zgrat | fc07e1f14fe415abbf50144169406b444d1a70a06332892004d29e286da08f37

Analysis

max time kernel
137s
max time network
154s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
26-11-2023 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b843b704dd6690f5cc7a8a400674b054.exe
Size

3.9MB
MD5

b843b704dd6690f5cc7a8a400674b054
SHA1

fec8571d6b9e1ae91e4cb0ff7d1a6477ff0888a9
SHA256

fc07e1f14fe415abbf50144169406b444d1a70a06332892004d29e286da08f37
SHA512

29f7e4bb063677f848ba45eb0e90dba542dceff1aa7c8a517d42645700545058fb6e507bc267678c0cc8c73d6f070f21e7d5bc78bd2540b5bd0384c0d4d3c2a3
SSDEEP

98304:ySA5A5qQ2o3QCHp2IzQCI2qQv3zjb7iK3OPBOMVw/WBmCL:Vv5WUQC4IzQL21zjb7X3uQMVYzO

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 9 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012275-9.dat	family_zgrat_v1
behavioral1/files/0x000e000000012275-10.dat	family_zgrat_v1
behavioral1/files/0x000e000000012275-12.dat	family_zgrat_v1
behavioral1/files/0x000e000000012275-11.dat	family_zgrat_v1
behavioral1/memory/2188-13-0x00000000002F0000-0x000000000068A000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000015ed7-90.dat	family_zgrat_v1
behavioral1/files/0x000600000001628e-102.dat	family_zgrat_v1
behavioral1/files/0x000600000001628e-103.dat	family_zgrat_v1
behavioral1/memory/524-104-0x0000000000AB0000-0x0000000000E4A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
2188	Msnetcommon.exe
524	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	cmd.exe
2896	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\0a1fd5f707cd16	Msnetcommon.exe
File created	C:\Program Files\7-Zip\Lang\WmiPrvSE.exe	Msnetcommon.exe
File created	C:\Program Files\7-Zip\Lang\24dbde2999530e	Msnetcommon.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\sppsvc.exe	Msnetcommon.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Vss\smss.exe	Msnetcommon.exe
File created	C:\Windows\Vss\69ddcba757bf72	Msnetcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
524	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe
2188	Msnetcommon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
524	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	Msnetcommon.exe
Token: SeDebugPrivilege	524	sppsvc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 480	3008	b843b704dd6690f5cc7a8a400674b054.exe	28
PID 3008 wrote to memory of 480	3008	b843b704dd6690f5cc7a8a400674b054.exe	28
PID 3008 wrote to memory of 480	3008	b843b704dd6690f5cc7a8a400674b054.exe	28
PID 3008 wrote to memory of 480	3008	b843b704dd6690f5cc7a8a400674b054.exe	28
PID 480 wrote to memory of 2896	480	WScript.exe	29
PID 480 wrote to memory of 2896	480	WScript.exe	29
PID 480 wrote to memory of 2896	480	WScript.exe	29
PID 480 wrote to memory of 2896	480	WScript.exe	29
PID 2896 wrote to memory of 2188	2896	cmd.exe	31
PID 2896 wrote to memory of 2188	2896	cmd.exe	31
PID 2896 wrote to memory of 2188	2896	cmd.exe	31
PID 2896 wrote to memory of 2188	2896	cmd.exe	31
PID 2188 wrote to memory of 2992	2188	Msnetcommon.exe	34
PID 2188 wrote to memory of 2992	2188	Msnetcommon.exe	34
PID 2188 wrote to memory of 2992	2188	Msnetcommon.exe	34
PID 2992 wrote to memory of 2012	2992	cmd.exe	36
PID 2992 wrote to memory of 2012	2992	cmd.exe	36
PID 2992 wrote to memory of 2012	2992	cmd.exe	36
PID 2992 wrote to memory of 1520	2992	cmd.exe	37
PID 2992 wrote to memory of 1520	2992	cmd.exe	37
PID 2992 wrote to memory of 1520	2992	cmd.exe	37
PID 2992 wrote to memory of 524	2992	cmd.exe	38
PID 2992 wrote to memory of 524	2992	cmd.exe	38
PID 2992 wrote to memory of 524	2992	cmd.exe	38
PID 2992 wrote to memory of 524	2992	cmd.exe	38
PID 2992 wrote to memory of 524	2992	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\b843b704dd6690f5cc7a8a400674b054.exe
"C:\Users\Admin\AppData\Local\Temp\b843b704dd6690f5cc7a8a400674b054.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgeintoPerfdll\FUtKAenxZ.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\bridgeintoPerfdll\SVKIEXo2DS.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\bridgeintoPerfdll\Msnetcommon.exe
      "C:\bridgeintoPerfdll/Msnetcommon.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\67lV5TXkCG.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2012
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1520
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\sppsvc.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\WmiPrvSE.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\sppsvc.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\sppsvc.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
C:\Users\Admin\AppData\Local\Temp\67lV5TXkCG.bat

Filesize
244B

MD5
3930c8fd089098f2bc1919bc027f9554

SHA1
4a9146bf3469ada434873203ad05143b488a98f9

SHA256
450b093f3774c6cd0eb888385730c56ed3ec489be9c49181da34d33fcaf7a0cc

SHA512
0ab32b4e548f8bc38b56f7448b43a50e50f1600fce06adf70c78df4c2e617c35edbb695122219d92ad73fff9f1df391b709f2ca5c46e4c0ba24daca91c7f6889

