zgrat | 24ac39ad4adc56c46b6466604d944bb34aac3ab817c506350abed729fe6d7aab

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cdd7f15270fe8305ec32f250b83b68b.exe
Size

481KB
MD5

8cdd7f15270fe8305ec32f250b83b68b
SHA1

417a634f26dd234910cf797a83956d3e27e3b828
SHA256

24ac39ad4adc56c46b6466604d944bb34aac3ab817c506350abed729fe6d7aab
SHA512

e60eadc3f9ea64514677c8059c0525f916612216c1a9914e79dbedf909007f01dbccdf8f5ce7b9fee7436e854a0b92da5adec6856337bf6f3684970aa595f43a
SSDEEP

12288:vNpszYhvXWSVJdMaeNOSMkEPnW7+JD7kay0pAXhw:FhvJVJdMZbM7Ly0ixw

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000122f5-9.dat	family_zgrat_v1
behavioral1/memory/2716-13-0x0000000000DC0000-0x0000000000E2C000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
2716	VIP-AntiBan.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2716	VIP-AntiBan.exe
2716	VIP-AntiBan.exe
2716	VIP-AntiBan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	VIP-AntiBan.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2756	2448	8cdd7f15270fe8305ec32f250b83b68b.exe	28
PID 2448 wrote to memory of 2756	2448	8cdd7f15270fe8305ec32f250b83b68b.exe	28
PID 2448 wrote to memory of 2756	2448	8cdd7f15270fe8305ec32f250b83b68b.exe	28
PID 2448 wrote to memory of 2756	2448	8cdd7f15270fe8305ec32f250b83b68b.exe	28
PID 2756 wrote to memory of 2716	2756	WScript.exe	29
PID 2756 wrote to memory of 2716	2756	WScript.exe	29
PID 2756 wrote to memory of 2716	2756	WScript.exe	29
PID 2756 wrote to memory of 2716	2756	WScript.exe	29
PID 2756 wrote to memory of 2292	2756	WScript.exe	30
PID 2756 wrote to memory of 2292	2756	WScript.exe	30
PID 2756 wrote to memory of 2292	2756	WScript.exe	30
PID 2756 wrote to memory of 2292	2756	WScript.exe	30

C:\Users\Admin\AppData\Local\Temp\8cdd7f15270fe8305ec32f250b83b68b.exe
"C:\Users\Admin\AppData\Local\Temp\8cdd7f15270fe8305ec32f250b83b68b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIP-AntiBan.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIP-AntiBan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\site.vbs"
    3⤵
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIP-AntiBan.exe

Filesize
410KB

MD5
b06fcf709860a9e24360edd651cff73c

SHA1
56d2da71f0fd7aff82c7c8e338b4fd1ce7b2a65c

SHA256
7d7d125fe3fcbde446c5e24e09587e3aefc94a8d8402cd07d71d89c34b1d6cff

SHA512
63cb11aaf5094ba0bc6c3acb713f3be0e5b01ad888f2f25729b7b6ae3a0281c5f58ba97548790c006c726be585611ff073db38ea4d1728862edbf94a33210022

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs

Filesize
141B

MD5
02d3bb0fff7a7f920c647853bc20dc4c

SHA1
ab3a8e7391d47e74ee65a1a9b33fd4f912b4b218

SHA256
a1d7ffafca174571519648c7cb2835a7df5eabf37adc2a82c54a624337250711

SHA512
a017ec48295a45ac1ba21a4802d1537d8a364f3f9e81e57709096d125f753f55e7fbbbe3e3a433b69b3c17b701a4a3074a7f77dd7d56139b7b7fbb6a4fc967a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\site.vbs

Filesize
467B

MD5
374c308441641bbea48170f6da5c15fd

SHA1
65250859f6f2375772bf14c4db8ada6af5fca692

SHA256
a75fa4ef266b2f13fe44d3c5a05aec84696d67bbe11f5d83948e9c41f92a6518

SHA512
d6bf4544a987b8ca8b9b10eda079af00b2dbffc804038744237de988fc9dfba61b57bed9b54084ac2b994e343d74f2a003703022d6ec091407374e87b3c77a2b

Download Submit
memory/2716-13-0x0000000000DC0000-0x0000000000E2C000-memory.dmp

Filesize
432KB

Download
memory/2716-14-0x0000000072D70000-0x000000007345E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-15-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/2716-16-0x0000000000580000-0x0000000000596000-memory.dmp

Filesize
88KB

Download
memory/2716-17-0x00000000004D0000-0x0000000000526000-memory.dmp

Filesize
344KB

Download
memory/2716-18-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/2716-19-0x0000000072D70000-0x000000007345E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-20-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download