MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdb8b8b1134a657a1fef24640d2e11005cf81c370380cff8634b2a7da776cea4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Zyklon

Vendor detections: 12

SHA256 hash: cdb8b8b1134a657a1fef24640d2e11005cf81c370380cff8634b2a7da776cea4
SHA3-384 hash: 1d5b00662e2074c8c9c9cba28fe969a42d2a6628c3c3e7f185e48bcd2341a4965f1df5e9c551edc22aed015872f22bcb
SHA1 hash: 775fb754dcc83e0ae397862d5d84060e40859d69
MD5 hash: a8953bbaa868dd7f66a3a7e73da80585
humanhash: edward-mango-eight-shade
File name: a8953bbaa868dd7f66a3a7e73da80585.exe
Signature: Zyklon
File size: 62'464 bytes
First seen: 2024-02-22 21:30:11 UTC
Last seen: 2024-02-22 23:27:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8c93d7208ad32b0621fe41c01c2063bf (1 x Zyklon)
ssdeep: 768:rlK8yVL66zg/23bhSyk2gPN2e9cF7ojZ4RQrxY2nNKXCTs1gL8:rlKhJ69/dyk32eW6SQi2NKz1U
TLSH: T1C1533B5376674031D642A2F15177AFF5D3EEAF305BB281D7A7810E3B8A302C5B868D29
TrID: 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      23.5% (.EXE) Generic Win/DOS Executable (2002/3)
      23.5% (.EXE) DOS Executable Generic (2000/1)
dhash icon: a472b1b0f2d660e0 (1 x Zyklon)
Reporter: abuse_ch
Tags: exe Zyklon


abuse_ch
Zyklon C2:
http://79.137.207.120/generatorExternal9Windows/Local74/3Processor/Js/UpdateBigloadProcess/HttpTest/uploads9universalTest/Trackflower6/pipe0Wp/trafficLineGameprovider/publicLocal80/6Better9/processorPhp/6defaultServer/0javascript/multi8external/5betterRequestlinux/UploadswindowsLow/toBigloadmultiflowerAsyncwptempdownloads.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 363
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Searching for synchronization primitives
Creating a file
Creating a file in the %AppData% subdirectories
Loading a suspicious library
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm fingerprint lolbin mpcmdrun msiexec overlay packed setupapi shdocvw shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DCRat, PureLog Stealer, zgRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 1397263, Sample: Px0b16q72c.exe, Startdate: 22/02/2024, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-02-19 01:53:00 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 20 of 38 (52.63%)
Threat level: 2/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:zgrat persistence rat spyware stealer
Behaviour
Creates scheduled task(s)
Modifies Control Panel
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect ZGRat V1
Process spawned unexpected child process
ZGRat
Unpacked files
SHA256 hash: cdb8b8b1134a657a1fef24640d2e11005cf81c370380cff8634b2a7da776cea4
MD5 hash: a8953bbaa868dd7f66a3a7e73da80585
SHA1 hash: 775fb754dcc83e0ae397862d5d84060e40859d69
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: meth_get_eip
Author: Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments