MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e199b649f562ee61d10b1f77a77fef2a3bf0c1f870e4aa9958402a4059f2fa1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 13

SHA256 hash: e199b649f562ee61d10b1f77a77fef2a3bf0c1f870e4aa9958402a4059f2fa1c
SHA3-384 hash: e15ee71caffc3f8554599b47caab77936061dd0641dd59b0d40ca426f3b2ffd4bdf7ac9d842ca2e8d5a05c3a0953f324
SHA1 hash: f3f2bf73e7a7f7ca70e0aef040ed244f6d1155f4
MD5 hash: 46f5f5a59fa2058386004186d75b4641
humanhash: november-pip-golf-enemy
File name: cp.exe
Signature: zgRAT
File size: 2'607'384 bytes
First seen: 2024-01-05 18:25:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7785ff80525c2ec7c1996163ba4515e8 (1 x zgRAT)
ssdeep: 49152:pqttbGmMwYxfYb+O+AjZPuhSitb59F2B4F3VGBnyrDIP:dwfP4hVcSI
TLSH: T14DC5C004F543E823C6220B7D9E1D53AEBF267F190F046895FEEAAF0C973E5227915192
TrID:
  61.0% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  15.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  10.5% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
  4.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter: adm1n_usa32
Tags: exe zgRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 303
Origin country: RO

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e199b649f562ee61d10b1f77a77fef2a3bf0c1f870e4aa9958402a4059f2fa1c.exe
Verdict: Suspicious activity
Analysis date: 2024-01-05 18:29:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a file in the %AppData% directory
Launching a process
Creating a file
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Searching for analyzing tools
Creating a window
Creating a service
Running batch commands
Launching a service
Creating a file in the Windows subdirectories
Enabling autorun for a service
Enabling autorun by creating a file
Unauthorized injection to a system process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control expand hook keylogger lolbin msbuild overlay packed remote shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: PureLog Stealer
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Drops VBS files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Behaviour
Behavior Graph: [rendered process graph not reproduced here] Behavior Graph ID: 1370544, Sample: cp.exe, Startdate: 05/01/2024, Architecture: WINDOWS, Score: 100
Threat name: Win32.Downloader.Seraph
Status: Malicious
First seen: 2024-01-04 21:04:16 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 15 of 37 (40.54%)
Threat level: 3/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:zgrat rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Detect ZGRat V1
ZGRat
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__PEB
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe e199b649f562ee61d10b1f77a77fef2a3bf0c1f870e4aa9958402a4059f2fa1c (this sample)

Comments