zgrat | e065974b0db0079fcc57cf5d209fa267c852772a58a68cee307a72c91d382a8e

Analysis

max time kernel
126s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-01-2024 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D3C4575E325D9B2EA4375BE6AE184469.exe
Size

3.7MB
MD5

d3c4575e325d9b2ea4375be6ae184469
SHA1

dba82c40924a219234c29c7ab7d6da4e715c8aa2
SHA256

e065974b0db0079fcc57cf5d209fa267c852772a58a68cee307a72c91d382a8e
SHA512

75d19580269523c1eedbcf3079c6bd15dd4848d212e81028af1a7363927153451b3d579dd5f158df787edd246a9fcc18f7b48d67629e8f120bdd998d6641ef7d
SSDEEP

98304:723bBil+7+NRBY2V9sJg2E65NEOzobiP8Xlb46LqpGVP:70BioqNbY2nsJg2E6Npzobi0Xlb462

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/1640-0-0x0000000000C60000-0x000000000101A000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0005000000019595-89.dat	family_zgrat_v1
behavioral1/files/0x0005000000019595-97.dat	family_zgrat_v1
behavioral1/files/0x0005000000019595-98.dat	family_zgrat_v1
behavioral1/memory/1532-99-0x0000000000110000-0x00000000004CA000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
1532	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\smss.exe	D3C4575E325D9B2EA4375BE6AE184469.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\69ddcba757bf72	D3C4575E325D9B2EA4375BE6AE184469.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\services.exe	D3C4575E325D9B2EA4375BE6AE184469.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\c5b4cb5e9653cc	D3C4575E325D9B2EA4375BE6AE184469.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\services.exe	D3C4575E325D9B2EA4375BE6AE184469.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\c5b4cb5e9653cc	D3C4575E325D9B2EA4375BE6AE184469.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\spoolsv.exe	D3C4575E325D9B2EA4375BE6AE184469.exe
File created	C:\Windows\ShellNew\f3b6ecef712a24	D3C4575E325D9B2EA4375BE6AE184469.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe
1640	D3C4575E325D9B2EA4375BE6AE184469.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	D3C4575E325D9B2EA4375BE6AE184469.exe
Token: SeDebugPrivilege	1532	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3012	1640	D3C4575E325D9B2EA4375BE6AE184469.exe	28
PID 1640 wrote to memory of 3012	1640	D3C4575E325D9B2EA4375BE6AE184469.exe	28
PID 1640 wrote to memory of 3012	1640	D3C4575E325D9B2EA4375BE6AE184469.exe	28
PID 3012 wrote to memory of 3024	3012	cmd.exe	30
PID 3012 wrote to memory of 3024	3012	cmd.exe	30
PID 3012 wrote to memory of 3024	3012	cmd.exe	30
PID 3012 wrote to memory of 1280	3012	cmd.exe	31
PID 3012 wrote to memory of 1280	3012	cmd.exe	31
PID 3012 wrote to memory of 1280	3012	cmd.exe	31
PID 3012 wrote to memory of 1532	3012	cmd.exe	32
PID 3012 wrote to memory of 1532	3012	cmd.exe	32
PID 3012 wrote to memory of 1532	3012	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\D3C4575E325D9B2EA4375BE6AE184469.exe
"C:\Users\Admin\AppData\Local\Temp\D3C4575E325D9B2EA4375BE6AE184469.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JHgg5rfgMC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3024
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1280
- - C:\Windows\ShellNew\spoolsv.exe
    "C:\Windows\ShellNew\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JHgg5rfgMC.bat

Filesize
207B

MD5
5c479df038a55d8c533acbf75b6b78ab

SHA1
662a04951cab5c101a5745b8b1266a6c043faf6b

SHA256
03e3fae9a098cef17298fd3a5ed104d7e71704aee34a8fb2ec813b44a880beec

SHA512
8b99f8d8f03975948586df60bec76e518aad1dd8c3cc406c482b08daf2bd421ba4e8a4ecc60a5f3eaf5754ac449da28ca0f7c5823a84c3676c7d678a51ee28af

Download Submit
C:\Windows\ShellNew\spoolsv.exe

Filesize
3.7MB

MD5
d3c4575e325d9b2ea4375be6ae184469

SHA1
dba82c40924a219234c29c7ab7d6da4e715c8aa2

SHA256
e065974b0db0079fcc57cf5d209fa267c852772a58a68cee307a72c91d382a8e

SHA512
75d19580269523c1eedbcf3079c6bd15dd4848d212e81028af1a7363927153451b3d579dd5f158df787edd246a9fcc18f7b48d67629e8f120bdd998d6641ef7d

Download Submit
C:\Windows\ShellNew\spoolsv.exe

Filesize
832KB

MD5
a6d8ec8990c3fc131ec218d2a4e9c98b

SHA1
3ef3a9fd909fa419d67c23626f28b62850344942

SHA256
d4939623ded6377951319a0b89df8e94e401ac12069115232d17041395a6c964

SHA512
98f5d8d8bf7076ebb7b2488264f29f1ee1d9932715d200d6c5240918692d45ed8f0ef38660c88626f3ece707fefb435e79bfab3326b99292deb620d923fc059e

Download Submit
C:\Windows\ShellNew\spoolsv.exe

Filesize
640KB

MD5
d5f317408f7592cb1897ed4bc09c599b

SHA1
c253c00b5f572c220822a220b73eeda2b5bf7807

SHA256
b1fe971908e90c982b45f7f54d2fd319107cdeb169d7f0723d946fcb1c311a3b

SHA512
8f874aa9d437ddf180bc9a724a2644cadd13157fc3943e32f88ebb3a9a8f6a151ca41258e117b1896f82f06a9d2f1d76d2c801862eab55ee62508559b3173b53

Download Submit
memory/1532-100-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1532-112-0x0000000077590000-0x0000000077591000-memory.dmp

Filesize
4KB

Download
memory/1532-111-0x00000000775A0000-0x00000000775A1000-memory.dmp

Filesize
4KB

Download
memory/1532-109-0x00000000775B0000-0x00000000775B1000-memory.dmp

Filesize
4KB

Download
memory/1532-106-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1532-105-0x00000000775D0000-0x00000000775D1000-memory.dmp

Filesize
4KB

Download
memory/1532-103-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1532-102-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1532-101-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/1532-99-0x0000000000110000-0x00000000004CA000-memory.dmp

Filesize
3.7MB

Download
memory/1640-40-0x0000000002540000-0x000000000254E000-memory.dmp

Filesize
56KB

Download
memory/1640-50-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/1640-14-0x00000000775B0000-0x00000000775B1000-memory.dmp

Filesize
4KB

Download
memory/1640-17-0x00000000775A0000-0x00000000775A1000-memory.dmp

Filesize
4KB

Download
memory/1640-16-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/1640-19-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download
memory/1640-20-0x0000000077590000-0x0000000077591000-memory.dmp

Filesize
4KB

Download
memory/1640-21-0x0000000077580000-0x0000000077581000-memory.dmp

Filesize
4KB

Download
memory/1640-23-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/1640-25-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/1640-27-0x0000000077570000-0x0000000077571000-memory.dmp

Filesize
4KB

Download
memory/1640-26-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/1640-30-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/1640-28-0x000000001B730000-0x000000001B7B0000-memory.dmp

Filesize
512KB

Download
memory/1640-31-0x0000000077560000-0x0000000077561000-memory.dmp

Filesize
4KB

Download
memory/1640-32-0x0000000077550000-0x0000000077551000-memory.dmp

Filesize
4KB

Download
memory/1640-34-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/1640-37-0x000000001B730000-0x000000001B7B0000-memory.dmp

Filesize
512KB

Download
memory/1640-38-0x0000000077540000-0x0000000077541000-memory.dmp

Filesize
4KB

Download
memory/1640-36-0x0000000002530000-0x000000000253C000-memory.dmp

Filesize
48KB

Download
memory/1640-11-0x00000000775C0000-0x00000000775C1000-memory.dmp

Filesize
4KB

Download
memory/1640-41-0x000000001B730000-0x000000001B7B0000-memory.dmp

Filesize
512KB

Download
memory/1640-42-0x0000000077530000-0x0000000077531000-memory.dmp

Filesize
4KB

Download
memory/1640-44-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/1640-45-0x0000000077520000-0x0000000077521000-memory.dmp

Filesize
4KB

Download
memory/1640-46-0x0000000077510000-0x0000000077511000-memory.dmp

Filesize
4KB

Download
memory/1640-48-0x0000000002550000-0x000000000255C000-memory.dmp

Filesize
48KB

Download
memory/1640-13-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/1640-52-0x0000000002740000-0x0000000002756000-memory.dmp

Filesize
88KB

Download
memory/1640-54-0x000000001AB60000-0x000000001AB72000-memory.dmp

Filesize
72KB

Download
memory/1640-55-0x00000000774D0000-0x00000000774D1000-memory.dmp

Filesize
4KB

Download
memory/1640-57-0x0000000002610000-0x000000000261E000-memory.dmp

Filesize
56KB

Download
memory/1640-60-0x00000000774C0000-0x00000000774C1000-memory.dmp

Filesize
4KB

Download
memory/1640-59-0x0000000002720000-0x000000000272C000-memory.dmp

Filesize
48KB

Download
memory/1640-62-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/1640-64-0x000000001AB80000-0x000000001AB90000-memory.dmp

Filesize
64KB

Download
memory/1640-66-0x000000001B120000-0x000000001B17A000-memory.dmp

Filesize
360KB

Download
memory/1640-68-0x000000001AB90000-0x000000001AB9E000-memory.dmp

Filesize
56KB

Download
memory/1640-69-0x0000000077480000-0x0000000077481000-memory.dmp

Filesize
4KB

Download
memory/1640-71-0x000000001ABA0000-0x000000001ABB0000-memory.dmp

Filesize
64KB

Download
memory/1640-73-0x000000001ABB0000-0x000000001ABBE000-memory.dmp

Filesize
56KB

Download
memory/1640-75-0x000000001B0C0000-0x000000001B0D8000-memory.dmp

Filesize
96KB

Download
memory/1640-10-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1640-5-0x00000000775D0000-0x00000000775D1000-memory.dmp

Filesize
4KB

Download
memory/1640-6-0x000000001B730000-0x000000001B7B0000-memory.dmp

Filesize
512KB

Download
memory/1640-8-0x0000000000440000-0x0000000000466000-memory.dmp

Filesize
152KB

Download
memory/1640-4-0x000000001B730000-0x000000001B7B0000-memory.dmp

Filesize
512KB

Download
memory/1640-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1640-2-0x000000001B730000-0x000000001B7B0000-memory.dmp

Filesize
512KB

Download
memory/1640-1-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/1640-0-0x0000000000C60000-0x000000000101A000-memory.dmp

Filesize
3.7MB

Download
memory/1640-77-0x000000001ABC0000-0x000000001ABCC000-memory.dmp

Filesize
48KB

Download
memory/1640-79-0x000000001B540000-0x000000001B58E000-memory.dmp

Filesize
312KB

Download
memory/1640-96-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download