zgrat | 12b9219af3987966cff3cb1922724f936db9057a21ec6f583ca61399ae082f13

Analysis

max time kernel
3s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

458b61b6d0cc95c8b8f9efc039afdee0.exe
Size

1.8MB
MD5

458b61b6d0cc95c8b8f9efc039afdee0
SHA1

2219421a1f46abddc293864cb672be6ac9fb5178
SHA256

12b9219af3987966cff3cb1922724f936db9057a21ec6f583ca61399ae082f13
SHA512

29c86526249f3cd2a84640038246026872dd5345c36b49dd9cd905cc03df898db8d61147e7997bbec6728b36f33c9cfdfb688c265e656c4d2ee99f35b93b93b4
SSDEEP

49152:oJdAMg7BSRxPlpfTuvecJNhVj3BdfaQWg167O:dz7WNpfTuZJNhZ3BdfaQnH

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 32 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3584-144-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-154-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-164-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-170-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-178-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-190-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-198-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-196-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-194-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-192-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-188-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-186-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-184-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-182-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-180-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-176-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-174-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-172-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-168-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-166-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-162-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-160-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-158-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-156-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-152-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-150-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-148-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-146-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-142-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-140-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-138-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1
behavioral2/memory/3584-137-0x00000000061B0000-0x000000000622B000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

458b61b6d0cc95c8b8f9efc039afdee0.exe

pid process

852 458b61b6d0cc95c8b8f9efc039afdee0.exe

pid	process
852	458b61b6d0cc95c8b8f9efc039afdee0.exe

C:\Users\Admin\AppData\Local\Temp\458b61b6d0cc95c8b8f9efc039afdee0.exe
"C:\Users\Admin\AppData\Local\Temp\458b61b6d0cc95c8b8f9efc039afdee0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:852
- C:\ProgramData\Anyname.exe
  "C:\ProgramData\Anyname.exe"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
    C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
    3⤵
    PID:3692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  PID:4676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Anyname.exe

Filesize
55KB

MD5
a435c4300b641deb5b4a62b0619b7508

SHA1
ba234df4d680129b8dd4276444c83bfce4601be2

SHA256
ffb3ae06a4aa47f69021f2e56a3c4dde329ec5103694bbc849de7c1b7a1fe943

SHA512
0ffafc60331152fe1bdac9775c2d4727bfced0233e1f8925a125c6bba33a8f5c879d62bbd36c3bb5cc500cf55b5f942197a23d0d93509a5ec86a357e40f3fe9b

Download Submit
C:\ProgramData\Anyname.exe

Filesize
32KB

MD5
88781f6a985ca3a97a897aeecf704fc9

SHA1
c27597226ea3f25e57623bc11d54df3ea2b055f6

SHA256
9efd7c68a70a36b4ab8313f653009c0cca4e3768e29c41360eed55618f01fc15

SHA512
9d4a5b6c4c15109492eb6750a947b72aa357d5d74038c1b2215a3976c77085b5dd4b7916c2a21f5d5420443cfa1accc45889d835c38041e0aeb7433230dd9649

Download Submit
C:\ProgramData\Anyname.exe

Filesize
37KB

MD5
f246b698ac69af03d5bd61fd22a83815

SHA1
c0caadee0eb894ef0c55ad2a7bc17d58ad0c4c8e

SHA256
eae30e75c8a87358c7104a3874c953a621bbb4e72ed6c88f67bf397d5d44b138

SHA512
1046ef8141312113744edb0eab17c37c5d8fcd1883de39b178a1c4e27ebfe5e343ff64667e0dd23f4a5c241455340115e926232fda78c17785e280c383e094bf

Download Submit
memory/852-74-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-72-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-15-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-18-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-20-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-25-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-31-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-33-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-38-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-40-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-42-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-71-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-45-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-48-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-50-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-52-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-54-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-58-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-60-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-65-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-68-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-70-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-75-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-79-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-82-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-84-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-83-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-81-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-80-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-101-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-99-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-103-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-107-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-109-0x0000000003A00000-0x0000000003A08000-memory.dmp

Filesize
32KB

Download
memory/852-108-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-105-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-104-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-113-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-117-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-73-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-2-0x00000000772A2000-0x00000000772A3000-memory.dmp

Filesize
4KB

Download
memory/852-3-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/852-78-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-13-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-77-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-14-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-76-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-8-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-16-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-44-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-12-0x0000000074EF0000-0x000000007504D000-memory.dmp

Filesize
1.4MB

Download
memory/852-67-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-62-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-56-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-36-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-29-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/852-27-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-23-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1732-106-0x00000000009B0000-0x0000000000A3C000-memory.dmp

Filesize
560KB

Download
memory/1732-115-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download
memory/1732-114-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/1732-112-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/1732-111-0x0000000073280000-0x0000000073A30000-memory.dmp

Filesize
7.7MB

Download
memory/1732-110-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/3584-148-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-174-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-154-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-164-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-170-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-178-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-190-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-198-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-196-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-194-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-184-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-116-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/3584-188-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-192-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-182-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-180-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-176-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-144-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-172-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-168-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-166-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-162-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-160-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-158-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-156-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-152-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-150-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-186-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-146-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-142-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-140-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-138-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download
memory/3584-137-0x00000000061B0000-0x000000000622B000-memory.dmp

Filesize
492KB

Download