Malware Analysis Report

2024-09-23 14:11

Sample ID: 240206-vjm8qabeh3
Target: 8370e6258d17dbbf8e9f4f3dced934ab
SHA256: 8a62013424695bf95dea19f504de1636f2093be8b27c3f314b2daf617b00ec1d
Tags: zgrat rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 8a62013424695bf95dea19f504de1636f2093be8b27c3f314b2daf617b00ec1d

Threat Level: Known bad

The file 8370e6258d17dbbf8e9f4f3dced934ab was found to be: Known bad.

Malicious Activity Summary

zgrat rat

Detect ZGRat V1

ZGRat

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-06 17:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-06 17:01

Reported: 2024-02-06 17:02

Platform: win10v2004-20231215-en

Max time kernel: 32s

Max time network: 48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8370e6258d17dbbf8e9f4f3dced934ab.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
(31 matches reported for this signature; every row is identical to the one above, with no description, indicator, process or target recorded)

ZGRat

Tags: rat zgrat

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8370e6258d17dbbf8e9f4f3dced934ab.exe

"C:\Users\Admin\AppData\Local\Temp\8370e6258d17dbbf8e9f4f3dced934ab.exe"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\UnlockInstall.dotx"

Network

Country Destination Domain Proto
US 8.8.8.8:53 216.120.118.100.in-addr.arpa udp
US 8.8.8.8:53 118.255.100.100.in-addr.arpa udp
US 8.8.8.8:53 106.237.102.100.in-addr.arpa udp
US 8.8.8.8:53 226.195.83.100.in-addr.arpa udp
US 8.8.8.8:53 110.116.99.100.in-addr.arpa udp
US 8.8.8.8:53 178.234.66.100.in-addr.arpa udp
US 8.8.8.8:53 148.6.77.100.in-addr.arpa udp

Files

memory/3076-0-0x00000000752A0000-0x0000000075A50000-memory.dmp
memory/3076-1-0x00000000006C0000-0x000000000073A000-memory.dmp
memory/3076-2-0x0000000005800000-0x0000000005DA4000-memory.dmp
memory/3076-3-0x0000000005180000-0x0000000005212000-memory.dmp
memory/3076-4-0x0000000005170000-0x0000000005180000-memory.dmp
memory/3076-5-0x0000000005130000-0x000000000513A000-memory.dmp
memory/3076-6-0x00000000752A0000-0x0000000075A50000-memory.dmp
memory/3860-7-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp
memory/3860-8-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-10-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp
memory/3860-9-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-12-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-11-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp
memory/3860-14-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-16-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp
memory/3860-15-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-17-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-18-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-13-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp
memory/3860-19-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-20-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-21-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-22-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-23-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-24-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-25-0x00007FFADA730000-0x00007FFADA740000-memory.dmp
memory/3860-26-0x00007FFADA730000-0x00007FFADA740000-memory.dmp
memory/3076-29-0x0000000006520000-0x0000000006568000-memory.dmp
memory/3076-30-0x0000000007B30000-0x0000000007BAA000-memory.dmp
memory/3076-35-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-36-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-38-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-40-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-42-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-44-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-46-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-47-0x0000000005170000-0x0000000005180000-memory.dmp
memory/3076-49-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-51-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-53-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-55-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-57-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-59-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-61-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-64-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-66-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-68-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-70-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-72-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-74-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-77-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-79-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-81-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-83-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-85-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-87-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-89-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-91-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-93-0x0000000007B30000-0x0000000007BA3000-memory.dmp