zgrat | d19a0d180f6f962ea912480c752eafe875eb2d869bc4214e4304c6ea3c525ec3

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17-02-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C94596D2DD331B02A3BDF89A8A528880.exe
Size

3.1MB
MD5

c94596d2dd331b02a3bdf89a8a528880
SHA1

fa42da7569f0baf01185969915372c068f80d926
SHA256

d19a0d180f6f962ea912480c752eafe875eb2d869bc4214e4304c6ea3c525ec3
SHA512

68d9296bc3575da5ffb6c83e811ff7129d100d6aef767c1fd7998050cdcc9ce47f28a05cbb11b11473045144d95e1b02d16dc0879c31aa701ee1637fefaeb508
SSDEEP

49152:t/5oiXZgc3ZLp7PXi19L2xjNlQH/OaZc6mwkD75TwXNElsBLtRgJjOv+7p4:t/5jXZg49oLcN+Hm7AElMLJv

Score

10^/10

zgrat discovery rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000015da6-70.dat	family_zgrat_v1
behavioral1/memory/2996-73-0x0000000000920000-0x0000000000A4A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Installer.exe

Executes dropped EXE 9 IoCs

pid	Process
2296	7z.exe
2020	7z.exe
2644	7z.exe
756	7z.exe
2156	7z.exe
2564	7z.exe
2928	7z.exe
2996	Installer.exe
1916	qemu-ga.exe

Loads dropped DLL 15 IoCs

pid	Process
2840	cmd.exe
2296	7z.exe
2840	cmd.exe
2020	7z.exe
2840	cmd.exe
2644	7z.exe
2840	cmd.exe
756	7z.exe
2840	cmd.exe
2156	7z.exe
2840	cmd.exe
2564	7z.exe
2840	cmd.exe
2928	7z.exe
2996	Installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2996	Installer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2996	Installer.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeRestorePrivilege	2296	7z.exe
Token: 35	2296	7z.exe
Token: SeSecurityPrivilege	2296	7z.exe
Token: SeSecurityPrivilege	2296	7z.exe
Token: SeRestorePrivilege	2020	7z.exe
Token: 35	2020	7z.exe
Token: SeSecurityPrivilege	2020	7z.exe
Token: SeSecurityPrivilege	2020	7z.exe
Token: SeRestorePrivilege	2644	7z.exe
Token: 35	2644	7z.exe
Token: SeSecurityPrivilege	2644	7z.exe
Token: SeSecurityPrivilege	2644	7z.exe
Token: SeRestorePrivilege	756	7z.exe
Token: 35	756	7z.exe
Token: SeSecurityPrivilege	756	7z.exe
Token: SeSecurityPrivilege	756	7z.exe
Token: SeRestorePrivilege	2156	7z.exe
Token: 35	2156	7z.exe
Token: SeSecurityPrivilege	2156	7z.exe
Token: SeSecurityPrivilege	2156	7z.exe
Token: SeRestorePrivilege	2564	7z.exe
Token: 35	2564	7z.exe
Token: SeSecurityPrivilege	2564	7z.exe
Token: SeSecurityPrivilege	2564	7z.exe
Token: SeRestorePrivilege	2928	7z.exe
Token: 35	2928	7z.exe
Token: SeSecurityPrivilege	2928	7z.exe
Token: SeSecurityPrivilege	2928	7z.exe
Token: SeDebugPrivilege	2996	Installer.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2840	2528	C94596D2DD331B02A3BDF89A8A528880.exe	28
PID 2528 wrote to memory of 2840	2528	C94596D2DD331B02A3BDF89A8A528880.exe	28
PID 2528 wrote to memory of 2840	2528	C94596D2DD331B02A3BDF89A8A528880.exe	28
PID 2528 wrote to memory of 2840	2528	C94596D2DD331B02A3BDF89A8A528880.exe	28
PID 2840 wrote to memory of 2716	2840	cmd.exe	30
PID 2840 wrote to memory of 2716	2840	cmd.exe	30
PID 2840 wrote to memory of 2716	2840	cmd.exe	30
PID 2840 wrote to memory of 2296	2840	cmd.exe	31
PID 2840 wrote to memory of 2296	2840	cmd.exe	31
PID 2840 wrote to memory of 2296	2840	cmd.exe	31
PID 2840 wrote to memory of 2020	2840	cmd.exe	32
PID 2840 wrote to memory of 2020	2840	cmd.exe	32
PID 2840 wrote to memory of 2020	2840	cmd.exe	32
PID 2840 wrote to memory of 2644	2840	cmd.exe	33
PID 2840 wrote to memory of 2644	2840	cmd.exe	33
PID 2840 wrote to memory of 2644	2840	cmd.exe	33
PID 2840 wrote to memory of 756	2840	cmd.exe	34
PID 2840 wrote to memory of 756	2840	cmd.exe	34
PID 2840 wrote to memory of 756	2840	cmd.exe	34
PID 2840 wrote to memory of 2156	2840	cmd.exe	35
PID 2840 wrote to memory of 2156	2840	cmd.exe	35
PID 2840 wrote to memory of 2156	2840	cmd.exe	35
PID 2840 wrote to memory of 2564	2840	cmd.exe	36
PID 2840 wrote to memory of 2564	2840	cmd.exe	36
PID 2840 wrote to memory of 2564	2840	cmd.exe	36
PID 2840 wrote to memory of 2928	2840	cmd.exe	37
PID 2840 wrote to memory of 2928	2840	cmd.exe	37
PID 2840 wrote to memory of 2928	2840	cmd.exe	37
PID 2840 wrote to memory of 2972	2840	cmd.exe	38
PID 2840 wrote to memory of 2972	2840	cmd.exe	38
PID 2840 wrote to memory of 2972	2840	cmd.exe	38
PID 2840 wrote to memory of 2996	2840	cmd.exe	39
PID 2840 wrote to memory of 2996	2840	cmd.exe	39
PID 2840 wrote to memory of 2996	2840	cmd.exe	39
PID 2840 wrote to memory of 2996	2840	cmd.exe	39
PID 2840 wrote to memory of 2996	2840	cmd.exe	39
PID 2840 wrote to memory of 2996	2840	cmd.exe	39
PID 2840 wrote to memory of 2996	2840	cmd.exe	39
PID 2996 wrote to memory of 1916	2996	Installer.exe	41
PID 2996 wrote to memory of 1916	2996	Installer.exe	41
PID 2996 wrote to memory of 1916	2996	Installer.exe	41
PID 2996 wrote to memory of 1916	2996	Installer.exe	41

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2972	attrib.exe

C:\Users\Admin\AppData\Local\Temp\C94596D2DD331B02A3BDF89A8A528880.exe
"C:\Users\Admin\AppData\Local\Temp\C94596D2DD331B02A3BDF89A8A528880.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p7970281081126315687166120894 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:2972
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      4⤵
      Executes dropped EXE
      PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
566KB

MD5
72217dcbc53091c9f393f7d9223bf126

SHA1
57c70b5c47317e90a307e29ab2f67328689728e2

SHA256
4133b0d6bbceb61692eafc6d811bac538e5bbe295e6527bb00b0fd7deb78bacf

SHA512
6f56305b64fa8b79daaf6a9ab2e98da9bc359d7142c9117fcf145a7c5cf69bd87805c879e11dc6302f9273b0b842422530d7b2b5d274b5377ebda3908c6fd848

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
1.4MB

MD5
b9d6ac46e587e0cba0dc808ddf8ff4a6

SHA1
13212f0294d8f33237546a1d8ebe3ad46bb9cdb4

SHA256
c16aa9e4dbd48e1ed8c464857adec7f8ab96c7bb99ebe5ed515e606f6f9fc5d6

SHA512
b79aa6b188ee506c4f731c50e2eef91cdf6a451c2b9f624cc3deb5cdec1ae67a8e28da7178b7c89d6bd2e35c809436a684a7dc7923d2e0f6c15476f3f91865e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
1.1MB

MD5
78ef711c75b0f00a7ec1896a98e9ad6b

SHA1
7862c574e0b5b947696e3a29e57f08112c0393a7

SHA256
3ca5c5b0e1af091f87b12ea3ebf2619dbe887e4612574be460d62ec0a28437c6

SHA512
93cfa803a611263e22ab0ff2ff2e122b61be0d066a4d549bbb6328d8734a761eee8ebba32ea1c1065040f3aa171e224660ed7820080503097232191f4024eecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
708KB

