zgrat | d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d

Analysis

max time kernel
163s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe
Size

484KB
MD5

b7b5b344c954ff3001df527a1cafeb14
SHA1

51bdf2a31e5dd5408f3dcc6f195142ff68ddeb95
SHA256

d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d
SHA512

40cfab33285325859dc28f833d1acae839d27621a36503f6653442368e9131a0c0846b15c52298ea28c41d7e906c8bf68abf28935751fa1e6c70594eaa1fdc1a
SSDEEP

6144:djTnt5sJVZWFMqpmUbdfcPGalT/9oXT+akWoA5P4JnTrRFucI2XFDL2gEX:djTLskMqpmkdE1lz9o/X50Trjn1eh

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/3832-1-0x00000000003E0000-0x0000000000460000-memory.dmp	family_zgrat_v1
behavioral2/memory/4804-5-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3832 set thread context of 4804	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	93

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2992	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	92
PID 3832 wrote to memory of 2992	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	92
PID 3832 wrote to memory of 2992	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	92
PID 3832 wrote to memory of 4804	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	93
PID 3832 wrote to memory of 4804	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	93
PID 3832 wrote to memory of 4804	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	93
PID 3832 wrote to memory of 4804	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	93
PID 3832 wrote to memory of 4804	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	93
PID 3832 wrote to memory of 4804	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	93
PID 3832 wrote to memory of 4804	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	93
PID 3832 wrote to memory of 4804	3832	d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe	93

C:\Users\Admin\AppData\Local\Temp\d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe
"C:\Users\Admin\AppData\Local\Temp\d90447e02d86b3b7243f34abdebc6d9b918d3405b5091a4e7af3b24db63d7a7d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3832-8-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/3832-1-0x00000000003E0000-0x0000000000460000-memory.dmp

Filesize
512KB

Download
memory/3832-2-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3832-3-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/3832-4-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/3832-0-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/3832-6-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/4804-11-0x00000000058E0000-0x0000000005EF8000-memory.dmp

Filesize
6.1MB

Download
memory/4804-15-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4804-10-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4804-5-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4804-12-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/4804-13-0x00000000053D0000-0x00000000054DA000-memory.dmp

Filesize
1.0MB

Download
memory/4804-14-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4804-9-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4804-16-0x00000000051F0000-0x000000000522C000-memory.dmp

Filesize
240KB

Download
memory/4804-17-0x00000000056E0000-0x000000000572C000-memory.dmp

Filesize
304KB

Download
memory/4804-18-0x0000000001150000-0x00000000011B6000-memory.dmp

Filesize
408KB

Download
memory/4804-19-0x0000000006C30000-0x00000000071D4000-memory.dmp

Filesize
5.6MB

Download
memory/4804-20-0x0000000006780000-0x0000000006812000-memory.dmp

Filesize
584KB

Download
memory/4804-21-0x0000000006820000-0x0000000006896000-memory.dmp

Filesize
472KB

Download
memory/4804-22-0x0000000006A60000-0x0000000006A7E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads