
Windows Analysis Report
172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe

Overview

General Information

Sample name: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe
Analysis ID: 1525930
MD5: 8e5865da52505ef1ec09dc1f58b36a75
SHA1: 824b545d9f381df805ae5b32158e7a12a2bfdf23
SHA256: 2fb8a8576edcdb38f8f7334ca354cd35fe6f04e84d9b60e4f000592e9f45db22
Tags: base64-decoded, exe, user-abuse_ch
Infos:
Errors:
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

PureLog Stealer, zgRAT
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Machine Learning detection for sample
Binary contains a suspicious time stamp
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has infostealer functionality which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Rule: JoeSecurity_zgRAT_1; Description: Yara detected zgRAT; Author: Joe Security
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Rule: MALWARE_Win_zgRAT; Description: Detects zgRAT; Author: ditekSHen; Strings:
  • 0x9cd58:$s1: file:///
  • 0x9cc90:$s2: {11111-22222-10009-11112}
  • 0x9cce8:$s3: {11111-22222-50001-00000}
  • 0x965df:$s4: get_Module
  • 0x8feef:$s5: Reverse
  • 0x90ef8:$s6: BlockCopy
  • 0x8fdba:$s7: ReadByte
  • 0x9cd6a:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; ReversingLabs: Detection: 15%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 89.0% probability
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Joe Sandbox ML: detected
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

System Summary

Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE; Matched rule: Detects zgRAT Author: ditekSHen
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Static PE information: No import functions for PE file found
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Binary or memory string: OriginalFilenameCoati.exe" vs 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE; Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: classification engine; Classification label: mal80.troj.winEXE@0/0@0/0
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; ReversingLabs: Detection: 15%
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Static PE information: 0xEC34EBF6 [Sat Jul 30 19:07:34 2095 UTC]

Stealing of Sensitive Information

Source: Yara match; File source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match; File source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe, type: SAMPLE

ATT&CK Matrix (tactic: technique, number of matched signatures in parentheses)

Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Timestomp (1)
Credential Access: OS Credential Dumping
Discovery: System Service Discovery
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: Data Obfuscation
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Detection: 16%; Scanner: ReversingLabs
Source: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe; Detection: 100%; Scanner: Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1525930
Start date and time: 2024-10-04 16:41:39 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe
Detection: MAL
Classification: mal80.troj.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • Exclude process from analysis (whitelisted): dllhost.exe
  • VT rate limit hit for: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.898591541988443
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
  • Win32 Executable (generic) a (10002005/4) 49.78%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
  • Generic Win/DOS Executable (2004/3) 0.01%
  • DOS Executable Generic (2002/1) 0.01%
File name: 172805100964776af2fd06dff33cf2df8ed64ab6c1e55037f553e0105884493bddb2c9d7b3812.dat-decoded.exe
File size: 883'574 bytes
MD5: 8e5865da52505ef1ec09dc1f58b36a75
SHA1: 824b545d9f381df805ae5b32158e7a12a2bfdf23
SHA256: 2fb8a8576edcdb38f8f7334ca354cd35fe6f04e84d9b60e4f000592e9f45db22
SHA512: 7e97b8bfa9a3e45d1291e8d8d5d4ccaf810a050e6708b141df151cb26a20872d7c92b3740ec213e3ebe01e8996bc9801c8ffc45b502ab49c18609dfbf952a5d8
SSDEEP: 6144:mW9N1MsvIYnVcqYT77Zg3VilL2T4J+TaDqFk5MtxPI3r0oO3xwspxD1C8V/7xKqV:mGN1MsXmks01txOr0ospDN3W8LjyA7+
TLSH: E015080676658E63E29F1772C0A7981017BCDD86E363E70F748D33761813366B85AE8B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4...............0..h............... ........@.. .......................@............@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4a87ee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xEC34EBF6 [Sat Jul 30 19:07:34 2095 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:
Instruction (entrypoint disassembly):
lodsb
or dword ptr [esi-14FBF1A1h], 66FC817Ah
jbe 00007FDE2CBEFC6Ah
inc edi
loope 00007FDE2CBEFCC7h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa87a0          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xaa000          0x27fb0       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections (Name; Virtual Address; Virtual Size; Raw Size; MD5; Xored PE; ZLIB Complexity; File Type; Entropy; Characteristics):
.text; 0x2000; 0xa67f4; 0xa6800; 6b7f1582bb1685f15f83eb752758c3be; False; 0.42431933887012013; data; 5.801725346778648; IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc; 0xaa000; 0x27fb0; 0x28000; 60f1d0ce700a8682da631c21faa57efa; False; 0.315472412109375; data; 5.760333387235807; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc; 0xd2000; 0xc; 0x200; c16526bddf2c89a48029b0ec1ea07397; False; 0.443359375; data; 4.26260160468723; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
No network behavior found
No statistics
No system behavior
No disassembly