MD5
9d30ca6da7e697982048ba84c29913a0

SHA1
6a06eae30d3e8b40f8ef5df176a191de14bf136f

SHA256
badfe21ce2d922a3ac0a9df2d2041e99d87d452cc8a671a85a391aed708ef133

SHA512
b13fcc5ec3808e399adf62ba82043d40f7c43be760fc75c6d631aff9bebe9734b421b338775a40d6451b501b87e35ea997d442af316095b7942be142c85f1f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
708KB

MD5
3e2b235216c8830e1cb25e3dd6622071

SHA1
a12c13f28b841464bf7587c839b1bb802fecad81

SHA256
8790903f776e9ec58a75a7826a3a399fb01f65bc2bdcdd6b2d16c9a988a34f5f

SHA512
625aec87871753ea83a522c83bf1a839eb54b6a83f41e31f48c6fadcf5f931701296dddd886430bb74762eb0091201810810df4ab9c3da7276eaae72bd347e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
708KB

MD5
064959833820f24eeeb7a74e186bde96

SHA1
135afc640ab3eb78c5e1652d14dc3933d1e97fbc

SHA256
3088acfe10a83c9ee3151982a1c71a5c337c33a0468bcdb9f70abb5fe9b07ce7

SHA512
5eda06609e9093572b3c1d0f542c35ba4d73a6e49cb4fa99f34594cfff660b88028d0c813b4b7e0cd9b418a8f248cc6617d3f45c5827d8a62eceba3de8a21af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
708KB

MD5
e7ae493241e1314a72d457b4507a387d

SHA1
d71493466b0c83a2e18cb014a615ff6bd2a0560f

SHA256
3df263e125f143021977fb89faf4ebe1a21f99e3350a6bc566a6ee05e9b547df

SHA512
99018dbf53ab57e38ea0636e2e7b8f746adb2298360bf3ff1beb5d631ab42b4ecc65a27a468c8babdd8b2f9ad8a76cf61606166a620088286411f2e999226795

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
708KB

MD5
04b6aa753c909dff7a2548fc692d5d7e

SHA1
38b44f053d544d4e7930018a4058d821e68f3f68

SHA256
5936e29e28ad110b0b701539046434c823da0a125058cf11880f0b1ffabf0243

SHA512
78940c624439760967ba338b8f2c2319b6b532410f2f37222a276cb899f8f447b48e4305cd9a2039a663fcccbbde119423ad5dba885651b0d03a2a869b293d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
2.3MB

MD5
7c26068740afaabc9c296da6ba850afe

SHA1
9ff0aa43b492ea7e5f94b2d31ef9ba75d49121bb

SHA256
7fda8d2a2b1c242bb5382a5ae90fb4e5897882e30f472f604722aebc5951d821

SHA512
eedf144eeab2dc79c5552e8442c90c2a8d773081607c724d294bfbac26f6467eb5eb761d6c7f849c4e88eccd1a534608f521ff9dac497f35b1396aee2c144cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.3MB

MD5
92109861d8cd3b7c3d6b3040e32cca5a

SHA1
08b1a473bd8a070df3c1003a8f5bd5191885c0b0

SHA256
a014444ff475d3b0e3498a9324d5f7bab55073ef53ee32414ea6de886154c0f1

SHA512
5d47ecff1c03d59e7b020561577bf03b3e66c1a73fba5cc8cb52d45ab47056efbc1bacf9741558835c68fa616d7414d065335f101ac16e99744d6fbd8bdb8478

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
474B

MD5
eff7f771389f9f45dea4b3237e2b4edc

SHA1
b8f77db37dd2e395c4df239e904ba16b6ede5d10

SHA256
c01ec7124093a6708fc1b49264b8990a6b34bcca5120b464ef810d2ef38e588b

SHA512
98f4d39115ce2691bbee37114572b89ead766f24aa1817ec0bb64f3308a882bb343add378ae2bdeb8a6feb15e90f54574c136faf77de7e751d2f8ba09f7adc6e

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
memory/1916-86-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-85-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-84-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/2996-75-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/2996-83-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-76-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2996-73-0x0000000000920000-0x0000000000A4A000-memory.dmp

Filesize
1.2MB

Download
memory/2996-74-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download