Windows Analysis Report
1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe

Overview

General Information

Sample name: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe
Analysis ID: 1525928
MD5: 270a0b31b0dea72f9d1dd6c9806dbe98
SHA1: c35c899588142880f3d8278a8032cbdb22b0a267
SHA256: 022c8a1e18ce200f388c24ec8c8ad3cbd493afd851822558016fddde688c9b35
Tags: base64-decodedexeuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

PureLog Stealer, zgRAT
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected zgRAT
Machine Learning detection for sample
Binary contains a suspicious time stamp
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
zgRAT zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe ReversingLabs: Detection: 13%
Machine Learning detection for sample
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe, type: SAMPLE Matched rule: Detects zgRAT Author: ditekSHen
PE file does not import any functions
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe Binary or memory string: OriginalFilenameFaineancy.exe" vs 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe
Uses 32bit PE files
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe, type: SAMPLE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: classification engine Classification label: mal76.troj.winEXE@0/0@0/0
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe ReversingLabs: Detection: 13%
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Binary contains a suspicious time stamp
Source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe Static PE information: 0xF5C11724 [Fri Aug 27 17:51:32 2100 UTC]

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe, type: SAMPLE
Yara detected zgRAT
Source: Yara match File source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe, type: SAMPLE

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe, type: SAMPLE
Yara detected zgRAT
Source: Yara match File source: 1728051009222f21cd7228745d779c350a32dd00cb3283817395c6233d0e35bbb8007ee686964.dat-decoded.exe, type: SAMPLE

No Screenshots

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1525928 Sample: 1728051009222f21cd7228745d7... Startdate: 04/10/2024 Architecture: WINDOWS Score: 76 5 Malicious sample detected (through community Yara rule) 2->5 7 Multi AV Scanner detection for submitted file 2->7 9 Yara detected PureLog Stealer 2->9 11 2 other signatures 2->11
No contacted IP infos