Windows Analysis Report
172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Overview

General Information

Sample name:	172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe
Analysis ID:	1525935
MD5:	5c5309a374fb55f69dc553784a6cd263
SHA1:	6cb9f0c44c7cb36887fa2cfc38d63e0773b98912
SHA256:	a74d597f7740d12d4ec6fa74d14f0bba628eced82be37e2025605d7df374d51f
Tags:	base64-decodedexeuser-abuse_ch
Infos:
Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

PureLog Stealer, zgRAT

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Machine Learning detection for sample

Binary contains a suspicious time stamp

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 80.0% probability

Machine Learning detection for sample

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

System Summary

Malicious sample detected (through community Yara rule)

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe, type: SAMPLE

Matched rule: Detects zgRAT Author: ditekSHen

PE file does not import any functions

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Binary or memory string: OriginalFilenamePrinces.exe" vs 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Uses 32bit PE files

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe, type: SAMPLE

Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: classification engine

Classification label: mal80.troj.winEXE@0/0@0/0

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

ReversingLabs: Detection: 13%

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains a suspicious time stamp

Source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Static PE information: 0xB3E06D3A [Tue Aug 18 14:01:30 2065 UTC]

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match

File source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe, type: SAMPLE

Yara detected zgRAT

Source: Yara match

File source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match

File source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe, type: SAMPLE

Yara detected zgRAT

Source: Yara match

File source: 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe, type: SAMPLE

Screenshots

No Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true

ID:	1525935
Product:	CloudBasic
Start time:	16:42:56
Start date:	04.10.2024
Sample:	172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	5c5309a374fb55f69dc553784a6cd263
SHA1:	6cb9f0c44c7cb36887fa2cfc38d63e0773b98912
SHA256:	a74d597f7740d12d4ec6fa74d14f0bba628eced82be37e2025605d7df374d51f
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report
172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report 172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report
172805100984c69ee107a8257c501a997cb4e1569ef6231158654d2046e773df31f3ca0cb6593.dat-decoded.exe

Malware Threat Intel
Provided by