zgrat | aa78d28127b7e9b4bb1fe32a5610a51dc2ee8248d5b55b7cced7e9650559ccc1

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adguardVPNInstaller.exe
Size

113KB
MD5

49a7b6cbb30da964374cdd8530a14d24
SHA1

9f24c79cc0fcc7fe6cce5a0283ba94821b4bff57
SHA256

aa78d28127b7e9b4bb1fe32a5610a51dc2ee8248d5b55b7cced7e9650559ccc1
SHA512

28aa023255265a2e8cfeb059de07e1923eae87d2aa2914af8141ec3cd7caf3cf867a8fd880ef7073fc1d8c8c14356beb88666d56f8c1a41fecbc2c89af2db185
SSDEEP

1536:o4GZnjfFGS6VW3RtfNxwxfHKMFHPGwFCVZUpbdXH+j0NJszM8wpXxR:o4GZnrASj3/HQLFvGwFCZ+XH+IX8wp3

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023210-124.dat	family_zgrat_v1
behavioral2/files/0x0006000000023210-125.dat	family_zgrat_v1
behavioral2/memory/548-127-0x0000000006D10000-0x0000000006F0C000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0006000000023210-146.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
5088	setup.exe
548	setup.exe

Loads dropped DLL 13 IoCs

pid	Process
548	setup.exe
548	setup.exe
548	setup.exe
548	setup.exe
548	setup.exe
548	setup.exe
548	setup.exe
548	setup.exe
548	setup.exe
548	setup.exe
548	setup.exe
548	setup.exe
548	setup.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1572	548	WerFault.exe	86

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 5088	5072	adguardVPNInstaller.exe	85
PID 5072 wrote to memory of 5088	5072	adguardVPNInstaller.exe	85
PID 5072 wrote to memory of 5088	5072	adguardVPNInstaller.exe	85
PID 5088 wrote to memory of 548	5088	setup.exe	86
PID 5088 wrote to memory of 548	5088	setup.exe	86
PID 5088 wrote to memory of 548	5088	setup.exe	86

C:\Users\Admin\AppData\Local\Temp\adguardVPNInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\adguardVPNInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe
  C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe AID=32362
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\Temp\{9F98D77A-54F5-45D2-AE6D-83D308B83C47}\.cr\setup.exe
    "C:\Windows\Temp\{9F98D77A-54F5-45D2-AE6D-83D308B83C47}\.cr\setup.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe" -burn.filehandle.attached=724 -burn.filehandle.self=720 AID=32362
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1700
      4⤵
      Program crash
      PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 548 -ip 548
1⤵
PID:2352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe

Filesize
23.6MB

MD5
1cbfaba0adc5b9b50f623035df1e4ebc

SHA1
fecc51c27c003ca35f5c061ae238e58e37752c49

SHA256
f54bf6c36ecaa142b62fdcceadcaf198d241a0470fcfe392de228e2ae93b3000

SHA512
a41631783e500a92dfb9f4bdaf46eae9a1c61ccfb5ce5adb3c71cfbbf37c15927a4361e17702e6d6ca64babffef93d62615b48fae0adde4d14ebda42225d6704

Download Submit
C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe

Filesize
23.6MB

MD5
1cbfaba0adc5b9b50f623035df1e4ebc

SHA1
fecc51c27c003ca35f5c061ae238e58e37752c49

SHA256
f54bf6c36ecaa142b62fdcceadcaf198d241a0470fcfe392de228e2ae93b3000

SHA512
a41631783e500a92dfb9f4bdaf46eae9a1c61ccfb5ce5adb3c71cfbbf37c15927a4361e17702e6d6ca64babffef93d62615b48fae0adde4d14ebda42225d6704

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\AdGuard.CrashReporter.dll

Filesize
580KB

MD5
2b33d4fcbd1434d119ff27d3025820ce

SHA1
55c283f673fc407b4faa20554aa1d34e5586fe8d

SHA256
c3443206a047fd95f8cf2c462540ff809301f4847a3ed25b912b9b15af730151

SHA512
16ac51d13449d7ba804bcf764346bc70f073388f1c1ade4c73b035e58ac3a999f923041770b1e3fcbb8008fed122ce6395950ed9944b5faf3cf62b5694f003f3

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\AdGuard.CrashReporter.dll

Filesize
580KB

MD5
2b33d4fcbd1434d119ff27d3025820ce

SHA1
55c283f673fc407b4faa20554aa1d34e5586fe8d

SHA256
c3443206a047fd95f8cf2c462540ff809301f4847a3ed25b912b9b15af730151

SHA512
16ac51d13449d7ba804bcf764346bc70f073388f1c1ade4c73b035e58ac3a999f923041770b1e3fcbb8008fed122ce6395950ed9944b5faf3cf62b5694f003f3

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\AdGuard.Utils.Installer.dll

Filesize
53KB

MD5
c9d2bc23bab3488d90a7d5401b1fb443

SHA1
4b7b28a47bc943770c867f910ffc96f9d2c8f88f

SHA256
b8164bb0506424055da50b25ad884ff0ad9c5cc5ce639892c113cbb43a2f97b7

SHA512
dd3f052321e4fba28d0ddd4fa611292b818ac90d90b53ae9310ec9d04a49d80f33e14bc46899d6d284c3c7a4ca5c46cf44cd95799f1b5e20e17aba1f15aa4653

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\AdGuard.Utils.Installer.dll

Filesize
53KB

MD5
c9d2bc23bab3488d90a7d5401b1fb443

SHA1
4b7b28a47bc943770c867f910ffc96f9d2c8f88f

SHA256
b8164bb0506424055da50b25ad884ff0ad9c5cc5ce639892c113cbb43a2f97b7

SHA512
dd3f052321e4fba28d0ddd4fa611292b818ac90d90b53ae9310ec9d04a49d80f33e14bc46899d6d284c3c7a4ca5c46cf44cd95799f1b5e20e17aba1f15aa4653

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\AdGuard.Utils.UI.dll

Filesize
556KB

MD5
6d9bb385d8eb358c45197b61f7128c49

SHA1
64f1674f1a342cc7732545c5aa8fee6aa53ae0aa

SHA256
4fa12b84af73970ecc70e221c47da9dea2858b266cf255e2f70ac2b23cc2cb49

SHA512
802ca353366acdeb025275089423d655c3919f06a9215c8244f511a39ebd4ab25bbdec7656364fb856a69dd354f613284590482f585007cbd4ce4e2e01cd4c89

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\AdGuard.Utils.UI.dll

Filesize
556KB

MD5
6d9bb385d8eb358c45197b61f7128c49

SHA1
64f1674f1a342cc7732545c5aa8fee6aa53ae0aa

SHA256
4fa12b84af73970ecc70e221c47da9dea2858b266cf255e2f70ac2b23cc2cb49

SHA512
802ca353366acdeb025275089423d655c3919f06a9215c8244f511a39ebd4ab25bbdec7656364fb856a69dd354f613284590482f585007cbd4ce4e2e01cd4c89

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\AdGuard.Utils.dll

Filesize
2.0MB

MD5
3172d64c6f5d4eed8b24cbf8af50afa8

SHA1
85316e8f265ca32ac8bd7f3e30e00a99c6886abe

SHA256
00a9eeb37dcad21ac9f1137afb7161cb55e03bf55833ca83859cc3fb24a20a1f

SHA512
bf70da14606227bb3cc721f35fa5f37cda4e6f9c3a32472f9bb7e82ca71a66c7bafd26605d323abc68bc9c84559ad322bb9ec1a1c67e8286c7600b548a95178c

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\AdGuard.Utils.dll

Filesize
2.0MB

MD5
3172d64c6f5d4eed8b24cbf8af50afa8

SHA1
85316e8f265ca32ac8bd7f3e30e00a99c6886abe

SHA256
00a9eeb37dcad21ac9f1137afb7161cb55e03bf55833ca83859cc3fb24a20a1f

SHA512
bf70da14606227bb3cc721f35fa5f37cda4e6f9c3a32472f9bb7e82ca71a66c7bafd26605d323abc68bc9c84559ad322bb9ec1a1c67e8286c7600b548a95178c

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\AdGuard.Utils.dll

Filesize
2.0MB

MD5
3172d64c6f5d4eed8b24cbf8af50afa8

SHA1
85316e8f265ca32ac8bd7f3e30e00a99c6886abe

SHA256
00a9eeb37dcad21ac9f1137afb7161cb55e03bf55833ca83859cc3fb24a20a1f

SHA512
bf70da14606227bb3cc721f35fa5f37cda4e6f9c3a32472f9bb7e82ca71a66c7bafd26605d323abc68bc9c84559ad322bb9ec1a1c67e8286c7600b548a95178c

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\AdGuardVpn.Burn.dll

Filesize
255KB

MD5
dab0cf0d882fe9769665d94f9bf26643

SHA1
982877e18aee4605b5f8a190553c75d61dc49694

SHA256
5b9a0cf4befc9192695e00525e0d400795323793549aee69db29ce694845b587

SHA512
e9bdc93b66519e5e4fa198cb009e15413958b6ceb85b1ccf710de542af6a387c474700defb2d5ebe213eaf4fa4b4169ed3f3deb54cab192d0636f5d76d1f37ad

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\AdGuardVpn.Burn.dll

Filesize
255KB

MD5
dab0cf0d882fe9769665d94f9bf26643

SHA1
982877e18aee4605b5f8a190553c75d61dc49694

SHA256
5b9a0cf4befc9192695e00525e0d400795323793549aee69db29ce694845b587

SHA512
e9bdc93b66519e5e4fa198cb009e15413958b6ceb85b1ccf710de542af6a387c474700defb2d5ebe213eaf4fa4b4169ed3f3deb54cab192d0636f5d76d1f37ad

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\BootstrapperCore.config

Filesize
1KB

MD5
427918825375ce8aa01f208629c901fa

SHA1
bb983d3b30454deb48695e495b8483195d72c927

SHA256
eee85d8d43e427f87e043f9516bc2511c891980a134eba7e2d6097438ef860e4

SHA512
1368fb726b21d96278773e37ff36b20952578c814f7e4d3ef76cc81a5b2d608f04e65c1e6328f19aa59f40dd2701d6f5afa167cde14143d385cd075a8359b4cf

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\BootstrapperCore.dll

Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\BootstrapperCore.dll

Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
C:\Windows\Temp\{89634A28-EFB8-4F94-A4EB-6C9D4389C42D}\.ba\mbahost.dll

Filesize
119KB

MD5
c59832217903ce88793a6c40888e3cae

SHA1
6d9facabf41dcf53281897764d467696780623b8

SHA256
9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db

SHA512
1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

Download Submit
C:\Windows\Temp\{9F98D77A-54F5-45D2-AE6D-83D308B83C47}\.cr\setup.exe

Filesize
2.7MB

MD5
a9c66a0ee105d5dc5eb8a26bd66a843b

SHA1
a96a26594c872a8229813494b41284b101b341db

SHA256
1e814731b1bfc40f90b018edb9536dd5fa5da66cec207af2ef721944510dd880

SHA512
e37059eae2d91b7da2522065d612812eb7caf0a45f2f120702808f9762fe712e7616a7621a55ca1e8faed01fafb9c39351728b0081a20e2eaa9979c5dc4b60a2

Download Submit
C:\Windows\Temp\{9F98D77A-54F5-45D2-AE6D-83D308B83C47}\.cr\setup.exe

Filesize
2.7MB

MD5
a9c66a0ee105d5dc5eb8a26bd66a843b

SHA1
a96a26594c872a8229813494b41284b101b341db

SHA256
1e814731b1bfc40f90b018edb9536dd5fa5da66cec207af2ef721944510dd880

SHA512
e37059eae2d91b7da2522065d612812eb7caf0a45f2f120702808f9762fe712e7616a7621a55ca1e8faed01fafb9c39351728b0081a20e2eaa9979c5dc4b60a2

Download Submit
memory/548-128-0x00000000738B0000-0x0000000074060000-memory.dmp

Filesize
7.7MB

Download
memory/548-138-0x00000000044D0000-0x00000000044E0000-memory.dmp

Filesize
64KB

Download
memory/548-123-0x00000000069C0000-0x0000000006A06000-memory.dmp

Filesize
280KB

Download
memory/548-133-0x0000000006F10000-0x0000000006FA4000-memory.dmp

Filesize
592KB

Download
memory/548-113-0x0000000004440000-0x0000000004458000-memory.dmp

Filesize
96KB

Download
memory/548-137-0x0000000006FB0000-0x000000000703E000-memory.dmp

Filesize
568KB

Download
memory/548-127-0x0000000006D10000-0x0000000006F0C000-memory.dmp

Filesize
2.0MB

Download
memory/548-114-0x00000000738B0000-0x0000000074060000-memory.dmp

Filesize
7.7MB

Download
memory/548-115-0x00000000044D0000-0x00000000044E0000-memory.dmp

Filesize
64KB

Download
memory/548-116-0x00000000044D0000-0x00000000044E0000-memory.dmp

Filesize
64KB

Download
memory/548-144-0x0000000006C50000-0x0000000006C60000-memory.dmp

Filesize
64KB

Download
memory/548-151-0x00000000738B0000-0x0000000074060000-memory.dmp

Filesize
7.7MB

Download
memory/548-150-0x00000000044D0000-0x00000000044E0000-memory.dmp

Filesize
64KB

Download
memory/5072-8-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download