zgrat | a8db619c3a1f082794d5b3837c574ea528724ee2e324677362c4f49ef8fb98a3

Analysis

max time kernel
134s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/02/2024, 07:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9ed84696306d78e044856c1051e185c.exe
Size

1.5MB
MD5

b9ed84696306d78e044856c1051e185c
SHA1

4f290faab5808fa54bccd39e3db42df60d42351d
SHA256

a8db619c3a1f082794d5b3837c574ea528724ee2e324677362c4f49ef8fb98a3
SHA512

e7b61275c4b4ab99b3a51c9004c712851ec4efc54c3cbe2828ed49aa065254f6710d837850ef9cf1e3fbec3deb3c314d97f6b26ced0bd0419bde4ae0a80cd46f
SSDEEP

24576:2TbBv5rUyXVUgH7jDkPlYGxvxDFvwKY/X7PJbxxqf1++Pq/IrKQL9R5nKKFwkKS5:IBJUgHQuMF43/rw0uq/IdR9K6wC

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012284-9.dat	family_zgrat_v1
behavioral1/memory/3032-13-0x00000000002C0000-0x000000000049A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2948-50-0x0000000000990000-0x0000000000B6A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
3032	providerhostcrt.exe
2948	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\it-IT\dwm.exe	providerhostcrt.exe
File created	C:\Program Files\Windows Media Player\it-IT\6cb0b6c459d5d3	providerhostcrt.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe	providerhostcrt.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\cc11b995f2a76d	providerhostcrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe
3032	providerhostcrt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2948	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	providerhostcrt.exe
Token: SeDebugPrivilege	2948	sppsvc.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1884	2484	b9ed84696306d78e044856c1051e185c.exe	28
PID 2484 wrote to memory of 1884	2484	b9ed84696306d78e044856c1051e185c.exe	28
PID 2484 wrote to memory of 1884	2484	b9ed84696306d78e044856c1051e185c.exe	28
PID 2484 wrote to memory of 1884	2484	b9ed84696306d78e044856c1051e185c.exe	28
PID 1884 wrote to memory of 2732	1884	WScript.exe	29
PID 1884 wrote to memory of 2732	1884	WScript.exe	29
PID 1884 wrote to memory of 2732	1884	WScript.exe	29
PID 1884 wrote to memory of 2732	1884	WScript.exe	29
PID 2732 wrote to memory of 3032	2732	cmd.exe	31
PID 2732 wrote to memory of 3032	2732	cmd.exe	31
PID 2732 wrote to memory of 3032	2732	cmd.exe	31
PID 2732 wrote to memory of 3032	2732	cmd.exe	31
PID 3032 wrote to memory of 2116	3032	providerhostcrt.exe	32
PID 3032 wrote to memory of 2116	3032	providerhostcrt.exe	32
PID 3032 wrote to memory of 2116	3032	providerhostcrt.exe	32
PID 2116 wrote to memory of 2556	2116	cmd.exe	34
PID 2116 wrote to memory of 2556	2116	cmd.exe	34
PID 2116 wrote to memory of 2556	2116	cmd.exe	34
PID 2116 wrote to memory of 1072	2116	cmd.exe	35
PID 2116 wrote to memory of 1072	2116	cmd.exe	35
PID 2116 wrote to memory of 1072	2116	cmd.exe	35
PID 2116 wrote to memory of 2948	2116	cmd.exe	36
PID 2116 wrote to memory of 2948	2116	cmd.exe	36
PID 2116 wrote to memory of 2948	2116	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\b9ed84696306d78e044856c1051e185c.exe
"C:\Users\Admin\AppData\Local\Temp\b9ed84696306d78e044856c1051e185c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentWeb\1SpFc312MG8OzbJyV.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\agentWeb\QBjPWG9lUhILsJfDWr.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\agentWeb\providerhostcrt.exe
      "C:\agentWeb/providerhostcrt.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TV0JfAZ736.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2556
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1072
      - C:\Users\All Users\Templates\sppsvc.exe
        
        "C:\Users\All Users\Templates\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TV0JfAZ736.bat

Filesize
215B

MD5
fafec2595073fe9b1520ddc5e986617a

SHA1
82febece9c8584fffc405c11a0264881cb08a7f2

SHA256
6153f19722d1209321a1882827fd3c47b033f9b3415911791120ca2c40585c2c

SHA512
e18a0a957e7c64588e399d6dd68fe84c5e07750ae479de4f952963d50c987effa6c282db8397e4b7dd13203c3a4c4b3675e0fb7eba387c5d1edf8d89c68d9187

Download Submit
C:\agentWeb\1SpFc312MG8OzbJyV.vbe

Filesize
204B

MD5
bd266be679acbbfdb6ea472cbe045624

SHA1
96cf8f5c9006f5ee2b3313a5a151deecaa18f567

SHA256
0e35c21718454a6a5c430cb17fc63bfb20d0d2ca403d932704a0be28bd8b2888

SHA512
0fef40415556e65d6147c8754a6fcb56540b2d845b0521fbe9bc3c0e3d22e6a44197b8747d93dcb9f16cb528dc1a9f772870ce691a05c6282652131885b6bed0

Download Submit
C:\agentWeb\QBjPWG9lUhILsJfDWr.bat

Filesize
80B

MD5
658ab5e03b061c9c3581039abea93bcc

SHA1
5b834e72e07f8cd6618c847a9d73341aac7ed8ce

SHA256
8351e808fe2e3d2d672187f297d47a38e48f281a7b52498a571115a3cdead923

SHA512
b177a56853964d1ea4a18d9927eb3d55f43088572b678349b17f758006d3bb25b41a65128f73ef54fd8b831a3ec7f0ee1d7ea40d31ab2ae0962a52d757234d64

Download Submit
\agentWeb\providerhostcrt.exe

Filesize
1.8MB

MD5
564a6f8b6ecb3be4fc83f1a73521c8fc

SHA1
301f2a1617078ae2baa61a7e6a89ce7ac921aae0

SHA256
aa0b3b46d6234c773138281fbd0bd1c950fa5124d5ebd3ecc3c8046119a391fe

SHA512
406e737caec0268114dbc6c34f455b693528579aabcad0cbd7c897ad882af0c6afe9bd5fef26f25d9ae4bf1ffcb2f2edb807f9d8258fc714d8ac326e2822694f

Download Submit
memory/2948-63-0x0000000076CD0000-0x0000000076CD1000-memory.dmp

Filesize
4KB

Download
memory/2948-61-0x0000000076CE0000-0x0000000076CE1000-memory.dmp

Filesize
4KB

Download
memory/2948-66-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2948-65-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2948-84-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2948-64-0x000007FEF4BC0000-0x000007FEF55AC000-memory.dmp

Filesize
9.9MB

Download
memory/2948-51-0x000007FEF4BC0000-0x000007FEF55AC000-memory.dmp

Filesize
9.9MB

Download
memory/2948-67-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2948-59-0x0000000076CF0000-0x0000000076CF1000-memory.dmp

Filesize
4KB

Download
memory/2948-57-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2948-56-0x0000000076D00000-0x0000000076D01000-memory.dmp

Filesize
4KB

Download
memory/2948-54-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2948-53-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2948-86-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2948-52-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2948-50-0x0000000000990000-0x0000000000B6A000-memory.dmp

Filesize
1.9MB

Download
memory/3032-18-0x0000000076D00000-0x0000000076D01000-memory.dmp

Filesize
4KB

Download
memory/3032-47-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-30-0x00000000020B0000-0x00000000020BC000-memory.dmp

Filesize
48KB

Download
memory/3032-28-0x0000000076CD0000-0x0000000076CD1000-memory.dmp

Filesize
4KB

Download
memory/3032-27-0x0000000076CE0000-0x0000000076CE1000-memory.dmp

Filesize
4KB

Download
memory/3032-26-0x0000000002180000-0x0000000002198000-memory.dmp

Filesize
96KB

Download
memory/3032-22-0x0000000076CF0000-0x0000000076CF1000-memory.dmp

Filesize
4KB

Download
memory/3032-24-0x0000000002160000-0x000000000217C000-memory.dmp

Filesize
112KB

Download
memory/3032-21-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/3032-20-0x00000000020A0000-0x00000000020AE000-memory.dmp

Filesize
56KB

Download
memory/3032-17-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/3032-16-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/3032-15-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/3032-14-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-13-0x00000000002C0000-0x000000000049A000-memory.dmp

Filesize
1.9MB

Download