zgrat | 2af462168bad2cb895fdaf9f778fa2021d8e77ba7212f02f3cb3f3ac0f03431d

Analysis

max time kernel
131s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-02-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4168406dbd28c5b416f4435e0c40644c.exe
Size

2.3MB
MD5

4168406dbd28c5b416f4435e0c40644c
SHA1

a9bd0155ab9bf43fd0fd92ade8e860333cbac098
SHA256

2af462168bad2cb895fdaf9f778fa2021d8e77ba7212f02f3cb3f3ac0f03431d
SHA512

acba52424c66e8998c4642b1cb55ed99f3f53867483640a62f3aa171234ee4e04f4394b2f7eb09944e6fe259866460a9feaeddcb7555d9a3503b545da3ebfc12
SSDEEP

49152:tBXEr/iSw+0VETjpsFjo4HceGVhp3aZRle4WhpjNp8Wb:nULpw+5TT4HOZahe4GNp8S

Score

10^/10

zgrat evasion rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012252-10.dat	family_zgrat_v1
behavioral1/files/0x000d000000012252-12.dat	family_zgrat_v1
behavioral1/files/0x000d000000012252-11.dat	family_zgrat_v1
behavioral1/files/0x000d000000012252-9.dat	family_zgrat_v1
behavioral1/memory/2808-13-0x0000000000100000-0x0000000000334000-memory.dmp	family_zgrat_v1
behavioral1/memory/2144-64-0x0000000001320000-0x0000000001554000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2808	AgentcomponentWinhostDll.exe
2144	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2912	cmd.exe
2912	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\winlogon.exe	AgentcomponentWinhostDll.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\cc11b995f2a76d	AgentcomponentWinhostDll.exe
File created	C:\Program Files\Common Files\csrss.exe	AgentcomponentWinhostDll.exe
File created	C:\Program Files\Common Files\886983d96e3d3e	AgentcomponentWinhostDll.exe
File created	C:\Program Files\Windows Mail\Idle.exe	AgentcomponentWinhostDll.exe
File created	C:\Program Files\Windows Mail\6ccacd8608530f	AgentcomponentWinhostDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2740	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe
2808	AgentcomponentWinhostDll.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2144	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	AgentcomponentWinhostDll.exe
Token: SeDebugPrivilege	2144	csrss.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2440	1964	4168406dbd28c5b416f4435e0c40644c.exe	28
PID 1964 wrote to memory of 2440	1964	4168406dbd28c5b416f4435e0c40644c.exe	28
PID 1964 wrote to memory of 2440	1964	4168406dbd28c5b416f4435e0c40644c.exe	28
PID 1964 wrote to memory of 2440	1964	4168406dbd28c5b416f4435e0c40644c.exe	28
PID 2440 wrote to memory of 2912	2440	WScript.exe	29
PID 2440 wrote to memory of 2912	2440	WScript.exe	29
PID 2440 wrote to memory of 2912	2440	WScript.exe	29
PID 2440 wrote to memory of 2912	2440	WScript.exe	29
PID 2912 wrote to memory of 2740	2912	cmd.exe	31
PID 2912 wrote to memory of 2740	2912	cmd.exe	31
PID 2912 wrote to memory of 2740	2912	cmd.exe	31
PID 2912 wrote to memory of 2740	2912	cmd.exe	31
PID 2912 wrote to memory of 2808	2912	cmd.exe	32
PID 2912 wrote to memory of 2808	2912	cmd.exe	32
PID 2912 wrote to memory of 2808	2912	cmd.exe	32
PID 2912 wrote to memory of 2808	2912	cmd.exe	32
PID 2808 wrote to memory of 2956	2808	AgentcomponentWinhostDll.exe	33
PID 2808 wrote to memory of 2956	2808	AgentcomponentWinhostDll.exe	33
PID 2808 wrote to memory of 2956	2808	AgentcomponentWinhostDll.exe	33
PID 2956 wrote to memory of 1732	2956	cmd.exe	35
PID 2956 wrote to memory of 1732	2956	cmd.exe	35
PID 2956 wrote to memory of 1732	2956	cmd.exe	35
PID 2956 wrote to memory of 3064	2956	cmd.exe	36
PID 2956 wrote to memory of 3064	2956	cmd.exe	36
PID 2956 wrote to memory of 3064	2956	cmd.exe	36
PID 2956 wrote to memory of 2144	2956	cmd.exe	37
PID 2956 wrote to memory of 2144	2956	cmd.exe	37
PID 2956 wrote to memory of 2144	2956	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\4168406dbd28c5b416f4435e0c40644c.exe
"C:\Users\Admin\AppData\Local\Temp\4168406dbd28c5b416f4435e0c40644c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgeComcomponentRefcrt\1ldIcBYEQg7RjcVGSq1ng9KiAB3AQy7htAmpoYpl9wYMA.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BridgeComcomponentRefcrt\wdXGsvxl0pdrLsLPPCPXx3825LswXliS6Ryz.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2740
  - - C:\BridgeComcomponentRefcrt\AgentcomponentWinhostDll.exe
      "C:\BridgeComcomponentRefcrt/AgentcomponentWinhostDll.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rAgSC1JOJf.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1732
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3064
      - C:\Program Files\Common Files\csrss.exe
        
        "C:\Program Files\Common Files\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeComcomponentRefcrt\1ldIcBYEQg7RjcVGSq1ng9KiAB3AQy7htAmpoYpl9wYMA.vbe

Filesize
238B

MD5
d0e7d23e5ae90f5357d76ab2cc26724b

SHA1
6651290f841eaafec1016677b8d59fd79a3b314b

SHA256
965f6f5bc53e0b6de78fe1cbb9473055c66a56958c120adde959cf0861c344c4

SHA512
216dcc38fe7ddea60960f15d45ed570e4386764d6e1a12ad0cc3a3cb9aa27d909cec1b3c50a38a54ba6772c2bf1629c115f3a35af19b387288787e02dd81cb23

Download Submit
C:\BridgeComcomponentRefcrt\AgentcomponentWinhostDll.exe

Filesize
1.5MB

MD5
30900c7abce8343a397be02ef103b002

SHA1
bc9914313335d22e622ea469351d4529c1e43147

SHA256
307d2546fcce09e2b6969fdbcf682b35cb523ffc093308065bc426b469b7488e

SHA512
ef9bbae0673eccb9cae6fd6ce72f11cb85ab52b3944318e0976d340c67855a899667fd6e34bc58297d225d800745195098bcd946fe471d544b6e79f4f0bf22d2

Download Submit
C:\BridgeComcomponentRefcrt\AgentcomponentWinhostDll.exe

Filesize
1.7MB

MD5
049496fee3f4e811988a9f0e49a37368

SHA1
390193185fe8012273d885f541d64986d64196f2

SHA256
48a5a55ec328470a0277ec1facbbd19d2256b64e97544b63bdc4a0833661a62c

SHA512
727422e6ba6fe689a1aec7420b223ec04f058b6cd9031807ef617c95e152d728b9343d2506ef82c44de2d23546144daab8b2f7faa8710462a09a98f08f672841

Download Submit
C:\BridgeComcomponentRefcrt\wdXGsvxl0pdrLsLPPCPXx3825LswXliS6Ryz.bat

Filesize
227B

MD5
ae228c7e7072b7087b1594b052797062

SHA1
f46d1e6240f6105effb0a8a8cfe70faf01573fe6

SHA256
934a37052592bcb2ed1ea0d4ecf5cdcea85b42583e776da939301a400e6b58ec

SHA512
886d71f897cce717047c8bb035abf3dd0724f68736d742786772876024b8e9a57d41ec2bb3c9d89c1cc19f66bac19678be64c32e761180a90b9f516bb742d84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAgSC1JOJf.bat

Filesize
215B

MD5
0b2ad0196c860adcad561b567407387e

SHA1
118eb84420f6ff21c1627828e22d756f3ef392df

SHA256
17de2b89930113448202bf030ad50ce6b4f60cdcd04f7a27229bd906d7a464d9

SHA512
1d7d85eacfd476f4a310c54cca4e6699f5310f8e0dc35edcb26be469fb4ce3f276bd8465090f32306ac8e06dbaa348670778b52b45779513fd755db60e95897e

Download Submit
\BridgeComcomponentRefcrt\AgentcomponentWinhostDll.exe

Filesize
2.1MB

MD5
0df3910b044eea89ec69d676e932b5b4

SHA1
923dd21631f1ea092f0f583e42a5ee4268f692c8

SHA256
06e4302873574bbaa239dd8431268dc7b6a6b4e6763f821070f299522269b3d6

SHA512
fe5a73698aa5647193143e8985283763108d237a7e9fd67dd942882da8a8f6135f10d35de7c3fda29dcbb10b6b8cb3aed237a6fbadbd147cfb32313d25958146

Download Submit
\BridgeComcomponentRefcrt\AgentcomponentWinhostDll.exe

Filesize
2.2MB

MD5
900246653d3c4582b86ba8c3f363c814

SHA1
ebb4194497160b7770cd9c543141a9bce458fe79

SHA256
f5cfd67248766681a0adf219ddd04a1ea1c78157be90a7d7c92d115bd1fab22c

SHA512
54b16b68143cfdb995b9e5bac9474e3f83a32fffe74310371e89590f279a5650763c2cd17761c5989137b57eed229b06a5521c522f739f173733602f92794e33

Download Submit
memory/2144-84-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-78-0x0000000077770000-0x0000000077771000-memory.dmp

Filesize
4KB

Download
memory/2144-88-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/2144-87-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/2144-86-0x0000000077740000-0x0000000077741000-memory.dmp

Filesize
4KB

Download
memory/2144-106-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/2144-108-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/2144-85-0x0000000077750000-0x0000000077751000-memory.dmp

Filesize
4KB

Download
memory/2144-81-0x0000000077760000-0x0000000077761000-memory.dmp

Filesize
4KB

Download
memory/2144-89-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/2144-77-0x0000000077780000-0x0000000077781000-memory.dmp

Filesize
4KB

Download
memory/2144-75-0x0000000077790000-0x0000000077791000-memory.dmp

Filesize
4KB

Download
memory/2144-72-0x00000000777A0000-0x00000000777A1000-memory.dmp

Filesize
4KB

Download
memory/2144-70-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/2144-69-0x00000000777B0000-0x00000000777B1000-memory.dmp

Filesize
4KB

Download
memory/2144-68-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/2144-67-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2144-66-0x000000001ADD0000-0x000000001AE50000-memory.dmp

Filesize
512KB

Download
memory/2144-64-0x0000000001320000-0x0000000001554000-memory.dmp

Filesize
2.2MB

Download
memory/2144-65-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-20-0x0000000000710000-0x0000000000736000-memory.dmp

Filesize
152KB

Download
memory/2808-42-0x0000000077750000-0x0000000077751000-memory.dmp

Filesize
4KB

Download
memory/2808-44-0x000000001B600000-0x000000001B680000-memory.dmp

Filesize
512KB

Download
memory/2808-43-0x0000000077740000-0x0000000077741000-memory.dmp

Filesize
4KB

Download
memory/2808-61-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-41-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-40-0x0000000000780000-0x0000000000798000-memory.dmp

Filesize
96KB

Download
memory/2808-38-0x0000000000700000-0x000000000070E000-memory.dmp

Filesize
56KB

Download
memory/2808-36-0x0000000077760000-0x0000000077761000-memory.dmp

Filesize
4KB

Download
memory/2808-35-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2808-33-0x0000000000760000-0x0000000000778000-memory.dmp

Filesize
96KB

Download
memory/2808-31-0x0000000077770000-0x0000000077771000-memory.dmp

Filesize
4KB

Download
memory/2808-30-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/2808-28-0x0000000077780000-0x0000000077781000-memory.dmp

Filesize
4KB

Download
memory/2808-27-0x0000000077790000-0x0000000077791000-memory.dmp

Filesize
4KB

Download
memory/2808-26-0x00000000006E0000-0x00000000006FC000-memory.dmp

Filesize
112KB

Download
memory/2808-22-0x00000000777A0000-0x00000000777A1000-memory.dmp

Filesize
4KB

Download
memory/2808-24-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2808-21-0x000000001B600000-0x000000001B680000-memory.dmp

Filesize
512KB

Download
memory/2808-18-0x00000000777B0000-0x00000000777B1000-memory.dmp

Filesize
4KB

Download
memory/2808-17-0x000000001B600000-0x000000001B680000-memory.dmp

Filesize
512KB

Download
memory/2808-16-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2808-15-0x000000001B600000-0x000000001B680000-memory.dmp

Filesize
512KB

Download
memory/2808-14-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-13-0x0000000000100000-0x0000000000334000-memory.dmp

Filesize
2.2MB

Download