zgrat | 150db7e3c65a152c3a056733e8b42451ff22f13b10c6676bf4933d6f4e0797ad

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 02:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PO 803707375.exe
Size

1.6MB
MD5

d76fbdd502935147727b658a1f54606b
SHA1

5b34d209f664bb04f4a9fa431159cc1e24ccf641
SHA256

767ba9a305c7ecb8bf1779211e93bd673a8520015e64013f6e43a7ddd355f92f
SHA512

c460b4706f85507d12b00a878585db4fbdeaca2abe9fe22239c67dbab9e12dbb3b64f212e5d0461b37254ce02bbcdbe0a7b3862155f387baebf3e6ca16f979d2
SSDEEP

24576:Bu3lUF+zynY3kq1EP07HlzrGyiXoX/njc+9cRQ38mG:Bu+Y3kqJFzrcoX/njB9cY8

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/1688-2-0x0000000004390000-0x0000000004476000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-3-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-4-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-6-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-8-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-10-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-12-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-14-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-16-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-18-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-20-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-22-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-24-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-26-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-28-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-30-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-32-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-34-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-36-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-38-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-40-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-42-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-44-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-46-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-48-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-50-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-52-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-54-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-56-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-58-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-60-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-62-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-64-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1
behavioral1/memory/1688-66-0x0000000004390000-0x0000000004470000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\DATE STAMP = "C:\\Users\\Admin\\AppData\\Roaming\\DATE STAMP.exe"	PO 803707375.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 1872	1688	PO 803707375.exe	29

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	PO 803707375.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1872	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29
PID 1688 wrote to memory of 1872	1688	PO 803707375.exe	29

C:\Users\Admin\AppData\Local\Temp\PO 803707375.exe
"C:\Users\Admin\AppData\Local\Temp\PO 803707375.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
23264f3129a5d4820524bb177ff42887

SHA1
81c089417c8cda4e79528e1a8ac72a85c614a64e

SHA256
0c8da64787ff59f2494a390ae65627398ee917162960330cdba9532d4fcb8ed2

SHA512
be66e84d4df8dc686eacebdc3661421e26fd03d952a1ddf4551d7b377174c4b92fdd3f22dd1d1d3ba5f4d8cf095828d4728f2effe1edfd68d92d9b64f5302e22

Download Submit
memory/1688-36-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-40-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-3-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-4-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-6-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-8-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-10-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-12-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-14-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-16-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-18-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-20-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-22-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-24-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-26-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-28-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-30-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-32-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-34-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-0-0x00000000001F0000-0x000000000039A000-memory.dmp

Filesize
1.7MB

Download
memory/1688-2-0x0000000004390000-0x0000000004476000-memory.dmp

Filesize
920KB

Download
memory/1688-42-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-38-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-44-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-46-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-48-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-50-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-52-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-54-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-56-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-58-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-60-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-62-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-64-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-66-0x0000000004390000-0x0000000004470000-memory.dmp

Filesize
896KB

Download
memory/1688-1117-0x00000000021D0000-0x0000000002210000-memory.dmp

Filesize
256KB

Download
memory/1688-1118-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1688-1119-0x0000000002130000-0x000000000219E000-memory.dmp

Filesize
440KB

Download
memory/1688-1120-0x0000000000970000-0x00000000009BC000-memory.dmp

Filesize
304KB

Download
memory/1688-1135-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-1-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads