MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e346f2c15cb9cb03b4c4d8c28c8a36f06065f4e37ec8de79995fd8526baa851a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e346f2c15cb9cb03b4c4d8c28c8a36f06065f4e37ec8de79995fd8526baa851a
SHA3-384 hash: 85f47cf24ce491c54c065b27826817fa9a20b98746c980de79e97c5d4d8e74770a12fd6c975124698ac8cde4f53f271c
SHA1 hash: 7e08808cf7d150ac19c30703611131ca4efc47a0
MD5 hash: 16f59cfcf3a6825e3b82bcd824eae170
humanhash: robin-oxygen-alaska-batman
File name:16f59cfcf3a6825e3b82bcd824eae170
Download: download sample
Signature zgRAT
Create hunting rule
File size:4'700'160 bytes
First seen:2024-04-04 19:12:49 UTC
Last seen:2024-04-04 20:19:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:6KMuP4HOZZXSsS0MktC2Qujgu6fUbLd8SbT5TB2+:6KMugIS06ZQgu6wr7v
Threatray 214 similar samples on MalwareBazaar
TLSH T187263329B79E9E6BCDCC0C7D68708AC544423C7E7A05D6BE4890322A2273D6F5B97325
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 90c7cdf8e2e4761c (2 x LummaStealer, 1 x Stealc, 1 x zgRAT)
Reporter zbetcheckin
Tags:32 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
e346f2c15cb9cb03b4c4d8c28c8a36f06065f4e37ec8de79995fd8526baa851a.exe
Verdict:
Malicious activity
Analysis date:
2024-04-04 19:15:07 UTC
Tags:
stealer redline
Link:
https://app.any.run/tasks/0e55efb2-abf1-4426-95b4-b897a77f1539

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Moving a file to the Program Files subdirectory
Replacing files
Forced system process termination
Searching for the window
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Rewriting of the hard drive's master boot record
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/e346f2c15cb9cb03b4c4d8c28c8a36f06065f4e37ec8de79995fd8526baa851a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/60441e02-8591-4c6e-8ff9-634bf4050bac
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1420464
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e346f2c15cb9cb03b4c4d8c28c8a36f06065f4e37ec8de79995fd8526baa851a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e346f2c15cb9cb03b4c4d8c28c8a36f06065f4e37ec8de79995fd8526baa851a/
Threat name:
ByteCode-MSIL.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2024-04-04 19:13:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
56
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ndpfqk4xhfqhnge3dbizcrw6bqgl5hdp3en46mzl7mfe25kquna._file
Verdict:
malicious
Similar samples:
4500f0d2feadf7c3f582442aad4d48bdd61c5e915827b0212d528d720fe2cc6e
zgRAT
610c474254bee38a3c7c7f3468f26d2c8eac8879aec5539a6be84e72afcfe893
zgRAT
6c3faa9c54a7d44226623afee69d63114957699330dd576092965999550dd19d
zgRAT
c98b767c0ceb5c2bc05e873a06f0f264d8f7e42fd51c475e8595514d8b81f09f
zgRAT
d053879ededbb8f28a3f336c73d2236993f92bc8cbfdd9b5ad160b7123c1c39a
zgRAT
d2a5bffc667647e9ba8a0d1733f9a27df01af72b9dbc7193031aad4c8853c6e4
zgRAT
d6a38a2e5ae630ab2d30f879433bb3f0268d65861a2f49703319d1469a1e4b39
zgRAT
f3cc24a419c6822084fbd496d4d169b61d7ca28b31fc6d1032d6255179521a68
zgRAT
f7b3ea13abebeb99ddfd4319457ff2d8a8473b8a46963de047cce295abadd2eb
zgRAT
+ 204 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:zgrat bootkit infostealer persistence rat spyware
Link:
https://tria.ge/reports/240404-xw29hsff81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Writes to the Master Boot Record (MBR)
Detect ZGRat V1
RedLine
RedLine payload
ZGRat
Unpacked files
SH256 hash:
e346f2c15cb9cb03b4c4d8c28c8a36f06065f4e37ec8de79995fd8526baa851a
MD5 hash:
16f59cfcf3a6825e3b82bcd824eae170
SHA1 hash:
7e08808cf7d150ac19c30703611131ca4efc47a0
Link:
https://www.unpac.me/results/d1e265ac-3c4c-4910-85a3-0528d105144f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e346f2c15cb9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e346f2c15cb9cb03b4c4d8c28c8a36f06065f4e37ec8de79995fd8526baa851a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe e346f2c15cb9cb03b4c4d8c28c8a36f06065f4e37ec8de79995fd8526baa851a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2801300/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-04-04 19:12:50 UTC

url : hxxp://94.232.45.38/ttt01.exe