MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea692e0b71d678d18c157a5980625e75f9060c97f9209a562691ebf92f726e84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea692e0b71d678d18c157a5980625e75f9060c97f9209a562691ebf92f726e84
SHA3-384 hash: 5f72922328083a5d37f03c335bb68c465af7167450efe012db6be0c043e81a48a9aa80d734e1acabaa8bab7882a7cfed
SHA1 hash: 6c5edc8550e2851178cc70cea46f4c6ae622f09b
MD5 hash: 5630282a95afd2a5ceeecc5acf7ff053
humanhash: oscar-kitten-kilo-batman
File name:download.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:3'252'224 bytes
First seen:2023-10-24 15:42:56 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 98304:F/j1VbVk+uKtr0h53OCff6FWnCSeqOLXg:F/j1Vbt90h53OCff6aCHqOb
Threatray 34 similar samples on MalwareBazaar
TLSH T1DFE5BF09B6D6EE2FD7887B3AA02B41284235D6117757BB1F1F7D52343D923B80A423DA
TrID 80.3% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
4.4% (.SCR) Windows screen saver (13097/50/3)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
3.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter malwarelabnet
Tags:dll zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
CA CA
Vendor Threat Intelligence
Detection:
Fiber
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456026/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.25698.20009.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6537e6062c931cd07e1b1efb/reports/c2d36f4f-1369-429b-ad5f-f4fa67a7072d/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/ea692e0b71d678d18c157a5980625e75f9060c97f9209a562691ebf92f726e84
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bb851869-e981-49fa-9d96-93e31fe5367a
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1331383
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331383 Sample: download.exe.dll Startdate: 24/10/2023 Architecture: WINDOWS Score: 64 18 time.windows.com 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected zgRAT 2->22 24 .NET source code contains method to dynamically call methods (often used by packers) 2->24 26 Yara detected Generic Downloader 2->26 8 loaddll32.exe 1 2->8         started        10 SkypeApp.exe 2 4 2->10         started        signatures3 process4 process5 12 cmd.exe 1 8->12         started        14 conhost.exe 8->14         started        process6 16 rundll32.exe 12->16         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ea692e0b71d678d18c157a5980625e75f9060c97f9209a562691ebf92f726e84
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea692e0b71d678d18c157a5980625e75f9060c97f9209a562691ebf92f726e84/
Threat name:
ByteCode-MSIL.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-10-20 05:30:33 UTC
File Type:
PE (.Net Dll)
Extracted files:
4
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5jus4c3r2z4nddavpjmyays6ox4qmdex7eqjuvrgshv7sl3sn2ca._file
Verdict:
malicious
Similar samples:
11e812da55ed18d2337cf3249cf00df14fd1442f1914dcd177eb36df329d3e2e
zgRAT
3e24e25b11d4ec5c97fff9121b751f34e11b74d376a1aaa0868605b57d162d30
zgRAT
411ff6f1702fc4c00c095688a3e3e7bc2a495bea2b50debc326d76ed9dcfec20
zgRAT
442a4875ff59e45063211c004f61cbd43dc441454dc1192a6bd495a831f32001
zgRAT
5d96e330336bdf3dc249de4ff69aeb0dceb92dbfbe77839c8a3e5dfad2742572
zgRAT
5dde21be9d6b2fffde1eeab3dd6fc370bf6c47f047d9dc7e16c5e9f0ead13b96
zgRAT
a71764497b51d851d5e78d8ab520136e8d93de16184985a1715154254948b94e
zgRAT
d3ee013d6d3189698f86f7bf10bac7d49ae944d574e40f6f0888d702d52fcd18
zgRAT
dd4a6bb436e33a55b18f88a38f23ea82b1f4d80cb170eeb7e1de6797b9ce59dc
zgRAT
ea995ab98439bc4ce6209707650964576c98ad11cd270351d4fbb5d0076bc40f
zgRAT
+ 24 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat
Link:
https://tria.ge/reports/231024-s5w2msff76/
Unpacked files
SH256 hash:
ea692e0b71d678d18c157a5980625e75f9060c97f9209a562691ebf92f726e84
MD5 hash:
5630282a95afd2a5ceeecc5acf7ff053
SHA1 hash:
6c5edc8550e2851178cc70cea46f4c6ae622f09b
Link:
https://www.unpac.me/results/430b4b73-5862-46ce-bb19-ffbb9827d9e8/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:MALWARE_Win_Fiber
Create hunting rule
Author:ditekSHen
Description:Detects Fiber .NET injector
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/456026/

Comments