zgrat | 6d7fac5d7bfe833eb0756a174ceb9ea8280cd3f9858215924284af1b559bd81f

General

Target

537d313f3dfe75d7a9d4f36f80cce049.exe
Size

1.8MB
MD5

537d313f3dfe75d7a9d4f36f80cce049
SHA1

a9d34d4ef62afbeed8f74c18c212e2c1d4c3f7cb
SHA256

6d7fac5d7bfe833eb0756a174ceb9ea8280cd3f9858215924284af1b559bd81f
SHA512

c4b698a6058f935c1db07ac92ae5e39a2e90f9e07d536ab2b6045ca539115bd1f5c7088f51d12a9edaab76befc41b0e8584a2cef4c1f906366d0a09687bbea9c
SSDEEP

49152:pAESWFubG04k1ImcRlJtquEwR/r28SJ4tIMBegTbV:MZGXk12nt5Fr28Sqt7UgTbV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2376-24-0x00000000023D0000-0x0000000002446000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-28-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-50-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-74-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-88-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-86-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-84-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-82-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-80-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-78-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-76-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-72-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-70-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-68-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-66-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-64-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-62-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-60-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-58-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-56-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-54-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-52-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-48-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-46-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-44-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-42-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-40-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-38-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-36-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-34-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-32-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-30-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-26-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-25-0x00000000023D0000-0x0000000002440000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

537d313f3dfe75d7a9d4f36f80cce049.exe

description	pid	process	target process
PID 2376 wrote to memory of 2988	2376	537d313f3dfe75d7a9d4f36f80cce049.exe	powershell.exe
PID 2376 wrote to memory of 2988	2376	537d313f3dfe75d7a9d4f36f80cce049.exe	powershell.exe
PID 2376 wrote to memory of 2988	2376	537d313f3dfe75d7a9d4f36f80cce049.exe	powershell.exe
PID 2376 wrote to memory of 2988	2376	537d313f3dfe75d7a9d4f36f80cce049.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
"C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
2⤵
PID:2988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
2⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
2⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
2⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
2⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
2⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
2⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
2⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
2⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
2⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
2⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
2⤵
PID:2464

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Kthavoimchnr.vbs"
2⤵
PID:2504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\outlook.exe'
1⤵
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Kthavoimchnr.vbs
Filesize
137B

MD5
41c8a8551ff6fc7a2b9aadcff976ca0f

SHA1
444db8be2af0b1128229ac46e4963e0570159c3c

SHA256
bc147b5a209f5db13fa86ce6906be0d4dfec76469af3f304d490f10443cf5df5

SHA512
b52b716c3827a20d9298a32c8243f8e506c77c4be10e29e39a17ba303d0c65d70e257ab4f1c7368e99608c53ec12e6a1e7287e3d644df1f4cdbc539a501763c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G1P70OFTQ77TQJBB4KMX.temp
Filesize
7KB

MD5
30ad202af14606df34b8444483831556

SHA1
97925ccb0d13a68b877e2ca0b94bb393a23318b4

SHA256
1e19ca99e65ee11b7b20016a2fe5df3813565c8707c83de06cb1163de3f24e68

SHA512
33fccbc368f36365509be0f346019bd8ebb192547daba6bf6f7095bc32223300b14c2166af0fc0a84c883c6872992c15c693399375f2b7115c5374b621aeb6de

Download Submit
memory/2376-42-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-2-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/2376-2357-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2376-0-0x00000000001D0000-0x000000000039A000-memory.dmp

Filesize
1.8MB

Download
memory/2376-23-0x0000000005F10000-0x00000000060C2000-memory.dmp

Filesize
1.7MB

Download
memory/2376-25-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-66-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-26-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-30-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-32-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-34-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-36-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-38-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-21-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2376-22-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/2376-24-0x00000000023D0000-0x0000000002446000-memory.dmp

Filesize
472KB

Download
memory/2376-28-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-50-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-74-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-64-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-86-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-84-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-82-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-80-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-78-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-76-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-72-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-70-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-68-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-40-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-88-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-62-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-60-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-58-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-56-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-54-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-52-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-48-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-46-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-44-0x00000000023D0000-0x0000000002440000-memory.dmp

Filesize
448KB

Download
memory/2376-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-2358-0x000000006FAD0000-0x000000007007B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-2359-0x0000000002A60000-0x0000000002AA0000-memory.dmp

Filesize
256KB

Download
memory/2600-2361-0x0000000002A60000-0x0000000002AA0000-memory.dmp

Filesize
256KB

Download
memory/2600-2362-0x000000006FAD0000-0x000000007007B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-2360-0x000000006FAD0000-0x000000007007B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-18-0x000000006F870000-0x000000006FE1B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-20-0x000000006F870000-0x000000006FE1B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-16-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2764-17-0x000000006F870000-0x000000006FE1B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-19-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2764-15-0x000000006F870000-0x000000006FE1B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-8-0x0000000002910000-0x0000000002950000-memory.dmp

Filesize
256KB

Download
memory/2988-5-0x000000006FB20000-0x00000000700CB000-memory.dmp

Filesize
5.7MB

Download
memory/2988-7-0x0000000002910000-0x0000000002950000-memory.dmp

Filesize
256KB

Download
memory/2988-9-0x000000006FB20000-0x00000000700CB000-memory.dmp

Filesize
5.7MB

Download
memory/2988-6-0x000000006FB20000-0x00000000700CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing