zgrat | 36c04fff4cb95fcc397afe6ab4d32a3e9dc9c4d68e621f56dd9f8ae975a4a1fe

General

Target

35755b2520fd50c49cbdcce4627a79ae.exe
Size

944KB
MD5

35755b2520fd50c49cbdcce4627a79ae
SHA1

03d5ca3ba3eb3a6b92f2038248510cea88ea3952
SHA256

36c04fff4cb95fcc397afe6ab4d32a3e9dc9c4d68e621f56dd9f8ae975a4a1fe
SHA512

124943e2486c9ac50ee9a883f0b230447cf8de3f29cd0c299a3cb457a2f58cbb26681fdabdd2368bf72301a304a53c6b0d0e6870544e487b1cae58d8e97febbc
SSDEEP

12288:bGH/W5wqrqsyLDMKKMBhHsvhw46Dd9QC1uv3JVMO0PbkDaNarG3i6va/4JN5J:bceI1HfHs7U0/JGA20Gy6i/e9

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1256-5-0x00000000002F0000-0x0000000000302000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe

description	pid	Process	procid_target
PID 1256 set thread context of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	32

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2828	2824	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe

pid	Process
1256	35755b2520fd50c49cbdcce4627a79ae.exe
1256	35755b2520fd50c49cbdcce4627a79ae.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe35755b2520fd50c49cbdcce4627a79ae.exe

description	pid	Process
Token: SeDebugPrivilege	1256	35755b2520fd50c49cbdcce4627a79ae.exe
Token: SeDebugPrivilege	2824	35755b2520fd50c49cbdcce4627a79ae.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

35755b2520fd50c49cbdcce4627a79ae.exe35755b2520fd50c49cbdcce4627a79ae.exe

description	pid	Process	procid_target
PID 1256 wrote to memory of 2760	1256	35755b2520fd50c49cbdcce4627a79ae.exe	30
PID 1256 wrote to memory of 2760	1256	35755b2520fd50c49cbdcce4627a79ae.exe	30
PID 1256 wrote to memory of 2760	1256	35755b2520fd50c49cbdcce4627a79ae.exe	30
PID 1256 wrote to memory of 2760	1256	35755b2520fd50c49cbdcce4627a79ae.exe	30
PID 1256 wrote to memory of 2932	1256	35755b2520fd50c49cbdcce4627a79ae.exe	31
PID 1256 wrote to memory of 2932	1256	35755b2520fd50c49cbdcce4627a79ae.exe	31
PID 1256 wrote to memory of 2932	1256	35755b2520fd50c49cbdcce4627a79ae.exe	31
PID 1256 wrote to memory of 2932	1256	35755b2520fd50c49cbdcce4627a79ae.exe	31
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	32
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	32
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	32
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	32
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	32
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	32
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	32
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	32
PID 1256 wrote to memory of 2824	1256	35755b2520fd50c49cbdcce4627a79ae.exe	32
PID 2824 wrote to memory of 2828	2824	35755b2520fd50c49cbdcce4627a79ae.exe	34
PID 2824 wrote to memory of 2828	2824	35755b2520fd50c49cbdcce4627a79ae.exe	34
PID 2824 wrote to memory of 2828	2824	35755b2520fd50c49cbdcce4627a79ae.exe	34
PID 2824 wrote to memory of 2828	2824	35755b2520fd50c49cbdcce4627a79ae.exe	34

C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe
"C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe
  "C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe"
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe
  "C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe"
  2⤵
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe
  "C:\Users\Admin\AppData\Local\Temp\35755b2520fd50c49cbdcce4627a79ae.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1364
    3⤵
    - Program crash
    PID:2828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-0-0x00000000001D0000-0x00000000002C0000-memory.dmp

Filesize
960KB

Download
memory/1256-1-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/1256-2-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/1256-3-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/1256-4-0x0000000000630000-0x00000000006AA000-memory.dmp

Filesize
488KB

Download
memory/1256-5-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/1256-14-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2824-8-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-9-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-7-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-12-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-15-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-6-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-17-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2824-18-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2824-19-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2824-20-0x0000000005DD0000-0x0000000005E46000-memory.dmp

Filesize
472KB

Download
memory/2824-21-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2824-22-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads