zgrat | 73fe0327b943f9b6df757077c1ce09132dafc7a3b7a8b42f9ed4331cff6e8cf1

General

Target

file.exe
Size

4.8MB
MD5

bb1b77d4280450ce1e7b4217aad3c769
SHA1

36ac15b55b045694468434ebde0d748b65f3af01
SHA256

73fe0327b943f9b6df757077c1ce09132dafc7a3b7a8b42f9ed4331cff6e8cf1
SHA512

01bbe1f1f7a876f4e7f42351892f30155b88847a79863122b5909b16a8e116f203867c05b6d5ca224056f362a84757f32d00fb7b15c9be3f7dfddd895499f15b
SSDEEP

98304:cgeNLXGxp/CRfrF8Jyd3D2v1o+/8/pG/1:cpl3D29o+/8xQ

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2016-1-0x0000000000FC0000-0x000000000149A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2016-1-0x0000000000FC0000-0x000000000149A000-memory.dmp	net_reactor

Loads dropped DLL 1 IoCs

Processes:

file.exe

pid process

2016 file.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 2016 set thread context of 2856 2016 file.exe MsBuild.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2544 2856 WerFault.exe MsBuild.exe

pid	process
2016	file.exe

description	pid	process	target process
PID 2016 set thread context of 2856	2016	file.exe	MsBuild.exe

pid	pid_target	process	target process
2544	2856	WerFault.exe	MsBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

file.exeMsBuild.exe

description	pid	process	target process
PID 2016 wrote to memory of 2856	2016	file.exe	MsBuild.exe
PID 2016 wrote to memory of 2856	2016	file.exe	MsBuild.exe
PID 2016 wrote to memory of 2856	2016	file.exe	MsBuild.exe
PID 2016 wrote to memory of 2856	2016	file.exe	MsBuild.exe
PID 2016 wrote to memory of 2856	2016	file.exe	MsBuild.exe
PID 2016 wrote to memory of 2856	2016	file.exe	MsBuild.exe
PID 2016 wrote to memory of 2856	2016	file.exe	MsBuild.exe
PID 2016 wrote to memory of 2856	2016	file.exe	MsBuild.exe
PID 2016 wrote to memory of 2856	2016	file.exe	MsBuild.exe
PID 2016 wrote to memory of 2856	2016	file.exe	MsBuild.exe
PID 2856 wrote to memory of 2544	2856	MsBuild.exe	WerFault.exe
PID 2856 wrote to memory of 2544	2856	MsBuild.exe	WerFault.exe
PID 2856 wrote to memory of 2544	2856	MsBuild.exe	WerFault.exe
PID 2856 wrote to memory of 2544	2856	MsBuild.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 92
3⤵
- Program crash
PID:2544

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
245KB

MD5
8551f3027c73da8ae533d9bb9a99c233

SHA1
04befcf7a3789856b5ec562c63befd3e12a8fc26

SHA256
2abe17072617a0583e042295d40fe425369b3038ee8696e6b667ac0a2ba48a9a

SHA512
ddecd6260c43cb144ee47ce11c2d3d037eee7b8c721690d52d74efdcd6d47eef90ae7ddb178f934625036da5dfeef11e1d4aee5d5011c4aa18b0f3e29fca5724

Download Submit
memory/2016-17-0x00000000055A0000-0x00000000055E0000-memory.dmp

Filesize
256KB

Download
memory/2016-14-0x00000000055A0000-0x00000000055E0000-memory.dmp

Filesize
256KB

Download
memory/2016-3-0x00000000055A0000-0x00000000055E0000-memory.dmp

Filesize
256KB

Download
memory/2016-4-0x0000000005940000-0x0000000005B76000-memory.dmp

Filesize
2.2MB

Download
memory/2016-5-0x0000000006CB0000-0x0000000006E42000-memory.dmp

Filesize
1.6MB

Download
memory/2016-0-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-12-0x00000000055A0000-0x00000000055E0000-memory.dmp

Filesize
256KB

Download
memory/2016-11-0x00000000055A0000-0x00000000055E0000-memory.dmp

Filesize
256KB

Download
memory/2016-10-0x00000000055A0000-0x00000000055E0000-memory.dmp

Filesize
256KB

Download
memory/2016-19-0x00000000055A0000-0x00000000055E0000-memory.dmp

Filesize
256KB

Download
memory/2016-16-0x00000000055A0000-0x00000000055E0000-memory.dmp

Filesize
256KB

Download
memory/2016-15-0x00000000055A0000-0x00000000055E0000-memory.dmp

Filesize
256KB

Download
memory/2016-18-0x0000000007040000-0x0000000007140000-memory.dmp

Filesize
1024KB

Download
memory/2016-2-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2016-1-0x0000000000FC0000-0x000000000149A000-memory.dmp

Filesize
4.9MB

Download
memory/2016-13-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2016-20-0x00000000055A0000-0x00000000055E0000-memory.dmp

Filesize
256KB

Download
memory/2016-32-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2856-34-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2856-29-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2856-21-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2856-31-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2856-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2856-27-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2856-26-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2856-23-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2856-33-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2856-25-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads