MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dce0b953b9201d59cd92a30bce45190f9c763690a09a7a279024d8cf4b8ce171. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dce0b953b9201d59cd92a30bce45190f9c763690a09a7a279024d8cf4b8ce171
SHA3-384 hash: 01dfb443a443b23929ef2458f5c51c4b8648cb454af0e7917a1d2408a565a43853de6edeecccf38682f11a287467575f
SHA1 hash: 2af89a1481476946f0e6666399b8183efe72c4cc
MD5 hash: 55b2683198df5ccb9f1abe080dde6519
humanhash: asparagus-jig-comet-white
File name:Purchase Order Number 2312001458.scr
Download: download sample
Signature zgRAT
Create hunting rule
File size:25'088 bytes
First seen:2023-12-18 17:28:22 UTC
Last seen:2023-12-18 19:19:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:u/eolrxBYQD7eJvamAFZ5aMNlG6PRewOrAWb7yR8zfVET1mANNwhpm8:Wl9aQ/eJvWn2AWb7yqAzkQ8
Threatray 62 similar samples on MalwareBazaar
TLSH T149B25A5A7A4F3621E62BC73EF863E4504FABE9464913C66F705B0397081339FEE46912
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 36c29292b2e88c82 (54 x AgentTesla, 33 x RedLineStealer, 11 x Formbook)
Reporter lowmal3
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
50d6984bb86d704e9b8b0a99a5b55960.eml
Verdict:
Suspicious activity
Analysis date:
2023-12-18 12:17:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3aa4ba51-e2b9-4e47-b32b-37b746635abf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468322/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.14455.26482.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file in the %temp% subdirectories
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65808160f4b6e5e1634f2680/reports/46fb1a57-a229-476d-a991-132aaab17c2b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dce0b953b9201d59cd92a30bce45190f9c763690a09a7a279024d8cf4b8ce171
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/690c485a-d3de-459e-93c2-88f4eaa26a93
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1364068
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1364068 Sample: Purchase_Order_Number_23120... Startdate: 18/12/2023 Architecture: WINDOWS Score: 100 31 www.southstreetdungeon.com 2->31 33 southstreetdungeon.com 2->33 35 81.189.14.0.in-addr.arpa 2->35 49 Antivirus detection for URL or domain 2->49 51 Antivirus detection for dropped file 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 9 other signatures 2->55 7 Purchase_Order_Number_2312001458.scr.exe 15 5 2->7         started        12 Purchase Order Number 2312001458.exe 4 2->12         started        14 Purchase Order Number 2312001458.exe 14 5 2->14         started        signatures3 process4 dnsIp5 37 southstreetdungeon.com 50.116.92.134, 443, 49704, 49713 UNIFIEDLAYER-AS-1US United States 7->37 27 C:\...\Purchase Order Number 2312001458.exe, PE32+ 7->27 dropped 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->57 59 Modifies the context of a thread in another process (thread injection) 7->59 61 Injects a PE file into a foreign processes 7->61 16 Purchase_Order_Number_2312001458.scr.exe 24 7->16         started        21 Purchase Order Number 2312001458.exe 12->21         started        23 Purchase Order Number 2312001458.exe 14->23         started        file6 signatures7 process8 dnsIp9 29 107.175.113.194, 47037, 49711, 49712 AS-COLOCROSSINGUS United States 16->29 25 C:\Users\user\AppData\...\sqlite.interop.dll, PE32+ 16->25 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->39 41 Tries to steal Mail credentials (via file / registry access) 16->41 43 Found many strings related to Crypto-Wallets (likely being stolen) 16->43 45 Tries to harvest and steal browser information (history, passwords, etc) 21->45 47 Tries to harvest and steal Bitcoin Wallet information 21->47 file10 signatures11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dce0b953b9201d59cd92a30bce45190f9c763690a09a7a279024d8cf4b8ce171
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dce0b953b9201d59cd92a30bce45190f9c763690a09a7a279024d8cf4b8ce171/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-12-18 07:20:05 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
11 of 37 (29.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3tqlsu5zeaovttmsumf44rizb6ohmnuqucnhuj4qetmm6s4m4fyq._file
Verdict:
malicious
Similar samples:
37e64d9178c73444d42f82a228fc822900d1d0ebffc99919d281b2416c9b6033
zgRAT
44a7c97a6329413816ca06839f6bd2aa29e5e45a5e0dc6d36fd491e8f056d661
zgRAT
52c76dd8c1caaf930ccb5f376b9731b21611c55ae4cbbfefb41fe3e50e66a3d1
zgRAT
5fb3a526d0e47584efd56faa6c0e0d296587e1798f9a7654aa0cf6a711b8a0a7
zgRAT
9331f9970a83bda8893c6ace5048f736426c8cbddbd7cc0857a7a7306efa9ff0
zgRAT
d0f93d98529b19fc436ea00567f23e9e012d440669b8e728e17d8d8e20a147cd
zgRAT
+ 52 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat collection persistence rat spyware stealer
Link:
https://tria.ge/reports/231218-v2jy1sddh8/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
dce0b953b9201d59cd92a30bce45190f9c763690a09a7a279024d8cf4b8ce171
MD5 hash:
55b2683198df5ccb9f1abe080dde6519
SHA1 hash:
2af89a1481476946f0e6666399b8183efe72c4cc
Link:
https://www.unpac.me/results/01b0741d-993c-4223-9cad-feb6869c01aa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dce0b953b9201d59cd92a30bce45190f9c763690a09a7a279024d8cf4b8ce171

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zgRAT

Executable exe dce0b953b9201d59cd92a30bce45190f9c763690a09a7a279024d8cf4b8ce171

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468322/

Comments