41ae-9a2b-ae8a24a0cd50/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/8cf36729-60f4-41ae-9a2b-ae8a24a0cd50/
SH256 hash:
c35a61b25b49b161c30a7d7dfed70a1a89ae5de7366ef59490946bbd81133b22
MD5 hash:
21d3bf9ea8df95aeb5827b0a94389c92
SHA1 hash:
6fcbed73e5e03e8c59d8180d68e1585209e33c87
Link:
https://www.unpac.me/results/8cf36729-60f4-41ae-9a2b-ae8a24a0cd50/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c35a61b25b49/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c35a61b25b49b161c30a7d7dfed70a1a89ae5de7366ef59490946bbd81133b22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zgRAT

Executable exe c35a61b25b49b161c30a7d7dfed70a1a89ae5de7366ef59490946bbd81133b22

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropping
zgRAT
Cape
Cape
https://www.capesandbox.com/analysis/315737/

Comments