zgrat | f4fe433cb53851f9eb590485841d783b08b6b7fe40f61b051d5a117261528821

Analysis

max time kernel
153s
max time network
165s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
17/11/2023, 03:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe
Size

614KB
MD5

6338b893b8ca8399d2abfc02b8b0a610
SHA1

470c4b90d16da1090bfca1dbc01d986c849ed4b5
SHA256

f4fe433cb53851f9eb590485841d783b08b6b7fe40f61b051d5a117261528821
SHA512

306ab970a235f45be994f0e80ba2c7192553008cf3f884384126ec247d78837606bfda3a96553a8f0a764a3515c82c85eea37525d0f9306428271336ed6167c4
SSDEEP

12288:zJVt1918SuzpvriS0bhWTL6TpwU4AuwTT9LRPpE0mWvLEFjF5vbeKyE2:zJVvwzpM0TwrFpE0TvoFjF5iKyE

Score

10^/10

zgrat evasion persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 10 IoCs

resource	yara_rule
behavioral1/memory/2188-0-0x00000000000C0000-0x0000000000160000-memory.dmp	family_zgrat_v1
behavioral1/memory/2188-4-0x00000000056A0000-0x0000000005776000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000b00000001225a-14.dat	family_zgrat_v1
behavioral1/files/0x000b00000001225a-19.dat	family_zgrat_v1
behavioral1/files/0x000b00000001225a-18.dat	family_zgrat_v1
behavioral1/files/0x000b00000001225a-15.dat	family_zgrat_v1
behavioral1/files/0x000b00000001225a-20.dat	family_zgrat_v1
behavioral1/memory/2756-23-0x0000000000230000-0x00000000002B6000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000700000001625a-33.dat	family_zgrat_v1
behavioral1/memory/2188-48-0x0000000004C80000-0x0000000004CC0000-memory.dmp	family_zgrat_v1

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0037000000015dc0-26.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2688	devenv.exe
2756	admtools.exe

Loads dropped DLL 4 IoCs

pid	Process
2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe
2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe
2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe
2688	devenv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio WiMAX Service 4.4 = "\"C:\\Users\\Public\\Documents\\devenv.exe\""	devenv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Audio WiMAX Service 4.4 = "\"C:\\Users\\Public\\Documents\\devenv.exe\""	devenv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\C:\Users\Public\Documents\admtools.exe = "C:\\Users\\Public\\Documents\\admtools.exe"	admtools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Public\Documents\admtools.exe = "C:\\Users\\Public\\Documents\\admtools.exe"	admtools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\BPDFUYWR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe\" --update"	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2804	2188	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe
2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe
2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe
2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe
2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe
Token: SeDebugPrivilege	2688	devenv.exe
Token: 33	2688	devenv.exe
Token: SeIncBasePriorityPrivilege	2688	devenv.exe
Token: SeDebugPrivilege	2756	admtools.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2688	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	29
PID 2188 wrote to memory of 2688	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	29
PID 2188 wrote to memory of 2688	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	29
PID 2188 wrote to memory of 2688	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	29
PID 2188 wrote to memory of 2688	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	29
PID 2188 wrote to memory of 2688	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	29
PID 2188 wrote to memory of 2688	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	29
PID 2188 wrote to memory of 2756	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	30
PID 2188 wrote to memory of 2756	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	30
PID 2188 wrote to memory of 2756	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	30
PID 2188 wrote to memory of 2756	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	30
PID 2188 wrote to memory of 2804	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	32
PID 2188 wrote to memory of 2804	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	32
PID 2188 wrote to memory of 2804	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	32
PID 2188 wrote to memory of 2804	2188	NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6338b893b8ca8399d2abfc02b8b0a610.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Public\Documents\devenv.exe
  "C:\Users\Public\Documents\devenv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Users\Public\Documents\admtools.exe
  "C:\Users\Public\Documents\admtools.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1232
  2⤵
  - Program crash
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RCX92CD.tmp

Filesize
614KB

MD5
6338b893b8ca8399d2abfc02b8b0a610

SHA1
470c4b90d16da1090bfca1dbc01d986c849ed4b5

SHA256
f4fe433cb53851f9eb590485841d783b08b6b7fe40f61b051d5a117261528821

SHA512
306ab970a235f45be994f0e80ba2c7192553008cf3f884384126ec247d78837606bfda3a96553a8f0a764a3515c82c85eea37525d0f9306428271336ed6167c4

Download Submit
C:\Users\Public\Documents\admtools.exe

Filesize
512KB

MD5
86ca40ffe87618ad86bd49e5a9b6da69

SHA1
b7efd2e35262116bb1f2eb5913881166bb270952

SHA256
9bd3d486e541b5c7e9eec713b6162faf97b21c0cf61a56a996f838a6f4f0be59

SHA512
6c896a9eeb731d8fdd29124731f243d74020f9064e2f10b89425f8719d24c429394fdca40e888681c4fc17515b3221f2ad471492a2a4d03e1d8ef5056bf582e1

Download Submit
C:\Users\Public\Documents\admtools.exe

Filesize
512KB

MD5
86ca40ffe87618ad86bd49e5a9b6da69

SHA1
b7efd2e35262116bb1f2eb5913881166bb270952

SHA256
9bd3d486e541b5c7e9eec713b6162faf97b21c0cf61a56a996f838a6f4f0be59

SHA512
6c896a9eeb731d8fdd29124731f243d74020f9064e2f10b89425f8719d24c429394fdca40e888681c4fc17515b3221f2ad471492a2a4d03e1d8ef5056bf582e1

