zgrat | 129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e

Analysis

max time kernel
6s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f7feb8491c4b21321d60b2422d82e97.exe
Size

6.1MB
MD5

3f7feb8491c4b21321d60b2422d82e97
SHA1

4718dd599d5ae6f08093d1bc251b3564d71b1fc2
SHA256

129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e
SHA512

24342cff0dfea810c5df9ef11d933d1d630fdfff6576b930d10db089ffac341cedd18fce9f1dc7d824578259cf4bd5fce443ca7a32ab15c90c5275a4e02e93c9
SSDEEP

196608:/GSGzpnyRAiW9M5tfKY3QbZHEpVsv1LpOrx:/GSGzpytW9egk7OdO

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 27 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2092-54-0x000000001D930000-0x000000001DF70000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-55-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-56-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-58-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-60-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-62-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-64-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-66-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-68-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-70-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-72-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-74-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-76-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-78-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-80-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-82-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-84-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-86-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-88-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-90-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-92-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-94-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-96-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-98-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-100-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-102-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2092-104-0x000000001D930000-0x000000001DF6C000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3f7feb8491c4b21321d60b2422d82e97.exe

description	pid	process	target process
PID 2092 wrote to memory of 2148	2092	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 2092 wrote to memory of 2148	2092	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 2092 wrote to memory of 2148	2092	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\3f7feb8491c4b21321d60b2422d82e97.exe
"C:\Users\Admin\AppData\Local\Temp\3f7feb8491c4b21321d60b2422d82e97.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-21-0x000007FEF2360000-0x000007FEF2CFD000-memory.dmp

Filesize
9.6MB

Download
memory/1668-28-0x000007FEF2360000-0x000007FEF2CFD000-memory.dmp

Filesize
9.6MB

Download
memory/1668-20-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/1668-24-0x000007FEF2360000-0x000007FEF2CFD000-memory.dmp

Filesize
9.6MB

Download
memory/1668-25-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1668-27-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1668-26-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1668-22-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1668-23-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2092-54-0x000000001D930000-0x000000001DF70000-memory.dmp

Filesize
6.2MB

Download
memory/2092-92-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-667-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2092-118-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-116-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-114-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-112-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-110-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-108-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-106-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-1-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-104-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-102-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-100-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-98-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-96-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-94-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-14-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-90-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-88-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-86-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-84-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-82-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-80-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-78-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-53-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2092-0-0x000000013F480000-0x000000013FAAA000-memory.dmp

Filesize
6.2MB

Download
memory/2092-55-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-56-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-58-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-60-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-62-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-64-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-66-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-68-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-70-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-72-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-74-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2092-76-0x000000001D930000-0x000000001DF6C000-memory.dmp

Filesize
6.2MB

Download
memory/2148-8-0x000007FEF2D00000-0x000007FEF369D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-13-0x000007FEF2D00000-0x000007FEF369D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-6-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2148-7-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2148-12-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2148-11-0x000007FEF2D00000-0x000007FEF369D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-10-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2148-9-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2476-47-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2476-46-0x000007FEF2360000-0x000007FEF2CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2476-49-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2476-50-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2476-51-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2476-48-0x000007FEF2360000-0x000007FEF2CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2476-52-0x000007FEF2360000-0x000007FEF2CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2872-35-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2872-40-0x000007FEF2D00000-0x000007FEF369D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-36-0x000007FEF2D00000-0x000007FEF369D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-34-0x000007FEF2D00000-0x000007FEF369D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-37-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2872-39-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2872-38-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download