Windows Analysis Report
172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Overview

General Information

Sample name:	172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe
Analysis ID:	1525923
MD5:	ac7836d93953a3aaa764d9d212fa1650
SHA1:	69d7e8144c94794e2c15ac50b0fe01fbde694ba7
SHA256:	9d0ccbd6be0eda127dd9ff110d46b4a0dcc192a2832221784ee8d0cb9d80598a
Tags:	base64-decodedexeuser-abuse_ch
Infos:
Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

PureLog Stealer, zgRAT

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Yara detected zgRAT

Machine Learning detection for sample

Binary contains a suspicious time stamp

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

ReversingLabs: Detection: 13%

Machine Learning detection for sample

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

System Summary

Malicious sample detected (through community Yara rule)

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe, type: SAMPLE

Matched rule: Detects zgRAT Author: ditekSHen

PE file does not import any functions

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Binary or memory string: OriginalFilenameBlowhard.exe" vs 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Uses 32bit PE files

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe, type: SAMPLE

Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: classification engine

Classification label: mal76.troj.winEXE@0/0@0/0

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

ReversingLabs: Detection: 13%

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Static file information: File size 1089434 > 1048576

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains a suspicious time stamp

Source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Static PE information: 0xC348C61F [Fri Oct 27 10:40:31 2073 UTC]

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match

File source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe, type: SAMPLE

Yara detected zgRAT

Source: Yara match

File source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match

File source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe, type: SAMPLE

Yara detected zgRAT

Source: Yara match

File source: 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe, type: SAMPLE

Screenshots

No Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1525923
Product:	CloudBasic
Start time:	16:38:08
Start date:	04.10.2024
Sample:	172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ac7836d93953a3aaa764d9d212fa1650
SHA1:	69d7e8144c94794e2c15ac50b0fe01fbde694ba7
SHA256:	9d0ccbd6be0eda127dd9ff110d46b4a0dcc192a2832221784ee8d0cb9d80598a
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report
172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report 172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
172805101440ffea594d2599248d0f2d382d177349a402c86175ffd9e7d67d9c283869c709601.dat-decoded.exe

Malware Threat Intel
Provided by