Download Submit
C:\Users\Public\Documents\admtools.exe

Filesize
512KB

MD5
86ca40ffe87618ad86bd49e5a9b6da69

SHA1
b7efd2e35262116bb1f2eb5913881166bb270952

SHA256
9bd3d486e541b5c7e9eec713b6162faf97b21c0cf61a56a996f838a6f4f0be59

SHA512
6c896a9eeb731d8fdd29124731f243d74020f9064e2f10b89425f8719d24c429394fdca40e888681c4fc17515b3221f2ad471492a2a4d03e1d8ef5056bf582e1

Download Submit
C:\Users\Public\Documents\devenv.exe

Filesize
312KB

MD5
3fe2b1337f824dfcbf545ccffb5454f3

SHA1
c06821b26d386f35984c1d89032f76f4344c004e

SHA256
001d3941132dd30110e1a650abbc4dd49d352f06d08d491a4f6503acff875e67

SHA512
84567f4a228e0de164c15f077397dc32f0a9fc21265de4ee5afcdddfdf9e5eafda0214ce0ac4eb5392c967a92750563d530c81f9a844a742381753db3004b208

Download Submit
C:\Users\Public\Documents\devenv.exe

Filesize
312KB

MD5
3fe2b1337f824dfcbf545ccffb5454f3

SHA1
c06821b26d386f35984c1d89032f76f4344c004e

SHA256
001d3941132dd30110e1a650abbc4dd49d352f06d08d491a4f6503acff875e67

SHA512
84567f4a228e0de164c15f077397dc32f0a9fc21265de4ee5afcdddfdf9e5eafda0214ce0ac4eb5392c967a92750563d530c81f9a844a742381753db3004b208

Download Submit
\Users\Public\Documents\admtools.exe

Filesize
512KB

MD5
86ca40ffe87618ad86bd49e5a9b6da69

SHA1
b7efd2e35262116bb1f2eb5913881166bb270952

SHA256
9bd3d486e541b5c7e9eec713b6162faf97b21c0cf61a56a996f838a6f4f0be59

SHA512
6c896a9eeb731d8fdd29124731f243d74020f9064e2f10b89425f8719d24c429394fdca40e888681c4fc17515b3221f2ad471492a2a4d03e1d8ef5056bf582e1

Download Submit
\Users\Public\Documents\admtools.exe

Filesize
512KB

MD5
86ca40ffe87618ad86bd49e5a9b6da69

SHA1
b7efd2e35262116bb1f2eb5913881166bb270952

SHA256
9bd3d486e541b5c7e9eec713b6162faf97b21c0cf61a56a996f838a6f4f0be59

SHA512
6c896a9eeb731d8fdd29124731f243d74020f9064e2f10b89425f8719d24c429394fdca40e888681c4fc17515b3221f2ad471492a2a4d03e1d8ef5056bf582e1

Download Submit
\Users\Public\Documents\devenv.exe

Filesize
312KB

MD5
3fe2b1337f824dfcbf545ccffb5454f3

SHA1
c06821b26d386f35984c1d89032f76f4344c004e

SHA256
001d3941132dd30110e1a650abbc4dd49d352f06d08d491a4f6503acff875e67

SHA512
84567f4a228e0de164c15f077397dc32f0a9fc21265de4ee5afcdddfdf9e5eafda0214ce0ac4eb5392c967a92750563d530c81f9a844a742381753db3004b208

Download Submit
\Users\Public\Documents\p2p.dll

Filesize
28KB

MD5
6cfff9c292a1bb84d395af36a514b969

SHA1
68dfeb678345a9f0a558b732ae25d956bcdacf34

SHA256
a3967a0cc27a52334c159387be84dba99ec5f5f2978260f6b1e3afa648a060db

SHA512
dabb894cec6f5c6c45e893bbb88ddda0686c6cf6f5182574565fdecd8a45e798f1815d728d309cafa9763ff16713b4adba58aa4f5291d1ab81c3c55338499392

Download Submit
memory/2188-47-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-4-0x00000000056A0000-0x0000000005776000-memory.dmp

Filesize
856KB

Download
memory/2188-3-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2188-2-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/2188-49-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2188-0-0x00000000000C0000-0x0000000000160000-memory.dmp

Filesize
640KB

Download
memory/2188-48-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/2188-1-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-21-0x0000000001240000-0x0000000001294000-memory.dmp

Filesize
336KB

Download
memory/2688-42-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2688-41-0x0000000073F40000-0x0000000073F56000-memory.dmp

Filesize
88KB

Download
memory/2688-22-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-50-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-53-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2756-43-0x000000001AD90000-0x000000001AE10000-memory.dmp

Filesize
512KB

Download
memory/2756-44-0x00000000002C0000-0x00000000002E2000-memory.dmp

Filesize
136KB

Download
memory/2756-45-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/2756-40-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-23-0x0000000000230000-0x00000000002B6000-memory.dmp

Filesize
536KB

Download
memory/2756-51-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-54-0x000000001AD90000-0x000000001AE10000-memory.dmp

Filesize
512KB

Download