zgrat | 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

General

Target

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Size

1.6MB
MD5

a2546c042f4e31597a83d5d0732d4730
SHA1

214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3
SHA256

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731
SHA512

af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215
SSDEEP

24576:dpvTQJAutjYcQt3icthumBbD73S8GW1VMuAK/vfgGx7Dxeylmwv4SvOnJxKISR:vkqR7CpW1auAufgGFDxeKv/WKV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/2960-0-0x0000000001390000-0x0000000001528000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00070000000160af-13.dat	family_zgrat_v1
behavioral1/files/0x0009000000015d98-21.dat	family_zgrat_v1
behavioral1/files/0x0009000000015d98-22.dat	family_zgrat_v1
behavioral1/memory/2584-23-0x0000000000320000-0x00000000004B8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 5 IoCs

resource	yara_rule
behavioral1/memory/2960-0-0x0000000001390000-0x0000000001528000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00070000000160af-13.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0009000000015d98-21.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0009000000015d98-22.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2584-23-0x0000000000320000-0x00000000004B8000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 1 IoCs

pid	Process
2584	System.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\sppsvc.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\0a1fd5f707cd16	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Token: SeDebugPrivilege	2584	System.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2916	2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	29
PID 2960 wrote to memory of 2916	2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	29
PID 2960 wrote to memory of 2916	2960	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	29
PID 2916 wrote to memory of 2572	2916	cmd.exe	30
PID 2916 wrote to memory of 2572	2916	cmd.exe	30
PID 2916 wrote to memory of 2572	2916	cmd.exe	30
PID 2916 wrote to memory of 2536	2916	cmd.exe	31
PID 2916 wrote to memory of 2536	2916	cmd.exe	31
PID 2916 wrote to memory of 2536	2916	cmd.exe	31
PID 2916 wrote to memory of 2584	2916	cmd.exe	32
PID 2916 wrote to memory of 2584	2916	cmd.exe	32
PID 2916 wrote to memory of 2584	2916	cmd.exe	32
PID 2584 wrote to memory of 2624	2584	System.exe	33
PID 2584 wrote to memory of 2624	2584	System.exe	33
PID 2584 wrote to memory of 2624	2584	System.exe	33

C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
"C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwKwML3MOn.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2572
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2536
- - C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe
    "C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2584 -s 1156
      4⤵
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe

Filesize
1.1MB

MD5
84335b99118bcbfab3ec26d7a653298c

SHA1
3f59595d288d6bb7e6b633bb7af6075887ffbe23

SHA256
6bcc98a5ca3f4dff1d3e31b79d570f03d8643ba55e0b1ae33b5f7d680d0fe5f9

SHA512
983d7f5882df5c0d779f17eee0263b0b42fcef311ffabf5ead8dc72e21d6f2ef7d35bf0e3ac03ff5d4840b839a2a586f077d0c9f27d64bc6658f88579e56db7e

Download Submit
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe

Filesize
128KB

MD5
48bd585ebdbe1f66d736bf5fd7753963

SHA1
ac7368b7d0ee94b4093be68265cbba9eb505d43b

SHA256
a6811202c0f5d283f69bb895df136b89071ac05f7b654a96cb021176e633c530

SHA512
f97b9e974a179585eb6cb9e51bfabafce2265ceab108169fa80bf9a657ab9206e3cbe362f8fa0093d7457468e9ccca7dd17e01b49e4e62df88f36b0206a3e917

Download Submit
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\winlogon.exe

Filesize
1.6MB

MD5
a2546c042f4e31597a83d5d0732d4730

SHA1
214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3

SHA256
8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

SHA512
af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwKwML3MOn.bat

Filesize
235B

MD5
edec1552e8991233d9906ec081e817d1

SHA1
ed19199337a75235ee2bea64a6ab57c44577720c

SHA256
129e12f007e8036da251d978a30bc02eb87c3cb37275c74da84a3041d78a62be

SHA512
ca4f2d0a7b2730f2eb55252dee54baa11fd0bcd4bd392a37d5953db4afdb4205c9fbb4df5eab45bb84765d88ccdf2e53641b133a41aa6b789154f0950891d167

Download Submit
memory/2584-26-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2584-24-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2584-23-0x0000000000320000-0x00000000004B8000-memory.dmp

Filesize
1.6MB

Download
memory/2584-25-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2584-27-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2584-28-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2584-29-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2584-30-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2960-0-0x0000000001390000-0x0000000001528000-memory.dmp

Filesize
1.6MB

Download
memory/2960-20-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2960-2-0x0000000000A70000-0x0000000000AF0000-memory.dmp

Filesize
512KB

Download
memory/2960-1-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2960-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing