zgrat | 2501e01c4f196967e005c2969f1d692ca8adcb24a23c5d6fb13f9a0b71f2d8c8

Analysis

max time kernel
0s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53d9dc9fa9cc34f33fe03b7c5f5fce6b.js
Size

1.1MB
MD5

53d9dc9fa9cc34f33fe03b7c5f5fce6b
SHA1

8d906ed4bfd58c0220765721298ce2e75256b568
SHA256

2501e01c4f196967e005c2969f1d692ca8adcb24a23c5d6fb13f9a0b71f2d8c8
SHA512

baa55aa8cad643bf63ef21b6413d4bd3fb92c702588f95b650187b06189ae2a191945a777856662fd5d0801115700e4c7a6de3143b1e03a5bb666040bfdb1ca7
SSDEEP

24576:VnnSnOBVKSjE0WomnrAXLjEYwbsC6fwC1prbsHn0NO2IOU:lcnraeWHrAg0J

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 10 IoCs

resource	yara_rule
behavioral1/memory/2808-173-0x0000000008380000-0x00000000083E6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-185-0x0000000008380000-0x00000000083E6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-183-0x0000000008380000-0x00000000083E6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-181-0x0000000008380000-0x00000000083E6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-179-0x0000000008380000-0x00000000083E6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-177-0x0000000008380000-0x00000000083E6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-175-0x0000000008380000-0x00000000083E6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-171-0x0000000008380000-0x00000000083E6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-169-0x0000000008380000-0x00000000083E6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-168-0x0000000008380000-0x00000000083E6000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	37.235.1.177
Destination IP	37.235.1.174
Destination IP	37.235.1.174
Destination IP	37.235.1.177
Destination IP	37.235.1.174

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\53d9dc9fa9cc34f33fe03b7c5f5fce6b.js
1⤵
PID:2616
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FXdRinYHQL.js"
  2⤵
  PID:2264
- C:\Users\Admin\AppData\Roaming\NEW COPY DOC_SCANNED ORDER_AUG_IMG_6210332111_CIF_EXW.exe
  "C:\Users\Admin\AppData\Roaming\NEW COPY DOC_SCANNED ORDER_AUG_IMG_6210332111_CIF_EXW.exe"
  2⤵
  PID:2808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
    3⤵
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    3⤵
    PID:572
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Wbgaudpiceqjoa.vbs"
    3⤵
    PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\200chrome.exe'
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
1KB

MD5
553ecbf87f18653de3b9978e7ceeb20c

SHA1
88f5ed0ad85a66980b628ae720cfaf288c59ea00

SHA256
e6c7c52dcb4b14f2af02291eaa0c3282bd9617cf221fbb8411e85040b8f9ad07

SHA512
7daedce04d6b1da7efbed562b59a633fde9d919472284c14eda2225242576ab2a705d883016056b52da82067ee714ed9013002e07ca2528d54bd174039ef3d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Wbgaudpiceqjoa.vbs

Filesize
177B

MD5
bcc3b867bb0c9c09b3fd8ae278b884b6

SHA1
b5fe9dad81f92ee435ca9c7c4b9e9072e2849190

SHA256
57aa202b554994ab30f3a59b47e7b8044f716eb4a9d1c7ced6b9f79d26de7ad8

SHA512
f30f88b89e505f02529b645f5df7e7c77a540115229c93b42b9e87e3189c3d999f0ad7bc4661c5d487bc6e72650f5e06be1223e8092a9afd0d5482a16e554985

Download Submit
C:\Users\Admin\AppData\Roaming\FXdRinYHQL.js

Filesize
5KB

MD5
a91b9d93780a40804247ad3f0808b05d

SHA1
1e9a4f8a54630ddda3d0f5af04bfe4a022cde583

SHA256
f7f108cd530c91102d39f3c0005e5a4e32a86c17c0a32c15a73dc2482f02b319

SHA512
9660631a4ad6a64460203cc657eecac8e6769746b4534c33d20512e1ff8bff72dac82a503b0a0a45c2335d090971234f5a5085c7f13ea07563203d6a1a383b6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VHON99FTAH7R66MJHHOM.temp

Filesize
7KB

MD5
00289ce20d78c2b17af8029573877a7b

SHA1
401b543a9603eebd4cc1a4939323e641c1a14992

SHA256
74c1c8a752d7ac5ea8a4147d688973daa7d6297632d2faf67e210adc10f22c4b

SHA512
d01a030772f5a6eb8a6d4f2cd1a78b7748841476fe80fea12b76da2c7adaa3a9140ba753dfd1badcae5eca614f26381b87bfd3030035c78e666bf9e62f8dfac9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
5KB

MD5
c778e8209494d369bd84bdac7ca81b3a

SHA1
e07041a7c5abf8a8721a712e9a26fe6bcea13cb8

SHA256
e352682e700635e149b7217ad1f49f6b814d2edbd6c151b8d25604dfae20b255

SHA512
82642fe90933291e5ac86fb7681f88f64206e2731abbf7b13aa48ffe83f53719f62ec524ac2be4c9f780ed026207c607400e4f24f33dbff252e2bacb0e2dc112

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\200chrome.exe

Filesize
47KB

MD5
a9d12917678def9c0a081a649ea1da60

SHA1
662d55c16877dbcea53eb5051024ec6b576a60a2

SHA256
9c1dd90cd201f598910358f40e513db1b8a2fde01cd664d0fc29b6770025486c

SHA512
8c38fc9a894570f224dab5fbaa556d2d7d10361f631aff90dad5b3efc28a7b5d5ae2b08c5fbf6e222531db97c8699842ff311b460b0d53de680878f1464083b8

Download Submit
C:\Users\Admin\AppData\Roaming\NEW COPY DOC_SCANNED ORDER_AUG_IMG_6210332111_CIF_EXW.exe

Filesize
14KB

MD5
28c3030ec392c9db429a9374575a8a50

SHA1
8fd1878a3b15824d9798c2d3da2afa37c484448d

SHA256
806e62f07c9de33199122455713d5304336bc7974c6484903004e8c38d478905

SHA512
7102ee4cdc795bd1ad3e6a72d82fdb8e8d37229969f5e429ba6b3f41efd63d06ec7645dc045fc28d1cd3930bc97489ef01a515de0b70820f97aef5ffcdd032d0

Download Submit
C:\Users\Admin\AppData\Roaming\NEW COPY DOC_SCANNED ORDER_AUG_IMG_6210332111_CIF_EXW.exe

Filesize
15KB

MD5
ad8c5ef8c4f6e74d2341eea74a464d23

SHA1
8ba65d8c09c610215d83fe059d35c1a6d37be2a1

SHA256
40d7c116074a379ceac74b23a142a38e4fe68586443facb5797c9348c0972c97

SHA512
0aa1813c2c4e60e12c774477f0d20a433e34dac54c2739b7f6991772a37bee07f66ddd4022538ab9439e93d8e71788f0d3d43468d9d9d1ea26aaa8782eb5524f

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
1KB

MD5
ac89f5979b9107f597aa2f781133f806

SHA1
072eae4ad2f53a895ce235dc2acaccc18abcb4be

SHA256
930f8868fcb6729cd8b8ddbb5ff81276b234cf90bded05e16b28168fbc070727

SHA512
de530d6fa95af93a4766e0dcd41ef88736b97b6a1f6470a1c74a8416be5805f4eb71c7054cb58030654512da0c4867a34a5ae2e13850180acdf773fb9989295e

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
40KB

MD5
6751274c85a5000bb2237b45915681c1

SHA1
35fb0d82cd50022b314508b42518a55c38c1d471

SHA256
413846b9bd42127228421b688dafeabc4e0a8aaa83511e297260d1d03014ec53

SHA512
d24a7ce7f58e0e366eed255766de695ce9242ad641a3362eedb705c824baf21134839517e63fce98663ccb14447a125543ec27d28c402dcdfc21801a39783a30

Download Submit
memory/1392-75-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1392-69-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1392-70-0x0000000002EB0000-0x0000000002EF0000-memory.dmp

Filesize
256KB

Download
memory/1392-71-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1392-72-0x0000000002EB0000-0x0000000002EF0000-memory.dmp

Filesize
256KB

Download
memory/1392-74-0x0000000002EB0000-0x0000000002EF0000-memory.dmp

Filesize
256KB

Download
memory/1532-108-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-107-0x0000000001C90000-0x0000000001CD0000-memory.dmp

