zgrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/files/0x000300000002272c-8.dat	family_zgrat_v1
behavioral2/files/0x000300000002272c-14.dat	family_zgrat_v1
behavioral2/memory/4760-15-0x0000000000590000-0x00000000005EA000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000300000002272c-13.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Executes dropped EXE 1 IoCs

pid	Process
4760	flesh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4760	flesh.exe
4760	flesh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	4363463463464363463463463.exe
Token: SeDebugPrivilege	4760	flesh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 4760	1824	4363463463464363463463463.exe	92
PID 1824 wrote to memory of 4760	1824	4363463463464363463463463.exe	92
PID 1824 wrote to memory of 4760	1824	4363463463464363463463463.exe	92

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
  2⤵
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe

Filesize
62KB

MD5
5f691c24c109a5bf58dd5035d409b51a

SHA1
ae1110d5bbe2036579c7e7373bfd7fc78252cd5b

SHA256
f2d062f2d4b94e715bc289364b06e0c8c553d48ad9db25f4c8b272e31c1e1247

SHA512
aff65f8224e38da0d1589e468160931e7b69a2d78b32fe3929c3f583f94a2c822b2b173e67f149099f762dc86f0a2e75e840533705f6805f13b67952f1022a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe

Filesize
54KB

MD5
4a5281097c7a60edb10a2807a6f3236b

SHA1
65efc50d6ac630d2c3ca60e5936860630b9d5dec

SHA256
d59d1f60c7fb9585b234cdf8905672ee6ff05684ace2286a8b1b5313e58f2f3a

SHA512
b73d2b49d6a5e5c8d0b8e9bcdf50a1c97f262e5c336682073bbe0d8fe54b999a26411038831e881544d39c4e46c5bcec101a350a015d8addb650b4eaaa41a0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe

Filesize
58KB

MD5
b4834d12a9f05625cc999f47ce290158

SHA1
d3cc5f15a71c9c3014d6a65caa45ebb862338cf8

SHA256
304b3f6aa26a8ec0b9a2966b1eee674368cc6d6e37f2bfda851adf881d95b994

SHA512
cb7728e29d4c8ebf0538c9ed3a01de0f53e1822b17a3cc442a5793d5018670d43dc313ef20103c7c8119c6ebab7588fcb5a515949491a2d95ff53b93f1596894

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe

Filesize
160KB

MD5
0d63d73b6c5d284b1d29897d15d167e3

SHA1
54fdb14689b4e181aaea111b01935d8409a2bbfc

SHA256
13c8c726182c101b81fa758e4b467c86a64c492507f6f2bf7f9ae4e2db49c319

SHA512
9d2c5fd4d176cca06aece75cb322a995eda934fbcb3b0099e9fede4f4236a8889a5da0ad591de5b630082d3b6b69075f5b7ae93744354bc2eaf678e95e0fc373

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe

Filesize
130KB

MD5
8c847e80f700d312d59d5d761e5075ce

SHA1
ab951e2d6f6e69befa09107e31127f1795bd3b97

SHA256
564afd8b9d3eefe5381919a25751eece619dac36697ae36c89bbd4a1401a6157

SHA512
13c949b83ecdfce480ebf3fe23376f0ca719f9ae25588d3be433814ba275bbdf856db6d74bd38d57b9ded4d8d4a03230488d3f2fa4aed7affd7264d965c6682b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe

Filesize
149KB

MD5
8d339be0801701230971f52ee55c66d9

SHA1
e4927d0bae0cdf46770365ad8a0d5651d68623de

SHA256
5384edcbfc10a3209a373a095453a6c6ac922aee8505b968a604610e85f579c8

SHA512
35a80b4de388bbeecbb684590da2203d9560decb8e29e76bca9eadb3270e337695cbbefa9ba95ce146443e5680a5720ca075af584c00a3abd36dd4d7a49afa15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
998KB

MD5
cc3e279aa72e600ac7aec70790daca32

SHA1
3d1ef11fc3cfd4455e21db50da467d7e4e2f2632

SHA256
2cb109c5b7a21c8ad1904a99670d7b97eb4c2ce0241c7d01b6cb66f7cc170027

SHA512
18cc116dfb07f9c169b2ad704936f979311782e8900c2979c947d29b0b4043cb93520922fbbbc31f4be43624b974224358f7079f159f2dd72d4dc0039eec78e7

Download Submit
memory/1824-3-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1824-2-0x0000000004B30000-0x0000000004BCC000-memory.dmp

Filesize
624KB

Download
memory/1824-1-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/1824-0-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/1824-32-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1824-31-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/4760-22-0x0000000004F40000-0x0000000004F8C000-memory.dmp

Filesize
304KB

Download
memory/4760-30-0x0000000007A80000-0x0000000007FAC000-memory.dmp

Filesize
5.2MB

Download
memory/4760-23-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download
memory/4760-24-0x0000000005D80000-0x0000000005DF6000-memory.dmp

Filesize
472KB

Download
memory/4760-25-0x0000000005EA0000-0x0000000005F32000-memory.dmp

Filesize
584KB

Download
memory/4760-26-0x00000000064F0000-0x0000000006A94000-memory.dmp

Filesize
5.6MB

Download
memory/4760-27-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/4760-28-0x0000000006AF0000-0x0000000006B40000-memory.dmp

Filesize
320KB

Download
memory/4760-29-0x0000000006D10000-0x0000000006ED2000-memory.dmp

Filesize
1.8MB

Download
memory/4760-21-0x0000000004F00000-0x0000000004F3C000-memory.dmp

Filesize
240KB

Download
memory/4760-19-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

Filesize
72KB

Download
memory/4760-20-0x0000000004FD0000-0x00000000050DA000-memory.dmp

Filesize
1.0MB

Download
memory/4760-33-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/4760-34-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/4760-18-0x00000000054A0000-0x0000000005AB8000-memory.dmp

Filesize
6.1MB

Download
memory/4760-16-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/4760-17-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/4760-15-0x0000000000590000-0x00000000005EA000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing