r77 | a0ee5664312e247585b9b1ec5744c18380a5bb8cb56e044084d52e330002ee56 | Triage

Submit
Reports

Overview

overview

Static

static

3

156a71da2a...16.exe

windows7-x64

156a71da2a...16.exe

windows10-2004-x64

Sharing

General

Target

156a71da2a68110469c383da6c39c616
Size

5.6MB
Sample

231230-l6pwdsghe5
MD5

156a71da2a68110469c383da6c39c616
SHA1

912915419f719f8de18aa486737cfb8ad3b02ff9
SHA256

a0ee5664312e247585b9b1ec5744c18380a5bb8cb56e044084d52e330002ee56
SHA512

802d7cb717e2917de634048448fc4397b8e41a52a6d9929633dff7974e740fe6d4c50ca06b044155248bdd4ac6e634cc968fbda60ae9eb504fb0b268acb42a9c
SSDEEP

98304:npTr9Ki6iH0eOZI39nQLB3L+mQ6QgLYIyM7aam+4Q3sclQ1+g5u:ph6m0eF9nQl3L+mQ6Q/te4Q3scRgE

Score

10^/10

r77 zgrat rat rootkit

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

156a71da2a68110469c383da6c39c616.exe

Resource

win7-20231215-en

r77 zgrat rat rootkit

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

156a71da2a68110469c383da6c39c616.exe

Resource

win10v2004-20231215-en

r77 zgrat rat rootkit

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  156a71da2a68110469c383da6c39c616
- Size
  
  5.6MB
- MD5
  
  156a71da2a68110469c383da6c39c616
- SHA1
  
  912915419f719f8de18aa486737cfb8ad3b02ff9
- SHA256
  
  a0ee5664312e247585b9b1ec5744c18380a5bb8cb56e044084d52e330002ee56
- SHA512
  
  802d7cb717e2917de634048448fc4397b8e41a52a6d9929633dff7974e740fe6d4c50ca06b044155248bdd4ac6e634cc968fbda60ae9eb504fb0b268acb42a9c
- SSDEEP
  
  98304:npTr9Ki6iH0eOZI39nQLB3L+mQ6QgLYIyM7aam+4Q3sclQ1+g5u:ph6m0eF9nQl3L+mQ6Q/te4Q3scRgE
Score

10^/10

r77 zgrat rat rootkit
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- r77
  r77 is an open-source, userland rootkit.
  rootkit r77
- r77 rootkit payload
  Detects the payload of the r77 rootkit.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

r77zgratratrootkit

behavioral2

r77zgratratrootkit

© 2018-2024

Terms | Privacy