MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5b18d53835af3194899ef34effacf1e886854716b78ad0ca948d079d0550f74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5b18d53835af3194899ef34effacf1e886854716b78ad0ca948d079d0550f74
SHA3-384 hash: 4138bc96e4bfbc97068c9955c4e203fda8f474276e0da6d77988e2437d83617618614a3c2d4c32a6902a9317acecef47
SHA1 hash: 4533d3dca99cd546284718c350185bd5404dcc30
MD5 hash: da419a77d4cf91ece32dca8dd1dfd152
humanhash: river-solar-lemon-queen
File name:da419a77d4cf91ece32dca8dd1dfd152
Download: download sample
Signature zgRAT
Create hunting rule
File size:606'208 bytes
First seen:2023-12-04 15:50:49 UTC
Last seen:2023-12-04 17:30:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:ZmBbJ+/O9lnYT2rRQJKTMfb8Y9aqK+TfWjen95tjf++33+J0eibpuYmw7Wy:ZCcYnfrRQAifm+j9fjF33+BYpzf
TLSH T1B1D42306EA67FB77D02444F34A3EEF491D30988486478B5F587FA4EA5D1D2B20EF2894
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
362
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
da419a77d4cf91ece32dca8dd1dfd152
Verdict:
Malicious activity
Analysis date:
2023-12-04 15:54:16 UTC
Tags:
pureloader purecrypter loader
Link:
https://app.any.run/tasks/50294ac2-f3c1-43bd-9bec-0527fb1b8443

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462397/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.24527.9363.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a file
Forced system process termination
Deleting a recently created file
Creating a process from a recently created file
Launching a process
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/656df58f8b5ba47db2d0caf3/reports/3fbc19cc-d54c-4bfa-b6bd-31efaa142355/overview
Verdict:
Malicious
Labled as:
Trojan.Mardom.MN.Generic
Link:
https://www.hybrid-analysis.com/sample/e5b18d53835af3194899ef34effacf1e886854716b78ad0ca948d079d0550f74
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39dddbf5-11e0-443c-b71f-02944aa947a1
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353303
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1353303 Sample: eChwr3ZM1u.exe Startdate: 04/12/2023 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 13 other signatures 2->47 6 InArgs.exe 3 2->6         started        9 DigestAlgorithm.exe 2->9         started        11 tpvdad.exe 5 2->11         started        14 6 other processes 2->14 process3 file4 51 Antivirus detection for dropped file 6->51 53 Multi AV Scanner detection for dropped file 6->53 55 Machine Learning detection for dropped file 6->55 16 InstallUtil.exe 16 4 6->16         started        57 Writes to foreign memory regions 9->57 59 Modifies the context of a thread in another process (thread injection) 9->59 61 Injects a PE file into a foreign processes 9->61 21 RegSvcs.exe 9->21         started        33 C:\Users\user\AppData\...\DigestAlgorithm.exe, PE32+ 11->33 dropped 35 C:\Users\user\AppData\Local\...\InArgs.exe, PE32 14->35 dropped 63 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->63 65 Potential dropper URLs found in powershell memory 14->65 23 conhost.exe 14->23         started        25 conhost.exe 14->25         started        27 conhost.exe 14->27         started        signatures5 process6 dnsIp7 37 163.123.142.171, 39001, 39002, 39003 ILIGHT-NETUS Reserved 16->37 39 91.92.244.36, 49704, 49706, 49707 THEZONEBG Bulgaria 16->39 29 C:\Users\user\AppData\Local\Temp\tpvdad.exe, PE32+ 16->29 dropped 31 C:\Users\user\AppData\Local\...\antchxd.exe, PE32 16->31 dropped 49 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->49 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5b18d53835af3194899ef34effacf1e886854716b78ad0ca948d079d0550f74/
Threat name:
ByteCode-MSIL.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2023-12-03 05:58:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4wyy2u4dllzrssez542o76wpd2egqvdrnn4k2dfjjdihtucvb52a._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/231204-tagh5scc3t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
27d15c2d8b7a8fc2f1234632833a77d00fa4ad72647f808e44ee25d08f537c11
MD5 hash:
6258c948ccc8bfeaab7b3160930fa766
SHA1 hash:
cf9ec6a78ef7709443da45a3c70d15afb63e444a
Link:
https://www.unpac.me/results/60bab143-9f70-4a87-8189-5a84c444b704/
SH256 hash:
8638007a7ba052b3bc50d8693065895a7f03a77b1d81f95d84e183b78c7d1fb9
MD5 hash:
66683f8b2d50e409acad4cd9406c9925
SHA1 hash:
a607d02296d41e1d8e029ccb46b2228b401f87f4
Link:
https://www.unpac.me/results/60bab143-9f70-4a87-8189-5a84c444b704/
SH256 hash:
a0d1695277e878bfd86e104211755245af69adf3c9b8b4f14a88093881d47715
MD5 hash:
1028f63c3224f485c1a64d21c32db623
SHA1 hash:
4e2c296d3d7653be9cc6c536698c0238e583e4f0
Link:
https://www.unpac.me/results/60bab143-9f70-4a87-8189-5a84c444b704/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/60bab143-9f70-4a87-8189-5a84c444b704/
SH256 hash:
e5b18d53835af3194899ef34effacf1e886854716b78ad0ca948d079d0550f74
MD5 hash:
da419a77d4cf91ece32dca8dd1dfd152
SHA1 hash:
4533d3dca99cd546284718c350185bd5404dcc30
Link:
https://www.unpac.me/results/60bab143-9f70-4a87-8189-5a84c444b704/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5b18d53835a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
zgRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5b18d53835af3194899ef34effacf1e886854716b78ad0ca948d079d0550f74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe e5b18d53835af3194899ef34effacf1e886854716b78ad0ca948d079d0550f74

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2737300/
Cape
Cape
https://www.capesandbox.com/analysis/462397/

Comments


Avatar
zbet commented on 2023-12-04 15:50:50 UTC

url : hxxp://163.123.142.171:8080/file/1701517649-explorer.exe