MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfa592b0128bc126fbf3fb66c551a8d87223b196f5e0cd87e60b88bdc688c6e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



zgRAT


Vendor detections: 12



SHA256 hash: cfa592b0128bc126fbf3fb66c551a8d87223b196f5e0cd87e60b88bdc688c6e0
SHA3-384 hash: 3f67fd6b5c44fc177b81fa8f6247a3281e010e466f14048703a534007f1ae71cbe553c474d4dbbac9b9234a42115fbb1
SHA1 hash: 392ccfa22f19f6e466a973ac654e450a62391572
MD5 hash: 43c29e5e42f4870fa4bbb30abad26012
humanhash: early-kilo-cold-pizza
File name: ScHoster.exe
Signature zgRAT
File size: 684'032 bytes
First seen: 2023-10-20 19:30:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:KbnfV4yEZcoGnvTjARLbX+Ez5C8Q97keqjCrwQk507duFNT:K7fV4ynjnvTjCbX+Et2ZkCsQ60JM
Threatray 3'504 similar samples on MalwareBazaar
TLSH T140E423486718AF63DEFC4472E5E3BA292791E877C7BBE7495C4023225D513C9A62034F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter AndreGironda
Tags: Alibaba2044 exe PureLogs zgRAT
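The imphash above is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples because a CIL (.NET) executable carries a single native import, `_CorExeMain` from mscoree.dll, so every such binary hashes to the same value. The following Python is an added example, not code from MalwareBazaar or from the sample: it reproduces the documented imphash construction (lower-case DLL name with the .dll/.ocx/.sys extension stripped, `dll.function` pairs joined by commas in import-table order, MD5 of the result) so the collision can be checked directly. The native import list is constructed for illustration, and the pefile ordinal-to-name lookup table for a few well-known DLLs is left out as a simplification; unknown ordinals are rendered as `ordN`.

```python
import hashlib

# Added example: imphash as computed by pefile.get_imphash() (Mandiant's definition).
# imports: iterable of (dll_name, symbol) pairs in import-table order,
# where symbol is the function name (str) or an ordinal (int).
def imphash(imports):
    parts = []
    for dll, symbol in imports:
        lib = dll.lower()
        # only these three extensions are stripped; anything else is kept verbatim
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        if isinstance(symbol, int):
            # simplification (assumption): pefile resolves ordinals for a handful of
            # known DLLs via a lookup table; here every ordinal becomes "ordN"
            name = f"ord{symbol}"
        else:
            name = symbol.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# The only native import a CIL executable has, regardless of what the managed code does.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# Constructed import table of a native binary (illustrative, not from any sample).
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "CreateThread"),
    ("ADVAPI32.dll", "AdjustTokenPrivileges"),
    ("WS2_32.dll", 23),  # ordinal import
]


def dotnet_imphash():
    """Imphash every .NET executable shares; matches the value on this page."""
    return imphash(DOTNET_IMPORTS)


if __name__ == "__main__":
    print("CIL executable :", dotnet_imphash())
    print("native example :", imphash(NATIVE_IMPORTS))
    # order matters: the same imports in a different order give a different imphash
    print("reversed native:", imphash(list(reversed(NATIVE_IMPORTS))))
```

For .NET samples, pivot on TLSH, ssdeep or the hashes of the unpacked payloads instead; an imphash match between two CIL executables says nothing about shared code.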

Intelligence


File Origin
# of uploads :
1
# of downloads :
290
Origin country :
US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ScHoster.exe
Verdict:
Suspicious activity
Analysis date:
2023-10-20 19:41:17 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Launching a process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
barys obfuscated packed packed smartassembly smart_assembly
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Yara detected Costura Assembly Loader
Yara detected zgRAT
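Three of the signatures above ("Bypasses PowerShell execution policy", "Encrypted powershell cmdline option found", "Suspicious powershell command line found") describe the same artefact: a powershell.exe process-creation command line that disables the execution policy and hides its payload behind `-EncodedCommand`. The following Python is an added example, not code from the page or from any sandbox vendor, showing how to flag those options in process-creation logs and recover the hidden command. It accounts for the fact that powershell.exe accepts any unambiguous prefix of a parameter name (`-ep`, `-ex`, `-enc`, `-e`, `-w`, `-nop`, ...) and that the encoded payload is base64 over UTF-16LE. The sample command lines, including the encoded payload built at import time, are constructed for illustration.

```python
import base64
import binascii
import re

# Added example: detect risky powershell.exe command-line options and decode -EncodedCommand.


def _prefixes(word, min_len):
    """Regex alternation of every prefix of `word` from the full name down to `min_len`
    characters, longest first, because powershell.exe accepts any unambiguous prefix."""
    return "|".join(word[:n] for n in range(len(word), min_len - 1, -1))


POWERSHELL_RE = re.compile(
    r"(?:^|[\\\s\"'])(?:powershell|pwsh)(?:\.exe)?(?:[\s\"']|$)", re.I
)

# Ordered checks; each regex only fires on a standalone "-option" token.
CHECKS = [
    ("executionpolicy_bypass",
     re.compile(r"(?:^|\s)-(?:" + _prefixes("executionpolicy", 2) + r"|ep)\s+(?:bypass|unrestricted)\b", re.I)),
    ("encoded_command",
     re.compile(r"(?:^|\s)-(?:" + _prefixes("encodedcommand", 1) + r"|ec)\s+([A-Za-z0-9+/=]{16,})", re.I)),
    ("hidden_window",
     re.compile(r"(?:^|\s)-(?:" + _prefixes("windowstyle", 1) + r")\s+hidden\b", re.I)),
    ("no_profile",
     re.compile(r"(?:^|\s)-(?:" + _prefixes("noprofile", 3) + r")(?:\s|$)", re.I)),
]


def decode_encoded_command(b64):
    """Return the UTF-16LE script behind -EncodedCommand, or None if it is not valid
    base64 / not an even number of bytes (a truncated or forged value)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline):
    """Run every check against one process-creation command line."""
    result = {
        "cmdline": cmdline,
        "is_powershell": bool(POWERSHELL_RE.search(cmdline)),
        "findings": [],
        "decoded": None,
    }
    if not result["is_powershell"]:
        return result
    for name, rx in CHECKS:
        m = rx.search(cmdline)
        if not m:
            continue
        result["findings"].append(name)
        if name == "encoded_command":
            result["decoded"] = decode_encoded_command(m.group(1))
    return result


def analyze_log(lines):
    return [analyze_cmdline(line) for line in lines]


# Constructed payload and command lines (not taken from the sample or any report).
_HIDDEN = "Set-MpPreference -DisableRealtimeMonitoring $true"
_ENC = base64.b64encode(_HIDDEN.encode("utf-16-le")).decode("ascii")

SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand " + _ENC,
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -w hidden -enc " + _ENC,
    'powershell.exe -Command "Get-ChildItem C:\\Users"',
    "cmd.exe /c ScHoster.exe",
]

if __name__ == "__main__":
    for r in analyze_log(SAMPLE_CMDLINES):
        print(r["findings"], "->", r["decoded"])
```

The decoded command, not the raw base64, is what belongs in the alert: the same payload can be re-encoded with different parameter spellings and casing, so detections keyed on the literal command line are trivially evaded.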
Behaviour
Behavior Graph:
Behavior Graph (rendered graph not reproduced; data recovered from its labels)
Behavior Graph ID: 1329475
Sample: ScHoster.exe
Start date: 20/10/2023
Architecture: WINDOWS
Score: 96
Root signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected zgRAT; 8 other signatures
Root DNS: youtube-ui.l.google.com; www3.l.google.com; 32 other IPs or domains
Processes started from the root: firefox.exe; chrome.exe; cmd.exe; 2 other processes (which started conhost.exe)
cmd.exe started: ScHoster.exe; conhost.exe
chrome.exe: 192.168.2.16 (443, 49707, 49731), 239.255.255.250 (Reserved); child chrome.exe contacted scone-pa.clients6.google.com 142.250.31.95 and www3.l.google.com 142.251.163.102 (443, 49774, 49775) plus 13 other IPs or domains
firefox.exe: child firefox.exe contacted prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 (49745, 49746, 49748) and prod.ingestion-edge.prod.dataops.mozgcp.net 34.120.208.123 (443, 49862, 49863) plus 9 other IPs or domains; dropped C:\Users\user\AppData\...\gmpopenh264.dll.tmp (PE32+); started three further firefox.exe processes and 8 other processes
Threat name:
ByteCode-MSIL.Trojan.Barys
Status:
Malicious
First seen:
2023-08-14 12:27:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Unpacked files

SHA256 hash: 1b22787bd83b123f4ac2654aaed884bb87365dd098b2e3fac27c60208f185b31
MD5 hash: 2df519defae6095ea826018d997bf260
SHA1 hash: 4c68915ab1ac342757fb135c6fa73b652f790bdd

SHA256 hash: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash: 4e29f75c0c51b9dec76955f0382d9541
SHA1 hash: 4899aa8e3f57339cbaec8faab777897a76fe1c3a

SHA256 hash: a51f414ad63e03b380d2962dab844503fa8a61244c6195f789c63fda3765964d
MD5 hash: cec44ee37645c1bd94a742f0cd0e5678
SHA1 hash: 395c250814921595f27cee1bae37fc283ec1fef6

SHA256 hash: a7e7ed0041145883cc31671d858df848aacae12105ec1e1ad0e271e46794f5a1
MD5 hash: eadd8d1c3ff9fd04e6d8de533175ae3b
SHA1 hash: 0c577ea0e8a8a58505e474083d98affe9def40b8

SHA256 hash: cfa592b0128bc126fbf3fb66c551a8d87223b196f5e0cd87e60b88bdc688c6e0
MD5 hash: 43c29e5e42f4870fa4bbb30abad26012
SHA1 hash: 392ccfa22f19f6e466a973ac654e450a62391572
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments