zgrat | 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

General

Target

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Size

1.6MB
MD5

a2546c042f4e31597a83d5d0732d4730
SHA1

214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3
SHA256

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731
SHA512

af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215
SSDEEP

24576:dpvTQJAutjYcQt3icthumBbD73S8GW1VMuAK/vfgGx7Dxeylmwv4SvOnJxKISR:vkqR7CpW1auAufgGFDxeKv/WKV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/2424-0-0x0000000000370000-0x0000000000508000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000016cf7-13.dat	family_zgrat_v1
behavioral1/files/0x0008000000015be4-21.dat	family_zgrat_v1
behavioral1/files/0x0008000000015be4-22.dat	family_zgrat_v1
behavioral1/memory/2552-23-0x0000000000380000-0x0000000000518000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 5 IoCs

resource	yara_rule
behavioral1/memory/2424-0-0x0000000000370000-0x0000000000508000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0006000000016cf7-13.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0008000000015be4-21.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0008000000015be4-22.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2552-23-0x0000000000380000-0x0000000000518000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 1 IoCs

pid	Process
2552	lsm.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\en-US\lsm.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files\Windows Defender\en-US\101b941d020240	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\taskhost.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\b75386f1303e64	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files\Windows Journal\es-ES\winlogon.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files\Windows Journal\es-ES\cc11b995f2a76d	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2784	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2424	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2424	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2424	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2424	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2424	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2424	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2424	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2552	lsm.exe
2552	lsm.exe
2552	lsm.exe
2552	lsm.exe
2552	lsm.exe
2552	lsm.exe
2552	lsm.exe
2552	lsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2552	lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Token: SeDebugPrivilege	2552	lsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2808	2424	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	31
PID 2424 wrote to memory of 2808	2424	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	31
PID 2424 wrote to memory of 2808	2424	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	31
PID 2808 wrote to memory of 1288	2808	cmd.exe	28
PID 2808 wrote to memory of 1288	2808	cmd.exe	28
PID 2808 wrote to memory of 1288	2808	cmd.exe	28
PID 2808 wrote to memory of 2784	2808	cmd.exe	29
PID 2808 wrote to memory of 2784	2808	cmd.exe	29
PID 2808 wrote to memory of 2784	2808	cmd.exe	29
PID 2808 wrote to memory of 2552	2808	cmd.exe	32
PID 2808 wrote to memory of 2552	2808	cmd.exe	32
PID 2808 wrote to memory of 2552	2808	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
"C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iAXkGkYzAg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files\Windows Defender\en-US\lsm.exe
    "C:\Program Files\Windows Defender\en-US\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2552

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1288

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\SIGNUP\taskhost.exe

Filesize
1.1MB

MD5
916350ccc2d93f8d091ff247f7384cfe

SHA1
f14db4eb90b52f038f6b635a55af6f46e82438b1

SHA256
f6ddacf0d7ff3fa583df097be8de57d75b21e1e6da9a936a2ddf049c45a7cbaf

SHA512
4c7f2ea883079ecdc2dc83ff4b23bac8ce9891d27f860db04f82451f3fe11972862751d1958deb63cb5638420582b7b1995334592903b9be8a50ae2521949416

Download Submit
C:\Program Files\Windows Defender\en-US\lsm.exe

Filesize
79KB

MD5
215a128915894dd352e86b7cf80275fe

SHA1
8369377aa96cd305f49b20ed57989d452ac87971

SHA256
226c60253e5dc34de01855b11ec66b31ffe5329dda5709fa4288b0ee1aa4fa4d

SHA512
71cb404ac3f5f70b904284ade667e152fa081a8ed1af40619246e00c58869cae8789b027fb4a83921bc4c3a46b45c43a3402920923e1587b0df7099bc58d4d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAXkGkYzAg.bat

Filesize
175B

MD5
7e0050c4a1863965d47792d5519cbf39

SHA1
ae6298c037068f819164348aa4604ea2c82bb9d8

SHA256
2598d995643d61defb4578d194fad3d906fdb72fd09c7cf4841cd4503f8813dc

SHA512
c78a53a56e5fe872ce153a7b0875785aaa88cd7f557c6b6a74f62b61f5691e213f6c24c645921c0acbb0b5829b14d7792ad839299fcf9235fff32faf4e81197f

Download Submit
memory/2424-3-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2424-2-0x000000001AE30000-0x000000001AEB0000-memory.dmp

Filesize
512KB

Download
memory/2424-20-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-1-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2424-0-0x0000000000370000-0x0000000000508000-memory.dmp

Filesize
1.6MB

Download
memory/2552-25-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2552-24-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

Filesize
9.9MB

Download
memory/2552-23-0x0000000000380000-0x0000000000518000-memory.dmp

Filesize
1.6MB

Download
memory/2552-26-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2552-27-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2552-28-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2552-29-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

Filesize
9.9MB

Download
memory/2552-30-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2552-31-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download
memory/2552-32-0x000000001B000000-0x000000001B080000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing