Windows Analysis Report
1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe

Overview

General Information

Sample name: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe
Analysis ID: 1526395
MD5: e68bdd79dc5c7552bbd46d20d173e76c
SHA1: 1308243c9904b448f739439480c9e03034d42d7b
SHA256: 9f8eaa30544621fb719139ab4d51951ce5d842bf6e4c4f18bd3df9a1776c35a5
Tags: base64-decoded, exe, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

PureLog Stealer, zgRAT
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected zgRAT
PE file contains section with special chars
Binary contains a suspicious time stamp
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT also has an infostealer capability that targets browser information and crypto wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and the like.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Avira: detected
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe ReversingLabs: Detection: 15%
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Virustotal: Detection: 20%
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

System Summary

Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe, type: SAMPLE Matched rule: Detects zgRAT Author: ditekSHen
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: section name: @.relo
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: section name: `.rsrc
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: No import functions for PE file found
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Binary or memory string: OriginalFilenameHereaway.exe" vs 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe, type: SAMPLE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE size: 0x4c000680 address: 0x0
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC size: 0xc000940 address: 0x0
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT size: 0x8000020 address: 0x0
Source: classification engine Classification label: mal84.troj.winEXE@0/0@0/0
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe ReversingLabs: Detection: 15%
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Virustotal: Detection: 20%
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: 0xC0815A83 [Thu May 5 19:39:47 2072 UTC]
Source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe Static PE information: real checksum: 0x2 should be: 0x9bc3b

Stealing of Sensitive Information

Source: Yara match File source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 1728051008f48e3fb51c0c2d66f1f52c855098dd735b8d00916f5849ed0a74beb0756c0876857.dat-decoded.exe, type: SAMPLE
No contacted IP infos