zgrat | 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

General

Target

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Size

1.6MB
MD5

a2546c042f4e31597a83d5d0732d4730
SHA1

214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3
SHA256

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731
SHA512

af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215
SSDEEP

24576:dpvTQJAutjYcQt3icthumBbD73S8GW1VMuAK/vfgGx7Dxeylmwv4SvOnJxKISR:vkqR7CpW1auAufgGFDxeKv/WKV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/2208-0-0x0000000001320000-0x00000000014B8000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000016d27-13.dat	family_zgrat_v1
behavioral1/memory/2708-23-0x00000000001A0000-0x0000000000338000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00080000000155ea-22.dat	family_zgrat_v1
behavioral1/files/0x00080000000155ea-21.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 5 IoCs

resource	yara_rule
behavioral1/memory/2208-0-0x0000000001320000-0x00000000014B8000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0006000000016d27-13.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2708-23-0x00000000001A0000-0x0000000000338000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00080000000155ea-22.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00080000000155ea-21.dat	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 1 IoCs

pid	Process
2708	lsass.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\6ccacd8608530f	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2868	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2708	lsass.exe
2708	lsass.exe
2708	lsass.exe
2708	lsass.exe
2708	lsass.exe
2708	lsass.exe
2708	lsass.exe
2708	lsass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2708	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Token: SeDebugPrivilege	2708	lsass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2796	2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	31
PID 2208 wrote to memory of 2796	2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	31
PID 2208 wrote to memory of 2796	2208	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	31
PID 2796 wrote to memory of 2784	2796	cmd.exe	30
PID 2796 wrote to memory of 2784	2796	cmd.exe	30
PID 2796 wrote to memory of 2784	2796	cmd.exe	30
PID 2796 wrote to memory of 2868	2796	cmd.exe	29
PID 2796 wrote to memory of 2868	2796	cmd.exe	29
PID 2796 wrote to memory of 2868	2796	cmd.exe	29
PID 2796 wrote to memory of 2708	2796	cmd.exe	32
PID 2796 wrote to memory of 2708	2796	cmd.exe	32
PID 2796 wrote to memory of 2708	2796	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
"C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wJxXbIWyJW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\All Users\Microsoft Help\lsass.exe
    "C:\Users\All Users\Microsoft Help\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2708

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2868

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\lsass.exe

Filesize
130KB

MD5
6de1c88cb247ec0fbfe6d5b10a8e6c4c

SHA1
cc3be76de74a8107ee56d69821df7a56da5cd111

SHA256
4f10b4acea57bd4aece59ddd09f404dca1cdda2cf9b324dcb6c3659c62d9d19a

SHA512
318c2f6158ad1f2d68e3925f2d1b6c93154ddce61d63f27e70e3a440688f4bbf16747550a09299c09edb053917b08516080ee896d1557d821e0778bd50c672a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wJxXbIWyJW.bat

Filesize
171B

MD5
32af2a2b366bc19db0df8d92255c84d0

SHA1
00d6b113a8ec88a0ca323066ed0fd9cb55063ce6

SHA256
a7d46bbfee78499eff4e509af5654bc85546385f11c60ee0c19073b8d813cffc

SHA512
3f19d747e570e72686cdf20a05e18ddf3b5b228f061304d60ee7e3ae3998beb4c6ebb3e4cd70526348ae62acead73136240854dbf9499e03b179eb003fd27592

Download Submit
C:\Users\All Users\Microsoft Help\lsass.exe

Filesize
292KB

MD5
9dc79d8ed52cbea27a4d963b48d94380

SHA1
c5451a13cf81026692a3a553adbf6bd949203252

SHA256
15d26f675f1963a83de1a84ca2857b31db08f3f040a150c729f5f9670e49fb30

SHA512
cabd326c63623e8c34271d498f9f6ff19f4279916323ebcb4dbb24d679cd0f65c3aa4c7d27a97d7bf0722aa4801a186d04c87b1ee03e8c4034521efdc1429b30

Download Submit
C:\Users\Public\Downloads\explorer.exe

Filesize
125KB

MD5
9bf58e44b58efc9f4de8031438016d0f

SHA1
d37bbc291cf10b43d4256aed0edfbd202e0df298

SHA256
fda3aa0804d7f65f615372c715b483ca10d2eff69eafb71cf545672858ec3fa9

SHA512
21460676c3393a2378e9cde2bb1c1a7d1cecdb26c5effeb4871c55df57e2b4b0af2a1617169f21e5bbb30d74157cf0073281c491a9ada37086172954ca821a7b

Download Submit
memory/2208-1-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-2-0x000000001B060000-0x000000001B0E0000-memory.dmp

Filesize
512KB

Download
memory/2208-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2208-20-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-0-0x0000000001320000-0x00000000014B8000-memory.dmp

Filesize
1.6MB

Download
memory/2708-24-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-23-0x00000000001A0000-0x0000000000338000-memory.dmp

Filesize
1.6MB

Download
memory/2708-25-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/2708-26-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2708-27-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/2708-28-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/2708-30-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/2708-29-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-31-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download
memory/2708-32-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing