Malware Analysis Report

2025-08-05 12:01

Sample ID 240115-ffe1lsaeg8
Target 18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92
SHA256 18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92
Tags zgrat sectoprat rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92

Threat Level: Known bad

The file 18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92 was found to be: Known bad.

Malicious Activity Summary

zgrat sectoprat rat trojan

SectopRAT

Detects Arechclient2 RAT

SectopRAT payload

ZGRat

Detect ZGRat V1

Zgrat family

Loads dropped DLL

Drops startup file

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:48

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Zgrat family

zgrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:48

Reported

2024-01-15 04:53

Platform

win7-20231129-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects Arechclient2 RAT

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2884 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2884 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe

"C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Network

N/A

Files

memory/2884-1-0x0000000000990000-0x0000000001020000-memory.dmp

memory/2884-0-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2884-2-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2884-3-0x0000000004B40000-0x0000000004B80000-memory.dmp

memory/2884-4-0x00000000069F0000-0x0000000006D3E000-memory.dmp

memory/2884-5-0x0000000007F90000-0x0000000008122000-memory.dmp

memory/2884-14-0x0000000004B40000-0x0000000004B80000-memory.dmp

memory/2884-13-0x0000000000430000-0x0000000000440000-memory.dmp

memory/2884-17-0x0000000004B40000-0x0000000004B80000-memory.dmp

memory/2884-19-0x0000000004B40000-0x0000000004B80000-memory.dmp

memory/2104-23-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/2104-31-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/2104-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2104-27-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/2104-25-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/2104-21-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/2884-20-0x0000000004B40000-0x0000000004B80000-memory.dmp

memory/2884-18-0x00000000082C0000-0x00000000083C0000-memory.dmp

memory/2884-16-0x0000000004B40000-0x0000000004B80000-memory.dmp

memory/2884-15-0x0000000004B40000-0x0000000004B80000-memory.dmp

memory/2884-12-0x0000000004B40000-0x0000000004B80000-memory.dmp

memory/2884-11-0x0000000004B40000-0x0000000004B80000-memory.dmp

memory/2884-10-0x0000000004B40000-0x0000000004B80000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 2cd3fbdf05c11ebc7f9b83a73076c932
SHA1 6811bebe234804ace14ff997f6f6d2c60a6fa9af
SHA256 6cad1be4178e70091a3bb49050e8442d4dfa0b68e4843b2c3c50c8b53357c84e
SHA512 0740492fda533717806dbc1ab8d022eccdb661e0e5605f8d6533134be53af2087ba5c66913b3424e75513a2e7bf32e4d7215933f51c26bc6132f3e1d65a58a9b

memory/2884-32-0x0000000074B20000-0x000000007520E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:48

Reported

2024-01-15 04:53

Platform

win10-20231215-en

Max time kernel

271s

Max time network

294s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects Arechclient2 RAT

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Garden_and_vegetable_garden_in_an_easy.lnk | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 220 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 220 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 220 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 220 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 220 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 220 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 220 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 220 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 220 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 220 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 220 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe

"C:\Users\Admin\AppData\Local\Temp\18438ba9ff004f421bef169685a080e71fb69f68680411102dbad5d987c01b92.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Network

Country | Destination | Domain | Proto
RU | 194.26.29.153:15648 | | tcp
US | 8.8.8.8:53 | 153.29.26.194.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp

Files

memory/220-1-0x00000000006D0000-0x0000000000D60000-memory.dmp

memory/220-0-0x0000000073370000-0x0000000073A5E000-memory.dmp

memory/220-2-0x00000000055E0000-0x000000000567C000-memory.dmp

memory/220-3-0x0000000073370000-0x0000000073A5E000-memory.dmp

memory/220-4-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/220-5-0x0000000006B20000-0x0000000006E6E000-memory.dmp

memory/220-6-0x00000000080C0000-0x0000000008252000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 5807556d5308c2c03cff59a5ff183474
SHA1 dfe800b98a503540a455d40b42b3f0bc48ec6c94
SHA256 44801689814a65c9c04eae38ebb0117abfa05627bac7bbfef831c62230ec55b6
SHA512 5db2496622ac6feee2a804686c234e6a0b7df03552ab352ae9988a37d9f851501418ff45bbacb4e1e65a732a6a0f7e09e437c6468a78697b0313789215bf243a

memory/220-12-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

memory/220-16-0x0000000008620000-0x0000000008720000-memory.dmp

memory/3692-18-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/220-17-0x0000000008620000-0x0000000008720000-memory.dmp

memory/3692-20-0x0000000005050000-0x00000000050E2000-memory.dmp

memory/3692-21-0x0000000005330000-0x0000000005340000-memory.dmp

memory/3692-22-0x0000000005340000-0x0000000005502000-memory.dmp

memory/3692-24-0x00000000050F0000-0x0000000005140000-memory.dmp

memory/3692-23-0x0000000005A10000-0x0000000005F0E000-memory.dmp

memory/3692-19-0x0000000073370000-0x0000000073A5E000-memory.dmp

memory/3692-25-0x0000000005210000-0x0000000005286000-memory.dmp

memory/220-15-0x0000000008620000-0x0000000008720000-memory.dmp

memory/3692-26-0x0000000006440000-0x000000000696C000-memory.dmp

memory/3692-27-0x00000000057F0000-0x000000000580E000-memory.dmp

memory/220-14-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/220-13-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/3692-28-0x00000000058F0000-0x0000000005956000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF484.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/220-38-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/220-44-0x0000000073370000-0x0000000073A5E000-memory.dmp

memory/3692-45-0x0000000073370000-0x0000000073A5E000-memory.dmp

memory/3692-46-0x0000000005330000-0x0000000005340000-memory.dmp