MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf28022edef1f38d7876a22e54d670a17ad7a663fe6d630f8b4e33638d6ef539. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 9



SHA256 hash: cf28022edef1f38d7876a22e54d670a17ad7a663fe6d630f8b4e33638d6ef539
SHA3-384 hash: 29dc9dfe5739691ae37d47f2c6482c53f298c0356977c1f1e91d3326524fe9f75c8c70e7114146a293392c4ece4012d9
SHA1 hash: 6912d1c63fae7cdda1aa11eb3a69af7d8cb16f80
MD5 hash: 305e49395b9495b69c88fafdff771b0e
humanhash: nevada-speaker-nebraska-robert
File name: 168874695393d5c4487a6a50f5e204d46211fd6619b471c831cec533d1f63a54ba597252bc507.dat-decoded
Download: download sample
Signature: zgRAT
File size: 2'922'496 bytes
First seen: 2023-07-07 16:22:35 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep: 24576:7ZSjHZm/elolWzslM45T1pYJFmc6V1ZZBDdfcNf/x7xVKB0GT83ez0XFD75NzNMx:7uZm/ulsF5avew4
Threatray: 6 similar samples on MalwareBazaar
TLSH: T1B5D59303B667C9B2C2A5D737C59A001C43AED5817B13EB7AA64A232E1D83FFE5853507
TrID:
  80.3% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
  4.4% (.SCR) Windows screen saver (13097/50/3)
  3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  3.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
  2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter: abuse_ch
Tags: base64-decoded dll zgRAT


abuse_ch
Malware dropped as base64 encoded payload

Intelligence

File Origin
# of uploads: 1
# of downloads: 302
Origin country: DE

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.Zusy
Status: Malicious
First seen: 2023-07-07 16:23:05 UTC
File Type: PE (.Net Dll)
Extracted files: 4
AV detection: 10 of 38 (26.32%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Unpacked files
SHA256 hash: cf28022edef1f38d7876a22e54d670a17ad7a663fe6d630f8b4e33638d6ef539
MD5 hash: 305e49395b9495b69c88fafdff771b0e
SHA1 hash: 6912d1c63fae7cdda1aa11eb3a69af7d8cb16f80
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_zgRAT
Author: ditekSHen
Description: Detects zgRAT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: zgRAT
File type: DLL
SHA256 hash: cf28022edef1f38d7876a22e54d670a17ad7a663fe6d630f8b4e33638d6ef539 (this sample)

Comments