zgrat | af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 22:23

Target

af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5.exe
Size

2.1MB
MD5

b27ee49508b9abb43081c81d0a62ca7a
SHA1

2d841cb1a6c9d66bdfb347677d1d9029185e1bfd
SHA256

af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5
SHA512

3c29f1f7bba02e31a5f375e22d8b9c2c57c52dd90f3bf3054462b09fe2e08d88d89c21e6b737c5e44b48d54ba56763773de961fbb2e139082d5b443b849e05f3
SSDEEP

24576:/L4Z2GZS1jIsY2RJfNgxOKYbPKwvKTC2xYdz39CcuLagVXU:/KjS1jIwRfmJwvcC2f9agVk

Score

10^/10

zgrat rat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2192-0-0x0000000000D00000-0x0000000000F20000-memory.dmp	family_zgrat_v1

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2192-0-0x0000000000D00000-0x0000000000F20000-memory.dmp	net_reactor

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2192	af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	af62cd4a6f402e193c2a6ec6f4320ea04eab5eb847a24834032b825ab038afa5.exe

memory/2192-0-0x0000000000D00000-0x0000000000F20000-memory.dmp

Filesize
2.1MB

Download
memory/2192-1-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2192-2-0x0000000002AB0000-0x0000000002B30000-memory.dmp

Filesize
512KB

Download
memory/2192-3-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2192-4-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download