zgrat | 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

General

Target

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Size

1.6MB
MD5

a2546c042f4e31597a83d5d0732d4730
SHA1

214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3
SHA256

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731
SHA512

af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215
SSDEEP

24576:dpvTQJAutjYcQt3icthumBbD73S8GW1VMuAK/vfgGx7Dxeylmwv4SvOnJxKISR:vkqR7CpW1auAufgGFDxeKv/WKV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/1032-0-0x0000000000990000-0x0000000000B28000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000018af3-13.dat	family_zgrat_v1
behavioral1/files/0x0006000000018af3-21.dat	family_zgrat_v1
behavioral1/files/0x0006000000018af3-22.dat	family_zgrat_v1
behavioral1/memory/2796-23-0x0000000000060000-0x00000000001F8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 5 IoCs

resource	yara_rule
behavioral1/memory/1032-0-0x0000000000990000-0x0000000000B28000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0006000000018af3-13.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0006000000018af3-21.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0006000000018af3-22.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2796-23-0x0000000000060000-0x00000000001F8000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 1 IoCs

pid	Process
2796	smss.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\smss.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File opened for modification	C:\Program Files\Windows Journal\smss.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files\Windows Journal\69ddcba757bf72	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files (x86)\Uninstall Information\sppsvc.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files (x86)\Uninstall Information\0a1fd5f707cd16	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2796	smss.exe
2796	smss.exe
2796	smss.exe
2796	smss.exe
2796	smss.exe
2796	smss.exe
2796	smss.exe
2796	smss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Token: SeDebugPrivilege	2796	smss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2760	1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	31
PID 1032 wrote to memory of 2760	1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	31
PID 1032 wrote to memory of 2760	1032	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	31
PID 2760 wrote to memory of 2684	2760	cmd.exe	28
PID 2760 wrote to memory of 2684	2760	cmd.exe	28
PID 2760 wrote to memory of 2684	2760	cmd.exe	28
PID 2760 wrote to memory of 2640	2760	cmd.exe	29
PID 2760 wrote to memory of 2640	2760	cmd.exe	29
PID 2760 wrote to memory of 2640	2760	cmd.exe	29
PID 2760 wrote to memory of 2796	2760	cmd.exe	32
PID 2760 wrote to memory of 2796	2760	cmd.exe	32
PID 2760 wrote to memory of 2796	2760	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
"C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BqTVbcFHTW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\smss.exe
    "C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2796

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2684

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\smss.exe

Filesize
1.4MB

MD5
3da31ba6fd15a08541a09d34bcf54b6b

SHA1
4ba4a7850bdd4e610d7d8c5f53f8128d4d0458a1

SHA256
ef7da75fb60aee457c172a12085788498870c2c751cc0488b3df06781bf256e1

SHA512
0986655b0248751b0160216e62aaf55596c9612fd2d183582c20da8260456d84547de04a4dfc15075afe05b6c99420b162670576fed70826eae01b73719d541b

Download Submit
C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\smss.exe

Filesize
92KB

MD5
25e0fe0387fd413729558a16e928923f

SHA1
148c8d042e46ebd1eae506a310f019db007be837

SHA256
1fd8763ad1230e072df2bde13f6151fb1dbc255644994f5069c1ec639b06b0bb

SHA512
c3518ac2d1782422c22f04e93356d886572b11c24947ae4c3df71aa648016969d2529ee80f675281d3ecb060ab049af794da4095443f814315b81ca25f982ad7

Download Submit
C:\Recovery\7156ad82-9b8d-11ee-a45c-bce704e297ea\smss.exe

Filesize
42KB

MD5
bb08b8d6abbda3f0bb935afc602cac12

SHA1
e7cc301f1e99f7720e6b7e38617d5a98114d603d

SHA256
0b333bdbc79ea8d93eb5251e5a7c8746e83b085f7dc5e0f57abce6442b435a29

SHA512
70d04904cfd765f939fe58d42ac25285624d9f4c4d7cbe0a7a0026cae05092e80eb34ae78f28437e08887159b962f7e9019dc2f477acefdda71b633b9b34935c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqTVbcFHTW.bat

Filesize
233B

MD5
4de74e64fab5719f0e1d919dce0745df

SHA1
60b01c003bbc0c353990788d702324448a539fc4

SHA256
323609f8141dccd816cdd5d800a4ed70cfb921b4d2529802da08fa58932b6cd3

SHA512
3d8f7a9b22f4cd294b7bbb81d15a214da7f3efa6cdabbe5e7fb5238b39373a67eb60b80a5b308b60a964610a87344de5d5df8187869ce307e2aa3f7f5685ac55

Download Submit
memory/1032-0-0x0000000000990000-0x0000000000B28000-memory.dmp

Filesize
1.6MB

Download
memory/1032-1-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/1032-2-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1032-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1032-20-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-24-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-23-0x0000000000060000-0x00000000001F8000-memory.dmp

Filesize
1.6MB

Download
memory/2796-25-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2796-26-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2796-27-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2796-28-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2796-30-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2796-29-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-31-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2796-32-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2796-33-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download
memory/2796-34-0x000000001B380000-0x000000001B400000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing