zgrat | 0b5b79893faa97f10737f52617ff8cdf0de0c0e064ae8303cd12eddf23ee2141

Analysis

max time kernel
1574s
max time network
1792s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd2739067bfd088a6a1e5f7502105643.exe
Size

721KB
MD5

dd2739067bfd088a6a1e5f7502105643
SHA1

819dd6a079abab8d34f85d9a1d06a0d556745fb7
SHA256

0b5b79893faa97f10737f52617ff8cdf0de0c0e064ae8303cd12eddf23ee2141
SHA512

b246edb5d53c1794dab80a6bbcb2997e47a5868e7ccb67accebaf3797413d66edd82a73aeb4444aadea8fcc7f9e0bc3c83ae806caf78e4f16db0c0688801f9ad
SSDEEP

12288:3izZBEP85HLKFLHOa8VnCTvy3PvoD5Xi0ztOTQHmO8eaktaLh/x2:S9BEP8RLKFLuPnCJln5OcHh8eaiC52

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/2288-11-0x0000000006B50000-0x0000000006BC0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 2512	2288	dd2739067bfd088a6a1e5f7502105643.exe	102

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2512	dd2739067bfd088a6a1e5f7502105643.exe
2512	dd2739067bfd088a6a1e5f7502105643.exe
2512	dd2739067bfd088a6a1e5f7502105643.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2512	2288	dd2739067bfd088a6a1e5f7502105643.exe	102
PID 2288 wrote to memory of 2512	2288	dd2739067bfd088a6a1e5f7502105643.exe	102
PID 2288 wrote to memory of 2512	2288	dd2739067bfd088a6a1e5f7502105643.exe	102
PID 2288 wrote to memory of 2512	2288	dd2739067bfd088a6a1e5f7502105643.exe	102
PID 2288 wrote to memory of 2512	2288	dd2739067bfd088a6a1e5f7502105643.exe	102
PID 2288 wrote to memory of 2512	2288	dd2739067bfd088a6a1e5f7502105643.exe	102

C:\Users\Admin\AppData\Local\Temp\dd2739067bfd088a6a1e5f7502105643.exe
"C:\Users\Admin\AppData\Local\Temp\dd2739067bfd088a6a1e5f7502105643.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\dd2739067bfd088a6a1e5f7502105643.exe
  "C:\Users\Admin\AppData\Local\Temp\dd2739067bfd088a6a1e5f7502105643.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2288-8-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/2288-13-0x0000000006AE0000-0x0000000006B18000-memory.dmp

Filesize
224KB

Download
memory/2288-0-0x00000000000A0000-0x000000000015A000-memory.dmp

Filesize
744KB

Download
memory/2288-3-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/2288-4-0x0000000004E00000-0x0000000005154000-memory.dmp

Filesize
3.3MB

Download
memory/2288-5-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/2288-6-0x0000000004CF0000-0x0000000004CFA000-memory.dmp

Filesize
40KB

Download
memory/2288-7-0x0000000006300000-0x0000000006310000-memory.dmp

Filesize
64KB

Download
memory/2288-2-0x0000000005170000-0x0000000005714000-memory.dmp

Filesize
5.6MB

Download
memory/2288-9-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/2288-11-0x0000000006B50000-0x0000000006BC0000-memory.dmp

Filesize
448KB

Download
memory/2288-10-0x00000000068A0000-0x00000000068AA000-memory.dmp

Filesize
40KB

Download
memory/2288-12-0x0000000007F30000-0x0000000007FCC000-memory.dmp

Filesize
624KB

Download
memory/2288-1-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/2288-17-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/2512-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-18-0x0000000001340000-0x000000000168A000-memory.dmp

Filesize
3.3MB

Download
memory/2512-19-0x0000000001340000-0x000000000168A000-memory.dmp

Filesize
3.3MB

Download