Malware Analysis Report

2025-08-05 12:01

Sample ID 240115-ffkwvshfbj
Target 1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f
SHA256 1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f
Tags
zgrat sectoprat rat trojan
score
10/10

Table of Contents

  Analysis Overview
    MITRE ATT&CK
      Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f

Threat Level: Known bad

The file 1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f was found to be: Known bad.

Malicious Activity Summary

zgrat sectoprat rat trojan

SectopRAT

Detect ZGRat V1

Zgrat family

Detects Arechclient2 RAT

SectopRAT payload

ZGRat

Drops startup file

.NET Reactor protector

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:48

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Zgrat family

zgrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:48

Reported

2024-01-15 04:54

Platform

win7-20231215-en

Max time kernel

256s

Max time network

262s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detects Arechclient2 RAT

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1048 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe

"C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Network

Country Destination Domain Proto
RU 194.26.29.153:15648 tcp

Files

memory/1048-0-0x0000000000F50000-0x00000000014E0000-memory.dmp

memory/1048-1-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/1048-2-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/1048-3-0x0000000005310000-0x0000000005350000-memory.dmp

memory/1048-4-0x0000000006900000-0x0000000006BEE000-memory.dmp

memory/1048-5-0x0000000006BF0000-0x0000000006D82000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/1048-10-0x0000000005310000-0x0000000005350000-memory.dmp

memory/1048-11-0x0000000005310000-0x0000000005350000-memory.dmp

memory/1048-12-0x0000000005310000-0x0000000005350000-memory.dmp

memory/1048-13-0x0000000000210000-0x0000000000220000-memory.dmp

memory/1048-14-0x0000000005310000-0x0000000005350000-memory.dmp

memory/1048-15-0x0000000005310000-0x0000000005350000-memory.dmp

memory/1048-16-0x0000000006F40000-0x0000000007040000-memory.dmp

memory/1048-17-0x0000000005310000-0x0000000005350000-memory.dmp

memory/1048-18-0x0000000005310000-0x0000000005350000-memory.dmp

memory/3020-19-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/3020-20-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/3020-21-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/3020-22-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/3020-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3020-25-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/3020-27-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/3020-29-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/3020-30-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/3020-31-0x00000000048E0000-0x0000000004920000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp143E.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/1048-41-0x0000000005310000-0x0000000005350000-memory.dmp

memory/1048-42-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/3020-43-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/3020-44-0x00000000048E0000-0x0000000004920000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:48

Reported

2024-01-15 04:54

Platform

win10-20231220-en

Max time kernel

293s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detects Arechclient2 RAT

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Watches_by_country_of_the_world.lnk C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 4344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 4344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 4344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 4344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 4344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 4344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 4344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe

"C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Network

Country Destination Domain Proto
RU 194.26.29.153:15648 tcp
US 8.8.8.8:53 153.29.26.194.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

memory/4344-1-0x0000000000A60000-0x0000000000FF0000-memory.dmp

memory/4344-2-0x00000000057E0000-0x000000000587C000-memory.dmp

memory/4344-0-0x0000000073CC0000-0x00000000743AE000-memory.dmp

memory/4344-3-0x0000000073CC0000-0x00000000743AE000-memory.dmp

memory/4344-4-0x00000000058F0000-0x0000000005900000-memory.dmp

memory/4344-5-0x0000000006D60000-0x000000000704E000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 67fe1a8534edd1220c838cb9a18a2752
SHA1 b617f6eadd2d95b54a4c6eae4529fb642ee4b7f8
SHA256 d5eea0e906a4c071a7132c732a59493c0c92c8b96b35d87004c59718cce9e5da
SHA512 2bf3fa27420cc4e6ef72e7d0f6b7c03a24407223dc928cb9ae4b687945db275899ad64ecc0c4325a00f92a617eb59c9685d9924dccb40d7e430f047be63fee20

memory/4344-16-0x00000000058F0000-0x0000000005900000-memory.dmp

memory/4344-17-0x00000000058F0000-0x0000000005900000-memory.dmp

memory/5068-21-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/5068-23-0x0000000073CC0000-0x00000000743AE000-memory.dmp

memory/5068-25-0x0000000005800000-0x00000000059C2000-memory.dmp

memory/5068-26-0x0000000005ED0000-0x00000000063CE000-memory.dmp

memory/5068-27-0x00000000054D0000-0x0000000005520000-memory.dmp

memory/5068-24-0x0000000005620000-0x0000000005630000-memory.dmp

memory/5068-28-0x00000000056B0000-0x0000000005726000-memory.dmp

memory/5068-22-0x0000000005430000-0x00000000054C2000-memory.dmp

memory/4344-20-0x00000000075E0000-0x00000000076E0000-memory.dmp

memory/4344-19-0x00000000075E0000-0x00000000076E0000-memory.dmp

memory/5068-29-0x0000000006900000-0x0000000006E2C000-memory.dmp

memory/4344-18-0x00000000075E0000-0x00000000076E0000-memory.dmp

memory/5068-30-0x0000000005C00000-0x0000000005C1E000-memory.dmp

memory/4344-15-0x00000000058F0000-0x0000000005900000-memory.dmp

memory/4344-14-0x00000000058F0000-0x0000000005900000-memory.dmp

memory/5068-31-0x0000000005CE0000-0x0000000005D46000-memory.dmp

memory/4344-13-0x00000000052E0000-0x00000000052F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF157.tmp

MD5 f315177aec6837695aee27159dd37670
SHA1 ac0a434cad40715cb5382555eb5ee0cf28543196
SHA256 0a0206a8be439430546babbca6c7790927ef1b63b388eb072d67eed266002ba7
SHA512 5d3b6a0c5bf0aa761dd394fbb176a2d783add7203fe7f4e9b75f091561612be556c7d465b16036574c90a149413ae130a59977645eba5dae2e8543758558d563

memory/4344-12-0x00000000058F0000-0x0000000005900000-memory.dmp

memory/4344-6-0x0000000007050000-0x00000000071E2000-memory.dmp

memory/4344-41-0x00000000058F0000-0x0000000005900000-memory.dmp

memory/4344-47-0x0000000073CC0000-0x00000000743AE000-memory.dmp

memory/5068-48-0x0000000073CC0000-0x00000000743AE000-memory.dmp

memory/5068-49-0x0000000005620000-0x0000000005630000-memory.dmp