MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f96ce425352e621d1143cd2ca48eaf3423625fa4821e81c494da40666b59fb71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f96ce425352e621d1143cd2ca48eaf3423625fa4821e81c494da40666b59fb71
SHA3-384 hash: 1b2300081f24369cd5b7e5c3fb22106c1f740c2369ca36b727748e6e9b23c4911e4002ad6dbece13ff10c2b78bf3edd4
SHA1 hash: 4bf174c56d380f0b96745a2792e4d8de6b2d1a06
MD5 hash: d22cd7d032bb2d7bf5e55a811157bd34
humanhash: december-alanine-india-spaghetti
File name:d22cd7d032bb2d7bf5e55a811157bd34
Download: download sample
Signature zgRAT
Create hunting rule
File size:38'120 bytes
First seen:2023-02-20 11:35:27 UTC
Last seen:2023-02-20 14:30:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:rCVe0QS//g9EQigUJwHVN93zwtI2hkYFxIuqF3hKk:qR//nnJCVNGtn0uq3hKk
Threatray 975 similar samples on MalwareBazaar
TLSH T1BA0394923259C026D424A5FEC8E7E6E4937BBE599D22D60734B4FB1E3E37393C952408
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon ad7360d4dcf97182 (1 x zgRAT)
Reporter zbetcheckin
Tags:32 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d22cd7d032bb2d7bf5e55a811157bd34
Verdict:
Malicious activity
Analysis date:
2023-02-20 11:37:14 UTC
Tags:
loader
Link:
https://app.any.run/tasks/c73adf41-9ff2-451c-9fc6-8f235f465c00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368401/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.13701.13902.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
83%
Tags:
evasive overlay packed packed
Link:
https://www.filescan.io/uploads/63f35b27b53d126ad26347b4/reports/ef400062-80d4-4714-9db3-1dec3740f1fa/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f96ce425352e621d1143cd2ca48eaf3423625fa4821e81c494da40666b59fb71
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d9bb38ff-e2b2-427a-a78f-5e54e42b80a4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1179150
Signature
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f96ce425352e621d1143cd2ca48eaf3423625fa4821e81c494da40666b59fb71/
Threat name:
Win32.Downloader.PsDownload
Create hunting rule
Status:
Malicious
First seen:
2023-02-20 11:36:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
9 of 23 (39.13%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7fwoijjvfzrb2ekdzuwkjdvpgqrwex5eqipidreu3jagm22z7nyq._file
Verdict:
malicious
Similar samples:
069f26b91b13d2ebbca88ac98894e859995555a2559cbb274383a9379b98a61a
zgRAT
08c5de8e4d3c038e2385643b3201122ac43f7e09d21b89e42a2186a66fae3434
zgRAT
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
zgRAT
189df98f0de9676700b0d3e8d19cb4d6b33fa23313d435845dfa76a808b39cbc
zgRAT
218150c8d3e13fd5de782d48a45433b76d64a4f82feb9e4853543b1c8a9a1498
zgRAT
a13d5f2dedff839d945268116a3ba08cc0d5e17ed2b519477d118b447c02929f
zgRAT
c8b995746f09979fc1ccd83a08dab8913aa88b9036b584cc60d72029e867dd1d
zgRAT
d6280fbc63a14ec4318051d72ad20b7ca0c6391f752264aaac2ecd1685bf746c
zgRAT
ec4b8c7407dce9428bfe6752b90cfd9dafe91d83e238102bf310c6deaeb21a01
zgRAT
+ 965 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230220-nqlj5sag92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SH256 hash:
f96ce425352e621d1143cd2ca48eaf3423625fa4821e81c494da40666b59fb71
MD5 hash:
d22cd7d032bb2d7bf5e55a811157bd34
SHA1 hash:
4bf174c56d380f0b96745a2792e4d8de6b2d1a06
Link:
https://www.unpac.me/results/30556ab1-a76b-4793-93e8-36bf2f834cf4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/f96ce425352e621d1143cd2ca48eaf3423625fa4821e81c494da40666b59fb71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe f96ce425352e621d1143cd2ca48eaf3423625fa4821e81c494da40666b59fb71

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2545703/
Cape
Cape
https://www.capesandbox.com/analysis/368401/

Comments


Avatar
zbet commented on 2023-02-20 11:35:28 UTC

url : hxxp://77.91.84.92/svhosts.exe