zgrat | 36c04fff4cb95fcc397afe6ab4d32a3e9dc9c4d68e621f56dd9f8ae975a4a1fe

General

Target

35755b2520fd50c49cbdcce4627a79ae.exe
Size

944KB
MD5

35755b2520fd50c49cbdcce4627a79ae
SHA1

03d5ca3ba3eb3a6b92f2038248510cea88ea3952
SHA256

36c04fff4cb95fcc397afe6ab4d32a3e9dc9c4d68e621f56dd9f8ae975a4a1fe
SHA512

124943e2486c9ac50ee9a883f0b230447cf8de3f29cd0c299a3cb457a2f58cbb26681fdabdd2368bf72301a304a53c6b0d0e6870544e487b1cae58d8e97febbc
SSDEEP

12288:bGH/W5wqrqsyLDMKKMBhHsvhw46Dd9QC1uv3JVMO0PbkDaNarG3i6va/4JN5J:bceI1HfHs7U0/JGA20Gy6i/e9

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1256-5-0x00000000002F0000-0x0000000000302000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe

description pid process target process

PID 1256 set thread context of 2824 1256 35755b2520fd50c49cbdcce4627a79ae.exe 35755b2520fd50c49cbdcce4627a79ae.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2828 2824 WerFault.exe 35755b2520fd50c49cbdcce4627a79ae.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe

pid process

1256 35755b2520fd50c49cbdcce4627a79ae.exe
1256 35755b2520fd50c49cbdcce4627a79ae.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe35755b2520fd50c49cbdcce4627a79ae.exe

description pid process

Token: SeDebugPrivilege 1256 35755b2520fd50c49cbdcce4627a79ae.exe
Token: SeDebugPrivilege 2824 35755b2520fd50c49cbdcce4627a79ae.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 1256 set thread context of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe

pid	pid_target	process	target process
2828	2824	WerFault.exe	35755b2520fd50c49cbdcce4627a79ae.exe

pid	process
1256	35755b2520fd50c49cbdcce4627a79ae.exe
1256	35755b2520fd50c49cbdcce4627a79ae.exe

description	pid	process
Token: SeDebugPrivilege	1256	35755b2520fd50c49cbdcce4627a79ae.exe
Token: SeDebugPrivilege	2824	35755b2520fd50c49cbdcce4627a79ae.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe35755b2520fd50c49cbdcce4627a79ae.exe

C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe
"C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe
"C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe"
2⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe
"C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe"
2⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe
"C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1364
3⤵
- Program crash
PID:2828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-0-0x00000000001D0000-0x00000000002C0000-memory.dmp

Filesize
960KB

Download
memory/1256-1-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/1256-2-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/1256-3-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/1256-4-0x0000000000630000-0x00000000006AA000-memory.dmp

Filesize
488KB

Download
memory/1256-5-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/1256-14-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2824-8-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-9-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-7-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-12-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-15-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-17-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-18-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2824-19-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2824-20-0x0000000005DD0000-0x0000000005E46000-memory.dmp

Filesize
472KB

Download
memory/2824-21-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2824-22-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download

description	pid	process	target process
PID 1256 wrote to memory of 2760	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2760	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2760	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2760	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2932	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2932	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2932	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2932	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	35755b2520fd50c49cbdcce4627a79ae.exe
PID 2824 wrote to memory of 2828	2824	35755b2520fd50c49cbdcce4627a79ae.exe	WerFault.exe
PID 2824 wrote to memory of 2828	2824	35755b2520fd50c49cbdcce4627a79ae.exe	WerFault.exe
PID 2824 wrote to memory of 2828	2824	35755b2520fd50c49cbdcce4627a79ae.exe	WerFault.exe
PID 2824 wrote to memory of 2828	2824	35755b2520fd50c49cbdcce4627a79ae.exe	WerFault.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads