zgrat | ed4ef6ea5bca41f50f9300b0c0527ff04a1bb54150202d6e357a92433bda46cf

General

Target

r1210DEC-GIG.exe
Size

627KB
MD5

35092b310e4d2832d81b8f5d9ef1e094
SHA1

ec3a6137aedb5c7b056d51ce653f10c094a4ef14
SHA256

ed4ef6ea5bca41f50f9300b0c0527ff04a1bb54150202d6e357a92433bda46cf
SHA512

8739c9deac4df2c9b20e9f9207f600bfb83c364f3c1bcdd098e878a2ba3969de2c348c5084a3d772b03683dce4d240510822db280c2565735ecc4368328ec725
SSDEEP

12288:ApEmQepZshyxfbCErYeNWDUuZv7IgKM7Uvj5Z+62Tp1Lnly4hdw:ApE0bCcWDUynKM7H31Xy/

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1096-3-0x00000000005E0000-0x00000000005F8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 2800	1096	r1210DEC-GIG.exe	28
PID 2800 set thread context of 1364	2800	r1210DEC-GIG.exe	22
PID 2800 set thread context of 1468	2800	r1210DEC-GIG.exe	31
PID 1468 set thread context of 1364	1468	netiougc.exe	22

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2800	r1210DEC-GIG.exe
2800	r1210DEC-GIG.exe
2800	r1210DEC-GIG.exe
2800	r1210DEC-GIG.exe
2800	r1210DEC-GIG.exe
2800	r1210DEC-GIG.exe
2800	r1210DEC-GIG.exe
2800	r1210DEC-GIG.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe
1468	netiougc.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2800	r1210DEC-GIG.exe
1364	Explorer.EXE
1364	Explorer.EXE
1468	netiougc.exe
1468	netiougc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2800	1096	r1210DEC-GIG.exe	28
PID 1096 wrote to memory of 2800	1096	r1210DEC-GIG.exe	28
PID 1096 wrote to memory of 2800	1096	r1210DEC-GIG.exe	28
PID 1096 wrote to memory of 2800	1096	r1210DEC-GIG.exe	28
PID 1096 wrote to memory of 2800	1096	r1210DEC-GIG.exe	28
PID 1096 wrote to memory of 2800	1096	r1210DEC-GIG.exe	28
PID 1096 wrote to memory of 2800	1096	r1210DEC-GIG.exe	28
PID 1364 wrote to memory of 1468	1364	Explorer.EXE	31
PID 1364 wrote to memory of 1468	1364	Explorer.EXE	31
PID 1364 wrote to memory of 1468	1364	Explorer.EXE	31
PID 1364 wrote to memory of 1468	1364	Explorer.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\r1210DEC-GIG.exe
  "C:\Users\Admin\AppData\Local\Temp\r1210DEC-GIG.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\r1210DEC-GIG.exe
    "C:\Users\Admin\AppData\Local\Temp\r1210DEC-GIG.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2800
- C:\Windows\SysWOW64\netiougc.exe
  "C:\Windows\SysWOW64\netiougc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-12-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1096-1-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1096-2-0x0000000000DC0000-0x0000000000E00000-memory.dmp

Filesize
256KB

Download
memory/1096-3-0x00000000005E0000-0x00000000005F8000-memory.dmp

Filesize
96KB

Download
memory/1096-4-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/1096-5-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/1096-6-0x00000000051B0000-0x000000000522C000-memory.dmp

Filesize
496KB

Download
memory/1096-0-0x00000000010B0000-0x0000000001152000-memory.dmp

Filesize
648KB

Download
memory/1364-18-0x00000000039D0000-0x0000000003AD0000-memory.dmp

Filesize
1024KB

Download
memory/1364-19-0x0000000008850000-0x000000000A145000-memory.dmp

Filesize
25.0MB

Download
memory/1364-27-0x0000000008850000-0x000000000A145000-memory.dmp

Filesize
25.0MB

Download
memory/1468-28-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/1468-25-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/1468-24-0x0000000000C00000-0x0000000000F03000-memory.dmp

Filesize
3.0MB

Download
memory/1468-26-0x00000000005B0000-0x000000000064C000-memory.dmp

Filesize
624KB

Download
memory/1468-21-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/1468-29-0x00000000005B0000-0x000000000064C000-memory.dmp

Filesize
624KB

Download
memory/1468-20-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/2800-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-17-0x0000000000150000-0x000000000016D000-memory.dmp

Filesize
116KB

Download
memory/2800-16-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-23-0x0000000000150000-0x000000000016D000-memory.dmp

Filesize
116KB

Download
memory/2800-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-13-0x0000000000AD0000-0x0000000000DD3000-memory.dmp

Filesize
3.0MB

Download
memory/2800-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing