Windows Analysis Report
172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Overview

General Information

Sample name:	172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe
Analysis ID:	1525930
MD5:	8e5865da52505ef1ec09dc1f58b36a75
SHA1:	824b545d9f381df805ae5b32158e7a12a2bfdf23
SHA256:	2fb8a8576edcdb38f8f7334ca354cd35fe6f04e84d9b60e4f000592e9f45db22
Tags:	base64-decodedexeuser-abuse_ch
Infos:

Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

PureLog Stealer, zgRAT

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Machine Learning detection for sample

Binary contains a suspicious time stamp

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.0% probability

Machine Learning detection for sample

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

System Summary

Malicious sample detected (through community Yara rule)

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE

Matched rule: Detects zgRAT Author: ditekSHen

PE file does not import any functions

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Binary or memory string: OriginalFilenameCoati.exe" vs 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Uses 32bit PE files

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE

Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: classification engine

Classification label: mal80.troj.winEXE@0/0@0/0

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

ReversingLabs: Detection: 15%

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains a suspicious time stamp

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Static PE information: 0xEC34EBF6 [Sat Jul 30 19:07:34 2095 UTC]

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match

File source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE

Yara detected zgRAT

Source: Yara match

File source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match

File source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE

Yara detected zgRAT

Source: Yara match

File source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1525930
Product:	CloudBasic
Start time:	16:41:39
Start date:	04.10.2024
Sample:	172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	8e5865da52505ef1ec09dc1f58b36a75
SHA1:	824b545d9f381df805ae5b32158e7a12a2bfdf23
SHA256:	2fb8a8576edcdb38f8f7334ca354cd35fe6f04e84d9b60e4f000592e9f45db22
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report
172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Malware Threat Intel
Provided by