zgrat | 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce

Analysis

max time kernel
139s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 04:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
Size

1.8MB
MD5

afa014338532a8f730aa8e6b5ca09874
SHA1

0a55224d9cf55e5ab12087a8af15612d75753d33
SHA256

78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce
SHA512

5c947b9342d83147633c0956d3af8453b7d6390c78836c810d13d60fe30528d2a74720430104503650ab1ba426cae8554ddd10e002f32d83855b220eb4ac881f
SSDEEP

24576:XZkERkn0rQKC/L5ZQk/Pv6mD6JtkOW4l2f1yz+dGP4hSjdirHEbxn4uYRtqMSZ8I:XZbRk0wXPvp0kNxdCgkdi4tnYnJI

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/memory/1368-0-0x00000000002B0000-0x000000000048E000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000600000002313c-30.dat	family_zgrat_v1
behavioral2/files/0x000600000002313a-42.dat	family_zgrat_v1
behavioral2/files/0x000600000002313a-41.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 4 IoCs

resource	yara_rule
behavioral2/memory/1368-0-0x00000000002B0000-0x000000000048E000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002313c-30.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002313a-42.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002313a-41.dat	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe

Executes dropped EXE 1 IoCs

pid	Process
3172	Idle.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\es-ES\Idle.exe	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\Idle.exe	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\6ccacd8608530f	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
File created	C:\Program Files\VideoLAN\System.exe	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
File created	C:\Program Files\VideoLAN\27d1bcfc3c54e0	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\DiagTrack\f3b6ecef712a24	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
File created	C:\Windows\SystemResources\Windows.UI.AccountsControl\PRIS\RuntimeBroker.exe	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
File created	C:\Windows\SystemResources\Windows.UI.AccountsControl\PRIS\9e8d7a4ca61bd9	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
File created	C:\Windows\DiagTrack\spoolsv.exe	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
3172	Idle.exe
3172	Idle.exe
3172	Idle.exe
3172	Idle.exe
3172	Idle.exe
3172	Idle.exe
3172	Idle.exe
3172	Idle.exe
3172	Idle.exe
3172	Idle.exe
3172	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
Token: SeDebugPrivilege	3172	Idle.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1316	1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe	84
PID 1368 wrote to memory of 1316	1368	78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe	84
PID 1316 wrote to memory of 2624	1316	cmd.exe	86
PID 1316 wrote to memory of 2624	1316	cmd.exe	86
PID 1316 wrote to memory of 4844	1316	cmd.exe	87
PID 1316 wrote to memory of 4844	1316	cmd.exe	87
PID 1316 wrote to memory of 3172	1316	cmd.exe	88
PID 1316 wrote to memory of 3172	1316	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
"C:\Users\Admin\AppData\Local\Temp\78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VtBvt13PT0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2624
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4844
- - C:\Users\Default User\Idle.exe
    "C:\Users\Default User\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\System.exe

Filesize
1.8MB

MD5
afa014338532a8f730aa8e6b5ca09874

SHA1
0a55224d9cf55e5ab12087a8af15612d75753d33

SHA256
78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce

SHA512
5c947b9342d83147633c0956d3af8453b7d6390c78836c810d13d60fe30528d2a74720430104503650ab1ba426cae8554ddd10e002f32d83855b220eb4ac881f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VtBvt13PT0.bat

Filesize
206B

MD5
089a219a48dab3ecfc0fb8b1cfe74b29

SHA1
cc7daef502226078c192a9296e65006a25c014af

SHA256
e5e491deedee961070dc3fe35f2670142252eb188d00735c59ab9162d2d27f67

SHA512
2eafbde875546b5aa76aaafe2ad36416bc8b5f2d7b0ab67429f4fcd00c714a775c3c734253df5d8016775353f616ce9efa28fd916bf6097da6d4360baea064bf

Download Submit
C:\Users\Default User\Idle.exe

Filesize
1.3MB

MD5
09d9a33ab3f424bba7baebf5b01d47cd

SHA1
a6425416d050388becc5367a18df4776c80065be

SHA256
356c5fd8284f7d2612c95045604186ebb5d0848e22f0ab89515e71f02227bf23

SHA512
0d93bbd487888e691a874404a8b621856a6787dc769d6c17316d8afbbf14a171d853d6f7f4b278f30cfda42d3c393baf9671bdfadabc5d704b206f854923f8dd

Download Submit
C:\Users\Default\Idle.exe

Filesize
1.3MB

MD5
f41399dde2b9b466c63861dfaa6acf5f

SHA1
8ad4f595b18acfda3d38a1f2503f9005eebbfd67

SHA256
f8e4a85a6108df991b8d079048de393a0589ac329bb608d233bbb8ae781e3451

SHA512
e000f138457001108cb87b648b92fcbdbc65397479b11e5dc464022953daebbad3af7e185f680cae8e303d4c3cd1a9c4af9601bff581150bfa7ac34ed7094c2b

Download Submit
memory/1368-13-0x00007FFD79840000-0x00007FFD7A301000-memory.dmp

Filesize
10.8MB

Download
memory/1368-5-0x00007FFD96C00000-0x00007FFD96CBE000-memory.dmp

Filesize
760KB

Download
memory/1368-6-0x00007FFD96BC0000-0x00007FFD96BC1000-memory.dmp

Filesize
4KB

Download
memory/1368-9-0x0000000002550000-0x000000000255E000-memory.dmp

Filesize
56KB

Download
memory/1368-7-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/1368-10-0x00007FFD96C00000-0x00007FFD96CBE000-memory.dmp

Filesize
760KB

Download
memory/1368-0-0x00000000002B0000-0x000000000048E000-memory.dmp

Filesize
1.9MB

Download
memory/1368-14-0x00007FFD96BB0000-0x00007FFD96BB1000-memory.dmp

Filesize
4KB

Download
memory/1368-12-0x000000001B0C0000-0x000000001B0DC000-memory.dmp

Filesize
112KB

Download
memory/1368-15-0x000000001B250000-0x000000001B2A0000-memory.dmp

Filesize
320KB

Download
memory/1368-16-0x00007FFD96BA0000-0x00007FFD96BA1000-memory.dmp

Filesize
4KB

Download
memory/1368-18-0x000000001B0E0000-0x000000001B0F8000-memory.dmp

Filesize
96KB

Download
memory/1368-19-0x00007FFD96B90000-0x00007FFD96B91000-memory.dmp

Filesize
4KB

Download
memory/1368-21-0x00000000026B0000-0x00000000026BE000-memory.dmp

Filesize
56KB

Download
memory/1368-4-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/1368-37-0x00007FFD96C00000-0x00007FFD96CBE000-memory.dmp

Filesize
760KB

Download
memory/1368-39-0x00007FFD79840000-0x00007FFD7A301000-memory.dmp

Filesize
10.8MB

Download
memory/1368-3-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1368-2-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/1368-1-0x00007FFD79840000-0x00007FFD7A301000-memory.dmp

Filesize
10.8MB

Download
memory/3172-49-0x00007FFD96C00000-0x00007FFD96CBE000-memory.dmp

Filesize
760KB

Download
memory/3172-52-0x00007FFD96BB0000-0x00007FFD96BB1000-memory.dmp

Filesize
4KB

Download
memory/3172-45-0x00000000016C0000-0x00000000016C1000-memory.dmp

Filesize
4KB

Download
memory/3172-46-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download
memory/3172-48-0x00007FFD96C00000-0x00007FFD96CBE000-memory.dmp

Filesize
760KB

Download
memory/3172-51-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download
memory/3172-44-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download
memory/3172-50-0x00007FFD96BC0000-0x00007FFD96BC1000-memory.dmp

Filesize
4KB

Download
memory/3172-55-0x00007FFD96BA0000-0x00007FFD96BA1000-memory.dmp

Filesize
4KB

Download
memory/3172-43-0x00007FFD79350000-0x00007FFD79E11000-memory.dmp

Filesize
10.8MB

Download
memory/3172-57-0x00007FFD96B90000-0x00007FFD96B91000-memory.dmp

Filesize
4KB

Download
memory/3172-56-0x00007FFD79350000-0x00007FFD79E11000-memory.dmp

Filesize
10.8MB

Download
memory/3172-59-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download
memory/3172-60-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download
memory/3172-61-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download
memory/3172-88-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download