zgrat | 2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

NEAS.26727...JC.xls

windows7-x64

NEAS.26727...JC.xls

windows10-2004-x64

1

Sharing

General

Target

NEAS.2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16xlsx_JC.xls
Size

220KB
Sample

231023-t3qbracc55
MD5

15c921cb2dac8d0ee2ca4fbe7f7c0989
SHA1

18bbe85e71bc15b10da55f70796ac86bd75936d9
SHA256

2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16
SHA512

6000006878ddf4446602606e85f2aa958b3952c1e109f85651b1254018faac844841418fb3f0bd951693aa5e6867e89997fe070785aed857566d4b93e60365ce
SSDEEP

6144:9Y35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVqfMIkoR0/WU/6FG07W:E3bVqfMIkoR0wG07W

Score

10^/10

zgrat rat

Static task

static1

Behavioral task

behavioral1

Sample

NEAS.2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16xlsx_JC.xls

Resource

win7-20231020-en

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

NEAS.2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16xlsx_JC.xls

Resource

win10v2004-20231020-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg

exe.dropper

https://imageupload.io/ib/ws8MAJ6eptiLfGu_1697738492.jpg

Targets

- Target
  
  NEAS.2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16xlsx_JC.xls
- Size
  
  220KB
- MD5
  
  15c921cb2dac8d0ee2ca4fbe7f7c0989
- SHA1
  
  18bbe85e71bc15b10da55f70796ac86bd75936d9
- SHA256
  
  2672783b07d4a03225cd11b484092db5792617647ba2f3ac4b447e22a9d0ed16
- SHA512
  
  6000006878ddf4446602606e85f2aa958b3952c1e109f85651b1254018faac844841418fb3f0bd951693aa5e6867e89997fe070785aed857566d4b93e60365ce
- SSDEEP
  
  6144:9Y35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVqfMIkoR0/WU/6FG07W:E3bVqfMIkoR0wG07W
Score

10^/10

zgrat rat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Abuses OpenXML format to download file from external location
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2025

Terms | Privacy