zgrat | 7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f

General

Target

2cae1b3be4c37e8f0ca5dac99dbbac17.exe
Size

1.2MB
MD5

2cae1b3be4c37e8f0ca5dac99dbbac17
SHA1

fea201d9f1b3d81c67abead708afee8f619785d7
SHA256

7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f
SHA512

1caaf89b50be197446e4194205b6d4165c3406fd32f39598ee52195f0c83f085bbe8297bdc518d581618b62d11b38b1602a508d6f5f77f90260fa3ee651e5ec5
SSDEEP

24576:kiKH63AanJL5WRxc493rVedPdiHxO0KQJ2dJd0+Tf7Lsg77R:vZA0L5WRq493heB2ydJ/LsS7R

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1696-7-0x0000000008510000-0x0000000008620000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-9-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-19-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-29-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-49-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-65-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-71-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-69-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-67-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-63-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-61-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-59-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-57-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-55-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-53-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-51-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-47-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-45-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-43-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-41-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-39-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-37-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-35-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-33-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-31-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-27-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-25-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-23-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-21-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-17-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-15-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-13-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-11-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1696-8-0x0000000008510000-0x000000000861A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-2405-0x0000000006070000-0x0000000006124000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2cae1b3be4c37e8f0ca5dac99dbbac17.exe

description pid process

Token: SeDebugPrivilege 1696 2cae1b3be4c37e8f0ca5dac99dbbac17.exe

description	pid	process
Token: SeDebugPrivilege	1696	2cae1b3be4c37e8f0ca5dac99dbbac17.exe

C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
"C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
C:\Users\Admin\AppData\Local\Temp\2cae1b3be4c37e8f0ca5dac99dbbac17.exe
2⤵
PID:392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Skcczlqwcscgqo.vbs"
2⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
"C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe"
1⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
2⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
2⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
2⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
2⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
2⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
2⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
2⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
2⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
2⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
C:\Users\Admin\AppData\Local\Temp\Qhbcytidvconsoleapp6aa.exe
2⤵
PID:1016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Evpctmxstsshc.vbs"
2⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe
"C:\Users\Admin\AppData\Local\Temp\Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe"
1⤵
PID:2460

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1456-2400-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1456-4187-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/1456-2505-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1456-2405-0x0000000006070000-0x0000000006124000-memory.dmp

Filesize
720KB

Download
memory/1456-2404-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

Filesize
624KB

Download
memory/1456-2403-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1456-2402-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/1456-2397-0x0000000000370000-0x0000000000414000-memory.dmp

Filesize
656KB

Download
memory/1456-2398-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/1456-2401-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1696-69-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-25-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-65-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-71-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-0-0x0000000000AA0000-0x0000000000BCE000-memory.dmp

Filesize
1.2MB

Download
memory/1696-67-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-63-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-61-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-59-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-57-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-55-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-53-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-51-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-47-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-45-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-43-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-41-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-39-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-37-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-35-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-33-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-31-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-27-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-49-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-23-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-21-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-17-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-15-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-13-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-11-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-8-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-667-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/1696-29-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-19-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-9-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/1696-7-0x0000000008510000-0x0000000008620000-memory.dmp

Filesize
1.1MB

Download
memory/1696-6-0x0000000005EA0000-0x0000000005FC6000-memory.dmp

Filesize
1.1MB

Download
memory/1696-5-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/1696-4-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/1696-3-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/1696-2-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/1696-1-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2460-4185-0x0000000004700000-0x0000000004740000-memory.dmp

Filesize
256KB

Download
memory/2460-4184-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2460-4186-0x0000000004700000-0x0000000004740000-memory.dmp

Filesize
256KB

Download
memory/2460-4183-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads