zgrat | ae642a285641c3550b613576cba415cf264ce141bdca009138606bbc19fd02b2 | Triage

Submit
Reports

Overview

overview

Static

static

3

ae642a2856...b2.exe

windows7-x64

7

ae642a2856...b2.exe

windows10-2004-x64

Sharing

General

Target

ae642a285641c3550b613576cba415cf264ce141bdca009138606bbc19fd02b2.exe
Size

9.5MB
Sample

240207-z36lmahe6z
MD5

df7431ca929fa1b50704b7856921d574
SHA1

57923f34ead0968933a6a5cb36175c17d5c19e40
SHA256

ae642a285641c3550b613576cba415cf264ce141bdca009138606bbc19fd02b2
SHA512

006256c473889f98ed2101f4323bed4d8e14cf854405b0aebd8f1fa4495e2a1f6bebc19979653b43cffc844df1f2e9fa757d6248d9d432cd85eeb53fc9f7a789
SSDEEP

196608:BmrIbstjT3o8aFmsnLvyzQFlAxbAQrtwq+ZkiKDI5SErx0vJjK1:zq3haFm0yzDxraq+ZkFnsx0xje

Score

10^/10

zgrat evasion pyinstaller rat

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

ae642a285641c3550b613576cba415cf264ce141bdca009138606bbc19fd02b2.exe

Resource

win7-20231215-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

ae642a285641c3550b613576cba415cf264ce141bdca009138606bbc19fd02b2.exe

Resource

win10v2004-20231215-en

zgrat evasion rat

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  ae642a285641c3550b613576cba415cf264ce141bdca009138606bbc19fd02b2.exe
- Size
  
  9.5MB
- MD5
  
  df7431ca929fa1b50704b7856921d574
- SHA1
  
  57923f34ead0968933a6a5cb36175c17d5c19e40
- SHA256
  
  ae642a285641c3550b613576cba415cf264ce141bdca009138606bbc19fd02b2
- SHA512
  
  006256c473889f98ed2101f4323bed4d8e14cf854405b0aebd8f1fa4495e2a1f6bebc19979653b43cffc844df1f2e9fa757d6248d9d432cd85eeb53fc9f7a789
- SSDEEP
  
  196608:BmrIbstjT3o8aFmsnLvyzQFlAxbAQrtwq+ZkiKDI5SErx0vJjK1:zq3haFm0yzDxraq+ZkFnsx0xje
Score

10^/10

zgrat evasion rat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Detects executables packed with unregistered version of .NET Reactor
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

zgratevasionrat

© 2018-2024

Terms | Privacy