MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cea71d83aeb6a4257e6d8738fe3e18d530f0f060d59e6a9c817eb93ae3175fb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cea71d83aeb6a4257e6d8738fe3e18d530f0f060d59e6a9c817eb93ae3175fb3
SHA3-384 hash: 741d4fc56306c0dfc1753a9642d9a9076cf435f458bc42a59cdb0978763d139fd267678c55db0141e26d39f27872d9e9
SHA1 hash: 44366ca78f95a6e2b26de95a23ca5cc1849cda86
MD5 hash: 11f048a49f86d8f5c55172529007227f
humanhash: jupiter-october-victor-indigo
File name:SecuriteInfo.com.Win32.DropperX-gen.12167.21749
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'403'392 bytes
First seen:2023-01-11 10:35:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:1QtO8F+76A4fKpjbdsRxB2aDTXTYxE8DlGabOmqGpPkX0Sv:cFS6RcjbyRxzTXmhIrpBxv
Threatray 647 similar samples on MalwareBazaar
TLSH T1EA55127AE44C1852C85EDC276693E5FAB68B91FCFBF848064C1FC249ADC84C5563E6B0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.DropperX-gen.12167.21749
Verdict:
Malicious activity
Analysis date:
2023-01-11 10:38:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7e19b3a6-fc62-48cc-818e-3b05e3f50165

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/351898/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.12167.21749.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63be9116a70bef46551e8955/reports/6e2c623e-2115-4962-90f4-29c0f35e2ec9/overview
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9cffc574-a942-400b-836a-17293b98b0aa
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1149513
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782245 Sample: SecuriteInfo.com.Win32.Drop... Startdate: 11/01/2023 Architecture: WINDOWS Score: 96 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected zgRAT 2->49 51 4 other signatures 2->51 7 SecuriteInfo.com.Win32.DropperX-gen.12167.21749.exe 1 7 2->7         started        11 Arviqe.exe 4 2->11         started        13 Arviqe.exe 3 2->13         started        process3 file4 39 C:\Users\user\AppData\Roaming\...\Arviqe.exe, PE32 7->39 dropped 41 C:\Users\user\...\Arviqe.exe:Zone.Identifier, ASCII 7->41 dropped 43 SecuriteInfo.com.W...12167.21749.exe.log, ASCII 7->43 dropped 53 Encrypted powershell cmdline option found 7->53 15 powershell.exe 16 7->15         started        17 SecuriteInfo.com.Win32.DropperX-gen.12167.21749.exe 7->17         started        19 SecuriteInfo.com.Win32.DropperX-gen.12167.21749.exe 7->19         started        27 8 other processes 7->27 55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 21 powershell.exe 13 11->21         started        23 Arviqe.exe 11->23         started        29 9 other processes 11->29 25 powershell.exe 13->25         started        31 10 other processes 13->31 signatures5 process6 process7 33 conhost.exe 15->33         started        35 conhost.exe 21->35         started        37 conhost.exe 25->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cea71d83aeb6a4257e6d8738fe3e18d530f0f060d59e6a9c817eb93ae3175fb3/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-01-11 10:36:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z2tr3a5ow2sck7tnq44p4pqy2uypb4da2wpgvhebp24tvyyxl6zq._file
Verdict:
malicious
Similar samples:
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
zgRAT
1136869b303bfb491fda58869c898c19d9086fe34fd752018e49804481c6fbb1
zgRAT
3d8df24ce7381b4dfbd331934ae68aa3c822ba8518ccd967b5b1697ee31dea29
zgRAT
67901cd2dfa1b1abd362722379f677dfef008d40fc2b65b1aa2359840f58320f
zgRAT
7965e9813714dba016ee3034616a12092c71818443a0c269d3ab8791b9883eec
zgRAT
a3ee09ce29be074b29f2ea1a0eb126bc907c93aed40b880f00eb0b8ee59b8d2c
zgRAT
e803c5d292e1684844ff0ac82e76ca90caca1e44e7cd3507ce4ee4507b9d9fb2
zgRAT
e961ac85380ccd346de98c4a55e10b837b9a77b7d31ec7a312b61b484e32c932
zgRAT
f8f1b145c2a92cb79b32568f3300732e3d79bd5f157a1e54b77c1058707a972c
zgRAT
+ 637 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230111-mm9bcsbg92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/00414753-d3e4-4ef4-91a3-efbd8255f01a
Unpacked files
SH256 hash:
cea71d83aeb6a4257e6d8738fe3e18d530f0f060d59e6a9c817eb93ae3175fb3
MD5 hash:
11f048a49f86d8f5c55172529007227f
SHA1 hash:
44366ca78f95a6e2b26de95a23ca5cc1849cda86
Link:
https://www.unpac.me/results/b27505ee-d9ac-4070-8027-0a17ce3b4864/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/cea71d83aeb6a4257e6d8738fe3e18d530f0f060d59e6a9c817eb93ae3175fb3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351898/

Comments