zgrat

General

Target

RUN.exe
Size

25.5MB
Sample

240122-xrc4tsdaa4
MD5

f559e8fbcaf4bf3decd0e959883674b8
SHA1

a0bde63feed25ed365ba4bacccfc2e20fff3972d
SHA256

f4f8f06d721e990735ac49cd219c8039b4f43d919305aee5282249e8d4db9063
SHA512

4c65ed26ae899189ef65ac9d36757405e5cb9220e62bb4a4d3fca91e21b9ba9a2d7cd495fe2998d25488025bfeacc299a3bf5a323832f9e3cd3ab4ef74e97d7a
SSDEEP

393216:XOIAa2nR1/+ryDP5YKgoWWCdffSwObQFmSLeLVpevjpsJaxkFrphpLo6baYByTK4:oao/x5XWWKo7SLe7e9iBrhdNmYByTLP

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/washywashy14/7zip-bin/master/win/Uemlxaw.zip

Targets

- Target
  
  RUN.exe
- Size
  
  25.5MB
- MD5
  
  f559e8fbcaf4bf3decd0e959883674b8
- SHA1
  
  a0bde63feed25ed365ba4bacccfc2e20fff3972d
- SHA256
  
  f4f8f06d721e990735ac49cd219c8039b4f43d919305aee5282249e8d4db9063
- SHA512
  
  4c65ed26ae899189ef65ac9d36757405e5cb9220e62bb4a4d3fca91e21b9ba9a2d7cd495fe2998d25488025bfeacc299a3bf5a323832f9e3cd3ab4ef74e97d7a
- SSDEEP
  
  393216:XOIAa2nR1/+ryDP5YKgoWWCdffSwObQFmSLeLVpevjpsJaxkFrphpLo6baYByTK4:oao/x5XWWKo7SLe7e9iBrhdNmYByTLP
Score

10^/10

zgrat collection discovery evasion persistence rat spyware stealer trojan
- Detect ZGRat V1
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1