MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f873b18a7661d466e204bdcd630e58f5a9900acffc33a4053f03964f1e1e38b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	f873b18a7661d466e204bdcd630e58f5a9900acffc33a4053f03964f1e1e38b3
SHA3-384 hash:	dd9d8b3d586e4c4c41f0f4ab6e479cc31844d7befeda7ddd82238364fa6792b79f4a46ed6bd81e8f47a21f9a8319df21
SHA1 hash:	54384b85f794405cdbd29265e32eb17e02aabe33
MD5 hash:	5293774d4196e1194c75f842a6763d0f
humanhash:	beryllium-green-montana-jupiter
File name:	file.exe
Download:	download sample
Signature	zgRAT Alert Create hunting rule
File size:	3'254'784 bytes
First seen:	2023-05-03 18:07:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:I92/DvBW1Mr7V2Y3RJjYS4tbhZANwrUmTWmWbQExEyhTTs07p7GhhA/gf8S1:I92
Threatray	48 similar samples on MalwareBazaar
TLSH	T159E59DE4906F44D2DC0BAED2697CBDD7073572F3CED90414236E7A084F2BAA98909D5E
TrID	50.8% (.EXE) Win64 Executable (generic) (10523/12/4) 10.0% (.EXE) Win16/32 Executable Delphi generic (2072/23) 9.9% (.ICL) Windows Icons Library (generic) (2059/9) 9.8% (.EXE) OS/2 Executable (generic) (2029/13) 9.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	abuse_ch
Tags:	exe zgRAT

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

246

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

file.exe

Verdict:

Malicious activity

Analysis date:

2023-05-03 18:10:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/37ddfc4b-d4e8-4548-9538-b6836dde4442

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/386301/

ClamAV Detected

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Creating a file

Using the Windows Management Instrumentation requests

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a process from a recently created file

Deleting a recently created file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Enabling autorun by creating a file

FileScan.IO No Threat

Verdict:

No Threat

Threat level:

  10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6452a3043d47a64d306bc7f0/reports/943a7989-95d6-46ce-8a31-0fd90f88032e/overview

Hybrid Analysis Win/malicious_confidence_90%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/f873b18a7661d466e204bdcd630e58f5a9900acffc33a4053f03964f1e1e38b3

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Formbook

Malware family:

Formbook

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/534e6136-b9ec-46e2-ad0e-0c5adf6b4fca

Joe Sandbox zgRAT

Result

Threat name:

zgRAT

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1225576

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f873b18a7661d466e204bdcd630e58f5a9900acffc33a4053f03964f1e1e38b3/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.Zilla

Threat name:

ByteCode-MSIL.Trojan.Zilla

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-03 18:08:10 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

3

AV detection:

14 of 37 (37.84%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7bz3dctwmhkgnyqexxgwgdsy6wuzacwp7qz2ibj7aole6hq6hczq._file

Threatray malicious

Verdict:

malicious

Similar samples:

397a6e1b47e1342772eb05cd3e45717a955efef85f78b8dd52c67286a8588411

zgRAT

4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864

zgRAT

5f2c559e070d9279ebf1519114d00ab17f817aff64970480721cd579d1fae612

zgRAT

6958b67fa4b8e6b4cb8a503cb6199b81c6df7491a97ec8edf51662e350078fda

zgRAT

729b3e10a37e42bba3f9999ce8a17bc69f8642d86420f05836a5d0271a718efc

zgRAT

814feb1393d69a3a46e80c35cabffc0c24ee035c94754e72179ca8627afc2e08

zgRAT

927d3a3220ea7299db6e08a1f1200c2c0c5997ae29a658d1ca8136acaa92153f

zgRAT

b4c98e5f455268459dbf8afce9997b4c4355ec30601dd290979a310773f0ed99

zgRAT

e621a773ec75f605fe4780a380817e3dd7125e04d0e97009413570a9babb4d94

zgRAT

e98d63fb7e1461f5dfc8b5f283aaa2a402f9f1f45b0e2453bff144956169c2df

zgRAT

+ 38 additional samples on MalwareBazaar

Hatching Triage Malicious

Result

Malware family:

n/a

Score:

  10/10

Tags:

persistence

Link:

https://tria.ge/reports/230503-wqv3ksfg96/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

Malware Config

Dropper Extraction:

https://smartphoodapp.com/xmine.exe

UnpacMe

Unpacked files

SH256 hash:

f873b18a7661d466e204bdcd630e58f5a9900acffc33a4053f03964f1e1e38b3

MD5 hash:

5293774d4196e1194c75f842a6763d0f

SHA1 hash:

54384b85f794405cdbd29265e32eb17e02aabe33

Link:

https://www.unpac.me/results/51f58419-10da-47e9-8044-e637b792462a/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f873b18a7661/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f873b18a7661d466e204bdcd630e58f5a9900acffc33a4053f03964f1e1e38b3

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/386301/