MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec94c8c7f81013c6b195c398dca59c2148746850ab4f549dd181b3ec25382453. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec94c8c7f81013c6b195c398dca59c2148746850ab4f549dd181b3ec25382453
SHA3-384 hash: aa0bebd5ccdab52624c043744669eef0783ebd1548661bd369dbf6b8c66bde6925ab75979f4067b72c48dc425cb2ebbf
SHA1 hash: 988f7a47c076d0048fe09f2c7c46870baa461c3f
MD5 hash: c8360d1235aa3bf925228bfe6a1c8a62
humanhash: florida-robin-cold-ink
File name:c8360d1235aa3bf925228bfe6a1c8a62
Download: download sample
Signature zgRAT
Create hunting rule
File size:729'088 bytes
First seen:2023-12-07 04:53:57 UTC
Last seen:2023-12-07 06:15:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b610b1ff2dfb4b84acc0b3fb1474f9f2 (10 x RedLineStealer, 2 x Vidar, 1 x LummaStealer)
ssdeep 12288:WhI9jc2M11UZZOHpyRGGNkYj/lUcwAKdTSAixvFbOhl0c0nXBB4kncxJT+R6phS4:WKjb3OJyEQ9+ZSvxvNI0TBBnQJTgmhS4
TLSH T173F4226334D3D037C79BCEB9A404DA126A3FA5B26ED15447B79A15BB1FB07A0037428E
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:32 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
315
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/463096/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25319.1811.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65714fec3f60a810348ae11e/reports/4396f277-5170-499a-b923-a8f99ee56332/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/ec94c8c7f81013c6b195c398dca59c2148746850ab4f549dd181b3ec25382453
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2694df5c-7353-4485-bca0-c5f6e197a43a
Result
Threat name:
zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1355153
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ec94c8c7f81013c6b195c398dca59c2148746850ab4f549dd181b3ec25382453
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec94c8c7f81013c6b195c398dca59c2148746850ab4f549dd181b3ec25382453/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 07:10:29 UTC
File Type:
PE (Exe)
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5skmrr7ycaj4nmmvyomnzjm4efehi2cqvnhvjhorqgz6yjjyerjq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231207-fjjg7shdar/
Unpacked files
SH256 hash:
6ab8611ae6d3576f2c86d8a5199602012991a2d5cabc4efa2e9d4436ae6d1480
MD5 hash:
3a6916d417b10f661566b0a26d3090cf
SHA1 hash:
e6f3813d52b3bb51161a5e556b028d4f2940dbfa
Link:
https://www.unpac.me/results/2dd70ec6-9a73-473e-8eee-a763409afb91/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/2dd70ec6-9a73-473e-8eee-a763409afb91/
SH256 hash:
c1fd2a7c6525fe166593723454f1a19a5a413f69f6a6661768dcaf8a9425be24
MD5 hash:
1bf0d373d65e49ca0c60c0feb2718561
SHA1 hash:
14d35f4fa6df88fbf8f6fbe56283d99ae7643e71
Link:
https://www.unpac.me/results/2dd70ec6-9a73-473e-8eee-a763409afb91/
SH256 hash:
2c365d8e30ff1cd743bd5483caf02535029f3e3ce5e80df7e358afe3465a0029
MD5 hash:
1179729d3fb5dd204aee3d8ecdf87c99
SHA1 hash:
0a7df5309ed1bf5abd5378ac4786b75d9cc56f43
Link:
https://www.unpac.me/results/2dd70ec6-9a73-473e-8eee-a763409afb91/
SH256 hash:
ec94c8c7f81013c6b195c398dca59c2148746850ab4f549dd181b3ec25382453
MD5 hash:
c8360d1235aa3bf925228bfe6a1c8a62
SHA1 hash:
988f7a47c076d0048fe09f2c7c46870baa461c3f
Link:
https://www.unpac.me/results/2dd70ec6-9a73-473e-8eee-a763409afb91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec94c8c7f81013c6b195c398dca59c2148746850ab4f549dd181b3ec25382453

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe ec94c8c7f81013c6b195c398dca59c2148746850ab4f549dd181b3ec25382453

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2738264/
Cape
Cape
https://www.capesandbox.com/analysis/463096/

Comments


Avatar
zbet commented on 2023-12-07 04:53:58 UTC

url : hxxp://185.196.8.238/cleaneruop.exe