Download Submit
C:\bridgeintoPerfdll\FUtKAenxZ.vbe

Filesize
205B

MD5
ca9c208817e4eff516342d7dbd58cf27

SHA1
8ce27a728720ffb14f972cfe52a58c678890edc3

SHA256
18d95a16d9f533dc521aa30a7e714bcbe5cb976883b951e7a7d7ebfcb1565857

SHA512
ce8201ba3db66bccfa446df92ae82afb15a1f3817648b260bec5462e86ed2bd94ab4540ccfe3b127a3ade0ea21a0f6af6c817e3632ec363cee25d66e47fa04f4

Download Submit
C:\bridgeintoPerfdll\Msnetcommon.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
C:\bridgeintoPerfdll\Msnetcommon.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
C:\bridgeintoPerfdll\SVKIEXo2DS.bat

Filesize
87B

MD5
b4c177d380fff1fe04e01223a66e0878

SHA1
2c9fef271f9c1633af8b8467f1e3956572d5f387

SHA256
56709fc7efc983e335352d009ae39344005df1c5bd49a3bfcc2d1f5c9ad08128

SHA512
9f8efe43cc18694cbbf002f011316c21afaea7f17923bc1dd21cd84fe8ea89667159eb5a5738ad667f549341b11fce845fc2bdaa93b690e79d3087e082d824f0

Download Submit
\bridgeintoPerfdll\Msnetcommon.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
\bridgeintoPerfdll\Msnetcommon.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
memory/524-122-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/524-119-0x00000000771E0000-0x00000000771E1000-memory.dmp

Filesize
4KB

Download
memory/524-117-0x00000000771F0000-0x00000000771F1000-memory.dmp

Filesize
4KB

Download
memory/524-115-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/524-114-0x0000000077210000-0x0000000077211000-memory.dmp

Filesize
4KB

Download
memory/524-111-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/524-110-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/524-108-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/524-107-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/524-106-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/524-105-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/524-104-0x0000000000AB0000-0x0000000000E4A000-memory.dmp

Filesize
3.6MB

Download
memory/524-124-0x00000000771D0000-0x00000000771D1000-memory.dmp

Filesize
4KB

Download
memory/2188-50-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/2188-67-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/2188-34-0x00000000771D0000-0x00000000771D1000-memory.dmp

Filesize
4KB

Download
memory/2188-36-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2188-38-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2188-40-0x00000000771C0000-0x00000000771C1000-memory.dmp

Filesize
4KB

Download
memory/2188-41-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2188-39-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2188-42-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/2188-44-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/2188-46-0x00000000007D0000-0x00000000007DE000-memory.dmp

Filesize
56KB

Download
memory/2188-47-0x00000000771A0000-0x00000000771A1000-memory.dmp

Filesize
4KB

Download
memory/2188-48-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2188-32-0x00000000007B0000-0x00000000007C8000-memory.dmp

Filesize
96KB

Download
memory/2188-51-0x0000000077190000-0x0000000077191000-memory.dmp

Filesize
4KB

Download
memory/2188-54-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2188-53-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/2188-55-0x0000000077180000-0x0000000077181000-memory.dmp

Filesize
4KB

Download
memory/2188-56-0x0000000077170000-0x0000000077171000-memory.dmp

Filesize
4KB

Download
memory/2188-58-0x0000000000840000-0x0000000000856000-memory.dmp

Filesize
88KB

Download
memory/2188-59-0x0000000077160000-0x0000000077161000-memory.dmp

Filesize
4KB

Download
memory/2188-61-0x0000000000860000-0x0000000000872000-memory.dmp

Filesize
72KB

Download
memory/2188-63-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/2188-64-0x0000000077150000-0x0000000077151000-memory.dmp

Filesize
4KB

Download
memory/2188-65-0x0000000077140000-0x0000000077141000-memory.dmp

Filesize
4KB

Download
memory/2188-33-0x00000000771E0000-0x00000000771E1000-memory.dmp

Filesize
4KB

Download
memory/2188-68-0x0000000077130000-0x0000000077131000-memory.dmp

Filesize
4KB

Download
memory/2188-70-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/2188-73-0x0000000000A90000-0x0000000000AEA000-memory.dmp

Filesize
360KB

Download
memory/2188-72-0x0000000077120000-0x0000000077121000-memory.dmp

Filesize
4KB

Download
memory/2188-75-0x0000000000A10000-0x0000000000A1E000-memory.dmp

Filesize
56KB

Download
memory/2188-77-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/2188-79-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/2188-81-0x0000000000A70000-0x0000000000A88000-memory.dmp

Filesize
96KB

Download
memory/2188-83-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/2188-85-0x00000000024F0000-0x000000000253E000-memory.dmp

Filesize
312KB

Download
memory/2188-30-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2188-28-0x00000000771F0000-0x00000000771F1000-memory.dmp

Filesize
4KB

Download
memory/2188-27-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/2188-26-0x0000000000790000-0x00000000007AC000-memory.dmp

Filesize
112KB

Download
memory/2188-23-0x0000000077210000-0x0000000077211000-memory.dmp

Filesize
4KB

Download
memory/2188-24-0x0000000000170000-0x000000000017E000-memory.dmp

Filesize
56KB

Download
memory/2188-21-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2188-20-0x0000000000290000-0x00000000002B6000-memory.dmp

Filesize
152KB

Download
memory/2188-18-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/2188-17-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2188-16-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2188-15-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2188-14-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2188-13-0x00000000002F0000-0x000000000068A000-memory.dmp

Filesize
3.6MB

Download
memory/2188-101-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download