Filesize
256KB

Download
memory/1532-106-0x0000000001C90000-0x0000000001CD0000-memory.dmp

Filesize
256KB

Download
memory/1532-104-0x0000000001C90000-0x0000000001CD0000-memory.dmp

Filesize
256KB

Download
memory/1532-105-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-103-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-40-0x0000000002C30000-0x0000000002C70000-memory.dmp

Filesize
256KB

Download
memory/1580-39-0x0000000002C30000-0x0000000002C70000-memory.dmp

Filesize
256KB

Download
memory/1580-38-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-37-0x0000000002C30000-0x0000000002C70000-memory.dmp

Filesize
256KB

Download
memory/1580-36-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-41-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-62-0x0000000002B70000-0x0000000002BB0000-memory.dmp

Filesize
256KB

Download
memory/1704-57-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-58-0x0000000002B70000-0x0000000002BB0000-memory.dmp

Filesize
256KB

Download
memory/1704-59-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-63-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-61-0x0000000002B70000-0x0000000002BB0000-memory.dmp

Filesize
256KB

Download
memory/1704-60-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1864-118-0x0000000002EB0000-0x0000000002EF0000-memory.dmp

Filesize
256KB

Download
memory/1864-115-0x0000000002EB0000-0x0000000002EF0000-memory.dmp

Filesize
256KB

Download
memory/1864-117-0x0000000002EB0000-0x0000000002EF0000-memory.dmp

Filesize
256KB

Download
memory/1864-116-0x000000006FC60000-0x000000007020B000-memory.dmp

Filesize
5.7MB

Download
memory/1864-114-0x000000006FC60000-0x000000007020B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-47-0x000000006FC60000-0x000000007020B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-49-0x000000006FC60000-0x000000007020B000-memory.dmp

Filesize
5.7MB

Download
memory/2052-50-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2052-48-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2052-51-0x000000006FC60000-0x000000007020B000-memory.dmp

Filesize
5.7MB

Download
memory/2128-93-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/2128-96-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/2128-97-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/2128-94-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/2128-92-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/2128-95-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-86-0x000000006FC60000-0x000000007020B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-81-0x000000006FC60000-0x000000007020B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-85-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2344-83-0x000000006FC60000-0x000000007020B000-memory.dmp

Filesize
5.7MB

Download
memory/2344-82-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2544-19-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-17-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2544-18-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-16-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2544-15-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2544-14-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-144-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-158-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-11-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2808-9-0x0000000000E20000-0x0000000000EC0000-memory.dmp

Filesize
640KB

Download
memory/2808-10-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-73-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-119-0x0000000005040000-0x00000000050BE000-memory.dmp

Filesize
504KB

Download
memory/2808-124-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-150-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-166-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-164-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-173-0x0000000008380000-0x00000000083E6000-memory.dmp

Filesize
408KB

Download
memory/2808-185-0x0000000008380000-0x00000000083E6000-memory.dmp

Filesize
408KB

Download
memory/2808-183-0x0000000008380000-0x00000000083E6000-memory.dmp

Filesize
408KB

Download
memory/2808-181-0x0000000008380000-0x00000000083E6000-memory.dmp

Filesize
408KB

Download
memory/2808-179-0x0000000008380000-0x00000000083E6000-memory.dmp

Filesize
408KB

Download
memory/2808-177-0x0000000008380000-0x00000000083E6000-memory.dmp

Filesize
408KB

Download
memory/2808-175-0x0000000008380000-0x00000000083E6000-memory.dmp

Filesize
408KB

Download
memory/2808-171-0x0000000008380000-0x00000000083E6000-memory.dmp

Filesize
408KB

Download
memory/2808-169-0x0000000008380000-0x00000000083E6000-memory.dmp

Filesize
408KB

Download
memory/2808-168-0x0000000008380000-0x00000000083E6000-memory.dmp

Filesize
408KB

Download
memory/2808-162-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-160-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-121-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-156-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-154-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-152-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-148-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-146-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-84-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2808-142-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-140-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-138-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-136-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-134-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-132-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-130-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-128-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-126-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2808-122-0x0000000005040000-0x00000000050B8000-memory.dmp

Filesize
480KB

Download
memory/2956-25-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/2956-29-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2956-28-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2956-27-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/2956-30-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/2956-26-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download