zgrat | 8a62013424695bf95dea19f504de1636f2093be8b27c3f314b2daf617b00ec1d

Resubmissions

06-02-2024 17:01

240206-vjm8qabeh3 10

31-01-2024 04:26

240131-e2kbsabeh3 10

Analysis

max time kernel
32s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8370e6258d17dbbf8e9f4f3dced934ab.exe
Size

465KB
MD5

8370e6258d17dbbf8e9f4f3dced934ab
SHA1

0a276283e3784d2d5443deee623fc1ed29ae21d4
SHA256

8a62013424695bf95dea19f504de1636f2093be8b27c3f314b2daf617b00ec1d
SHA512

46b70138cc34405df1a4f716064e137ba7b1f69f178de9a1988e63734fe21d066c4f3a4818676ca7e8df720086446db94b59c5fd0bacfb07cc8c72b635f2b014
SSDEEP

6144:GhzpyQ/Hr2KeDYdk495R+2rbjUR0oXFL9P2XYtJkWDGDS9Jo4IZNW8u2wND8:GdF/HRly4rnrbCLMXYXDGAJoT2T/I

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 30 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3076-30-0x0000000007B30000-0x0000000007BAA000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-35-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-36-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-38-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-40-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-42-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-44-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-46-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-49-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-51-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-53-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-55-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-57-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-59-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-61-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-64-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-66-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-68-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-70-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-72-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-74-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-77-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-79-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-81-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-83-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-85-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-87-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-89-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-91-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1
behavioral1/memory/3076-93-0x0000000007B30000-0x0000000007BA3000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3860 WINWORD.EXE
3860 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

3860 WINWORD.EXE
3860 WINWORD.EXE

pid	process
3860	WINWORD.EXE
3860	WINWORD.EXE

pid	process
3860	WINWORD.EXE
3860	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\8370e6258d17dbbf8e9f4f3dced934ab.exe
"C:\Users\Admin\AppData\Local\Temp\8370e6258d17dbbf8e9f4f3dced934ab.exe"
1⤵
PID:3076

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\UnlockInstall.dotx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3076-59-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-70-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-2-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/3076-3-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/3076-4-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3076-5-0x0000000005130000-0x000000000513A000-memory.dmp

Filesize
40KB

Download
memory/3076-35-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-93-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-91-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-89-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-87-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-85-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-83-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-81-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-79-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-1-0x00000000006C0000-0x000000000073A000-memory.dmp

Filesize
488KB

Download
memory/3076-77-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-74-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-72-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-53-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-68-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-66-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-64-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-61-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-0-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3076-36-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-30-0x0000000007B30000-0x0000000007BAA000-memory.dmp

Filesize
488KB

Download
memory/3076-29-0x0000000006520000-0x0000000006568000-memory.dmp

Filesize
288KB

Download
memory/3076-57-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-6-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3076-55-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-38-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-40-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-42-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-44-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-46-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-47-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/3076-49-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3076-51-0x0000000007B30000-0x0000000007BA3000-memory.dmp

Filesize
460KB

Download
memory/3860-15-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-25-0x00007FFADA730000-0x00007FFADA740000-memory.dmp

Filesize
64KB

Download
memory/3860-26-0x00007FFADA730000-0x00007FFADA740000-memory.dmp

Filesize
64KB

Download
memory/3860-24-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-23-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-22-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-21-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-20-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-19-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-13-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/3860-18-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-17-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-16-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/3860-14-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-11-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/3860-12-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-9-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-10-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download
memory/3860-8-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3860-7-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp

Filesize
64KB

Download