zgrat | c93d0c374e09947472526fbe936ae4c0cba10b2f1258fe58bcc8208340399171

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adguardInstaller.exe
Size

142KB
MD5

d8cd51480ecf511782081069a7104294
SHA1

f3f8be244db69cbfdb064c59a5c43cf6df853edb
SHA256

c93d0c374e09947472526fbe936ae4c0cba10b2f1258fe58bcc8208340399171
SHA512

d06a5bd9e100b2cabae83306e12b882ff2389540aae3693a1fb3e1dd9292eeca5f394c3891df660d31be77af4eabd4a771c2f30891a4cf47b3f64a952161ebc1
SSDEEP

3072:T4qZHnMyBV3vuhLFvGyfmKvK9MkBr/8wpn:T4qZHdV3vKvK9MkhPpn

Score

10^/10

zgrat discovery rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231ed-115.dat	family_zgrat_v1
behavioral2/files/0x00060000000231ed-116.dat	family_zgrat_v1
behavioral2/memory/1796-118-0x0000000006660000-0x0000000006864000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
1608	setup.exe
1796	setup.exe

Loads dropped DLL 15 IoCs

pid	Process
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe
1796	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 1608	2648	adguardInstaller.exe	85
PID 2648 wrote to memory of 1608	2648	adguardInstaller.exe	85
PID 2648 wrote to memory of 1608	2648	adguardInstaller.exe	85
PID 1608 wrote to memory of 1796	1608	setup.exe	90
PID 1608 wrote to memory of 1796	1608	setup.exe	90
PID 1608 wrote to memory of 1796	1608	setup.exe	90

C:\Users\Admin\AppData\Local\Temp\adguardInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\adguardInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe
  C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe AID=18675_page_es_welcome
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\Temp\{DA4F45CC-EBDD-453F-8F10-8539F9B8877E}\.cr\setup.exe
    "C:\Windows\Temp\{DA4F45CC-EBDD-453F-8F10-8539F9B8877E}\.cr\setup.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe" -burn.filehandle.attached=728 -burn.filehandle.self=724 AID=18675_page_es_welcome
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe

Filesize
34.9MB

MD5
f6c033d77be4ad6fa0610727e1056dd1

SHA1
5bbe6d4f8a15eb34e2c8ded75ea7d379e9333ed2

SHA256
51ea9b79789de4d6f53e2c53c196e5003a11d8942f90ea6816ce994e8e54a6fa

SHA512
45cd8f3b38e5065a0ddc9677d8fa2ef45bafd55ebf2a6e08d61bfcb5bf7cad0fb281f486500d84f1d254aa33a640b23de9e86ee72828699004a599ee2524d251

Download Submit
C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe

Filesize
34.9MB

MD5
f6c033d77be4ad6fa0610727e1056dd1

SHA1
5bbe6d4f8a15eb34e2c8ded75ea7d379e9333ed2

SHA256
51ea9b79789de4d6f53e2c53c196e5003a11d8942f90ea6816ce994e8e54a6fa

SHA512
45cd8f3b38e5065a0ddc9677d8fa2ef45bafd55ebf2a6e08d61bfcb5bf7cad0fb281f486500d84f1d254aa33a640b23de9e86ee72828699004a599ee2524d251

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\AdGuard.Utils.Installer.dll

Filesize
53KB

MD5
c9d2bc23bab3488d90a7d5401b1fb443

SHA1
4b7b28a47bc943770c867f910ffc96f9d2c8f88f

SHA256
b8164bb0506424055da50b25ad884ff0ad9c5cc5ce639892c113cbb43a2f97b7

SHA512
dd3f052321e4fba28d0ddd4fa611292b818ac90d90b53ae9310ec9d04a49d80f33e14bc46899d6d284c3c7a4ca5c46cf44cd95799f1b5e20e17aba1f15aa4653

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\AdGuard.Utils.Installer.dll

Filesize
53KB

MD5
c9d2bc23bab3488d90a7d5401b1fb443

SHA1
4b7b28a47bc943770c867f910ffc96f9d2c8f88f

SHA256
b8164bb0506424055da50b25ad884ff0ad9c5cc5ce639892c113cbb43a2f97b7

SHA512
dd3f052321e4fba28d0ddd4fa611292b818ac90d90b53ae9310ec9d04a49d80f33e14bc46899d6d284c3c7a4ca5c46cf44cd95799f1b5e20e17aba1f15aa4653

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\AdGuard.Utils.UI.dll

Filesize
566KB

MD5
4c65d91bf72cf4cc0b72df60b3870434

SHA1
9f757d57ddfcd695915a32e235a0d72d01431196

SHA256
c94fe6b07c638cce3e17ac191987af6b9c3af81bcf772a39912be34241b34f4f

SHA512
fa48bbc4648776c8c49a74b259940b7b54ce6eed0f0e7ea9a2d0c7d427230f58d89c9949934bc76177bb8e70194060656c0f590119f54ead3137214401ce882b

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\AdGuard.Utils.UI.dll

Filesize
566KB

MD5
4c65d91bf72cf4cc0b72df60b3870434

SHA1
9f757d57ddfcd695915a32e235a0d72d01431196

SHA256
c94fe6b07c638cce3e17ac191987af6b9c3af81bcf772a39912be34241b34f4f

SHA512
fa48bbc4648776c8c49a74b259940b7b54ce6eed0f0e7ea9a2d0c7d427230f58d89c9949934bc76177bb8e70194060656c0f590119f54ead3137214401ce882b

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\AdGuard.Utils.dll

Filesize
2.0MB

MD5
5940d6d2c8ca412ace239c975735e182

SHA1
38a7c5cbd7723a1d9f06872ece668286a5784d21

SHA256
5e374bf9f71dbc331164ef1e114a163fff3821db2d49f9b4536906999084a9af

SHA512
6723c867ca925557382ad31d0d514b11dd23f0d654b2b9015126c2168148287e4c183f7965539331c2333b8ed3fdf9db849c5d27c773aeb8517e71b318f45dbd

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\AdGuard.Utils.dll

Filesize
2.0MB

MD5
5940d6d2c8ca412ace239c975735e182

SHA1
38a7c5cbd7723a1d9f06872ece668286a5784d21

SHA256
5e374bf9f71dbc331164ef1e114a163fff3821db2d49f9b4536906999084a9af

SHA512
6723c867ca925557382ad31d0d514b11dd23f0d654b2b9015126c2168148287e4c183f7965539331c2333b8ed3fdf9db849c5d27c773aeb8517e71b318f45dbd

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\Adguard.Burn.dll

Filesize
277KB

MD5
72f5737e86b1e83ca13ef6f74ad6767e

SHA1
71aa708c8058901fc149b405eb776aa6079b3922

SHA256
88583fe5b3b093134d6047c134a09d9b14d03668da279a1026c188c5a150918c

SHA512
0f0ef277a417124ebf2a2ec8030160d25a36290435a59fbb238611ae8ac339ddedb0c96e0d8a367cecc97aed3ea34817df4af220a79a517e5a583bef5b515089

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\Adguard.Burn.dll

Filesize
277KB

MD5
72f5737e86b1e83ca13ef6f74ad6767e

SHA1
71aa708c8058901fc149b405eb776aa6079b3922

SHA256
88583fe5b3b093134d6047c134a09d9b14d03668da279a1026c188c5a150918c

SHA512
0f0ef277a417124ebf2a2ec8030160d25a36290435a59fbb238611ae8ac339ddedb0c96e0d8a367cecc97aed3ea34817df4af220a79a517e5a583bef5b515089

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\BootstrapperCore.config

Filesize
1KB

MD5
898c2a320bea0580f37beeccda8f2378

SHA1
eccab214a148e6a7a9535bf1c83b714c756dabf2

SHA256
4440270efc95c694150a665b62ca89b8b93b1271dfb2757e8dd1a68ef2705498

SHA512
e4608aab984c6e97b00e80d2635a283392f1eb24bdb65f5fce92851eb63ad474e5050ac46e5cafe2dbd438dd026269253bd4ec427f08b2a09788d6b1d49bcc84

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\BootstrapperCore.dll

Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\BootstrapperCore.dll

Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\SharpRaven.dll

Filesize
96KB

MD5
1bd677bea16cf6490c6cf35c0d1c0174

SHA1
dd7b027aa51433c824e99cac7b7a8c5c27a28a3f

SHA256
d738249c61afd4dba39302a79422d3a34ec9b3807c9f5f973d1a385a0ff44955

SHA512
ee4b0dc1c9d862eb597227c8860739ac87269656e952d4609c7befce4ea08345e3e5693b1d95f1c6c70ec79f681d31321798ef0eac52954fbeaf44764a265a82

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\SharpRaven.dll

Filesize
96KB

MD5
1bd677bea16cf6490c6cf35c0d1c0174

SHA1
dd7b027aa51433c824e99cac7b7a8c5c27a28a3f

SHA256
d738249c61afd4dba39302a79422d3a34ec9b3807c9f5f973d1a385a0ff44955

SHA512
ee4b0dc1c9d862eb597227c8860739ac87269656e952d4609c7befce4ea08345e3e5693b1d95f1c6c70ec79f681d31321798ef0eac52954fbeaf44764a265a82

Download Submit
C:\Windows\Temp\{972E9ECB-92E0-4684-89A9-83BAFBFD8BBA}\.ba\mbahost.dll

Filesize
119KB

MD5
c59832217903ce88793a6c40888e3cae

SHA1
6d9facabf41dcf53281897764d467696780623b8

SHA256
9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db

SHA512
1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

Download Submit
C:\Windows\Temp\{DA4F45CC-EBDD-453F-8F10-8539F9B8877E}\.cr\setup.exe

Filesize
2.8MB

MD5
9139cb178f9fc4930597bf4464678a01

SHA1
307adf537e166118495bfc75e560e03fda3864ef

SHA256
947644da599a10679d0e39532e9361a2b2a24e51adec87ca222cbd79b530d55a

SHA512
f301d1bde17522af7da3305f236d94ff1a053d64e9ac807f2049f8ca6a83ee27869a097b2fe33710c9782a5ff983645ab54c380b1a6a46c4a0827e339d2a1893

Download Submit
C:\Windows\Temp\{DA4F45CC-EBDD-453F-8F10-8539F9B8877E}\.cr\setup.exe

Filesize
2.8MB

MD5
9139cb178f9fc4930597bf4464678a01

SHA1
307adf537e166118495bfc75e560e03fda3864ef

SHA256
947644da599a10679d0e39532e9361a2b2a24e51adec87ca222cbd79b530d55a

SHA512
f301d1bde17522af7da3305f236d94ff1a053d64e9ac807f2049f8ca6a83ee27869a097b2fe33710c9782a5ff983645ab54c380b1a6a46c4a0827e339d2a1893

Download Submit
memory/1796-147-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1796-136-0x0000000007110000-0x0000000007464000-memory.dmp

Filesize
3.3MB

Download
memory/1796-118-0x0000000006660000-0x0000000006864000-memory.dmp

Filesize
2.0MB

Download
memory/1796-120-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1796-154-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1796-97-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1796-125-0x0000000006600000-0x000000000661E000-memory.dmp

Filesize
120KB

Download
memory/1796-130-0x0000000007060000-0x0000000007108000-memory.dmp

Filesize
672KB

Download
memory/1796-102-0x0000000002B80000-0x0000000002B98000-memory.dmp

Filesize
96KB

Download
memory/1796-114-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

Filesize
64KB

Download
memory/1796-133-0x0000000073B50000-0x0000000074300000-memory.dmp

Filesize
7.7MB

Download
memory/1796-134-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1796-135-0x0000000006FE0000-0x0000000007002000-memory.dmp

Filesize
136KB

Download
memory/1796-96-0x0000000073B50000-0x0000000074300000-memory.dmp

Filesize
7.7MB

Download
memory/1796-137-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1796-104-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1796-142-0x0000000007940000-0x00000000079D2000-memory.dmp

Filesize
584KB

Download
memory/1796-143-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1796-153-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1796-146-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1796-110-0x0000000006300000-0x000000000634C000-memory.dmp

Filesize
304KB

Download
memory/1796-148-0x0000000007730000-0x0000000007738000-memory.dmp

Filesize
32KB

Download
memory/1796-149-0x000000000BF80000-0x000000000BFC0000-memory.dmp

Filesize
256KB

Download
memory/1796-150-0x0000000003D80000-0x0000000003D90000-memory.dmp

Filesize
64KB

Download
memory/1796-151-0x000000000B8C0000-0x000000000B8F8000-memory.dmp

Filesize
224KB

Download
memory/1796-152-0x0000000007BF0000-0x0000000007BFE000-memory.dmp

Filesize
56KB

Download
memory/2648-14-0x0000000000E60000-0x0000000000E87000-memory.dmp

Filesize
156KB

Download
memory/2648-8-0x0000000000E60000-0x0000000000E87000-memory.dmp

Filesize
156KB

Download