zgrat | 7257e33f527df5f7820d5dfd9022d923b5fb6cdef21d402c54fc9d3f3106f3a3

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-02-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

943244db3bce1498ee39206c5e0f2bbc.exe
Size

2.7MB
MD5

943244db3bce1498ee39206c5e0f2bbc
SHA1

026cf4e2deae460e56675e827b408c17db0b16fe
SHA256

7257e33f527df5f7820d5dfd9022d923b5fb6cdef21d402c54fc9d3f3106f3a3
SHA512

c674637360aae0ea0eeafb773d6befbe5ff43ec93a0201b50731d1d4615b4701810923a5411be531914e92336b28cf43941ab06124a0e8e0cb8e58324925e7e5
SSDEEP

24576:KKVIwZqiBUljqRuth3CSb9F9C14mL0OIntkrUZbnLATHGK2SfRtiHbhwrDzE:LIe/a8UQrUSHGK2Sjr3E

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1616-4-0x0000000000680000-0x0000000000696000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1616	943244db3bce1498ee39206c5e0f2bbc.exe
1616	943244db3bce1498ee39206c5e0f2bbc.exe
1616	943244db3bce1498ee39206c5e0f2bbc.exe
1616	943244db3bce1498ee39206c5e0f2bbc.exe
1616	943244db3bce1498ee39206c5e0f2bbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	943244db3bce1498ee39206c5e0f2bbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2656	1616	943244db3bce1498ee39206c5e0f2bbc.exe	28
PID 1616 wrote to memory of 2656	1616	943244db3bce1498ee39206c5e0f2bbc.exe	28
PID 1616 wrote to memory of 2656	1616	943244db3bce1498ee39206c5e0f2bbc.exe	28
PID 1616 wrote to memory of 2656	1616	943244db3bce1498ee39206c5e0f2bbc.exe	28
PID 1616 wrote to memory of 2124	1616	943244db3bce1498ee39206c5e0f2bbc.exe	29
PID 1616 wrote to memory of 2124	1616	943244db3bce1498ee39206c5e0f2bbc.exe	29
PID 1616 wrote to memory of 2124	1616	943244db3bce1498ee39206c5e0f2bbc.exe	29
PID 1616 wrote to memory of 2124	1616	943244db3bce1498ee39206c5e0f2bbc.exe	29
PID 1616 wrote to memory of 2392	1616	943244db3bce1498ee39206c5e0f2bbc.exe	30
PID 1616 wrote to memory of 2392	1616	943244db3bce1498ee39206c5e0f2bbc.exe	30
PID 1616 wrote to memory of 2392	1616	943244db3bce1498ee39206c5e0f2bbc.exe	30
PID 1616 wrote to memory of 2392	1616	943244db3bce1498ee39206c5e0f2bbc.exe	30
PID 1616 wrote to memory of 2256	1616	943244db3bce1498ee39206c5e0f2bbc.exe	32
PID 1616 wrote to memory of 2256	1616	943244db3bce1498ee39206c5e0f2bbc.exe	32
PID 1616 wrote to memory of 2256	1616	943244db3bce1498ee39206c5e0f2bbc.exe	32
PID 1616 wrote to memory of 2256	1616	943244db3bce1498ee39206c5e0f2bbc.exe	32
PID 1616 wrote to memory of 2308	1616	943244db3bce1498ee39206c5e0f2bbc.exe	31
PID 1616 wrote to memory of 2308	1616	943244db3bce1498ee39206c5e0f2bbc.exe	31
PID 1616 wrote to memory of 2308	1616	943244db3bce1498ee39206c5e0f2bbc.exe	31
PID 1616 wrote to memory of 2308	1616	943244db3bce1498ee39206c5e0f2bbc.exe	31

C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe
"C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe
  "C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe"
  2⤵
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe
  "C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe"
  2⤵
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe
  "C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe"
  2⤵
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe
  "C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe"
  2⤵
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe
  "C:\Users\Admin\AppData\Local\Temp\943244db3bce1498ee39206c5e0f2bbc.exe"
  2⤵
  PID:2256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-1-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/1616-0-0x0000000000380000-0x0000000000636000-memory.dmp

Filesize
2.7MB

Download
memory/1616-2-0x0000000000760000-0x00000000007A0000-memory.dmp

Filesize
256KB

Download
memory/1616-3-0x0000000004E00000-0x0000000004F76000-memory.dmp

Filesize
1.5MB

Download
memory/1616-4-0x0000000000680000-0x0000000000696000-memory.dmp

Filesize
88KB

Download
memory/1616-5-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download