MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e63ae6b6a21682cc06993ce09d717f3713b04a84b5567653bd8ccfdba1f89f06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Zegost


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e63ae6b6a21682cc06993ce09d717f3713b04a84b5567653bd8ccfdba1f89f06
SHA3-384 hash: 6a5d148c3f7ba963037237627ce75a1b491cd4b53a0de4150db20ccdfa4d2c753ad70d276c74bcf6d455ab22172902fd
SHA1 hash: ffd5bb4b62d7816f0ce4af5843cd82ab7edf5cb0
MD5 hash: 2136731abbe410fb24240c34f1a47260
humanhash: lamp-uniform-papa-uncle
File name:2136731abbe410fb24240c34f1a47260
Download: download sample
Signature Zegost
Create hunting rule
File size:3'106'304 bytes
First seen:2021-07-29 21:04:31 UTC
Last seen:2021-07-29 21:47:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c27231b356af8ced28fb04cd41acd2d (1 x Zegost)
ssdeep 49152:j2Tz8wIYwesVWRj1DLBaxMHQH2DeVpsjN8lLJ+cSK8ZOqUgzXVJVjIK9zWLNCab5:MzPsYR9LBaxLWD2sh8l4ASOqUQVJhd9E
Threatray 1 similar samples on MalwareBazaar
TLSH T1CCE512007981C071D4BA15350CF9A77A2A7D7D310B68CAEFABE44E7E5E780D06A35A73
Reporter zbetcheckin
Tags:32 exe Zegost

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2136731abbe410fb24240c34f1a47260
Verdict:
No threats detected
Analysis date:
2021-07-29 21:06:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/054f994f-1c30-4b3d-a8b7-a20b134a5796

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175141/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46702677.8693.28760.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/530c5600-f404-4199-a176-aedc0d821b55
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824128
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Detected VMProtect packer
DLL side loading technique detected
Early bird code injection technique detected
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e63ae6b6a21682cc06993ce09d717f3713b04a84b5567653bd8ccfdba1f89f06/
Threat name:
Win32.Backdoor.Zegost
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 04:08:00 UTC
AV detection:
13 of 27 (48.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4y5onnvcc2bmybuzhtqj24l7g4j3asuewvlhmu55rth5xipyt4da._file
Verdict:
unknown
Similar samples:
96da3b9b77439e1b6ee9dd967044bd234f6fdba1465367cb821387c8dd27134e
Zegost
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata vmprotect
Link:
https://tria.ge/reports/210729-2yxzs6adce/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
VMProtect packed file
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
suricata: ET MALWARE Downloader.Win32.Small CnC Beacon
suricata: ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
Unpacked files
SH256 hash:
c377cc975d25bda2e108654b0e6e6dde8ff6183836bdf2126ac3c867f42c90db
MD5 hash:
e45951948c40970a3b82cd4c2108286b
SHA1 hash:
fd1dc4b67613b2265dd4688414495bc61bfb1f70
Link:
https://www.unpac.me/results/32c48e94-4a64-4f6c-a1fa-1c2f8be92901/
SH256 hash:
04b221abd2b374a62fba3a2351152eb118e5c54398cbacfb510b3a11adae09d8
MD5 hash:
3b04c84b07ccf57a611bb79af2ca4426
SHA1 hash:
9447f22a5708da832796e653e1aead561141ea87
Link:
https://www.unpac.me/results/32c48e94-4a64-4f6c-a1fa-1c2f8be92901/
SH256 hash:
0e6ba4803caf67c79184e1c437832613adec088bd3315837fed3550ebfea3226
MD5 hash:
695648548e4c342951ca6c13c56d43f2
SHA1 hash:
59c42af68d6b9d1f030a08e1ed87a82d9d3ea1bb
Link:
https://www.unpac.me/results/32c48e94-4a64-4f6c-a1fa-1c2f8be92901/
SH256 hash:
e63ae6b6a21682cc06993ce09d717f3713b04a84b5567653bd8ccfdba1f89f06
MD5 hash:
2136731abbe410fb24240c34f1a47260
SHA1 hash:
ffd5bb4b62d7816f0ce4af5843cd82ab7edf5cb0
Link:
https://www.unpac.me/results/32c48e94-4a64-4f6c-a1fa-1c2f8be92901/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e63ae6b6a21682cc06993ce09d717f3713b04a84b5567653bd8ccfdba1f89f06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Zegost

Executable exe e63ae6b6a21682cc06993ce09d717f3713b04a84b5567653bd8ccfdba1f89f06

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175141/
  
URLhaus
https://urlhaus.abuse.ch/url/1490663/

Comments


Avatar
zbet commented on 2021-07-29 21:04:31 UTC

url : hxxp://43.255.241.176/Dll/17z/loader.exe