zgrat | 7c13fcd7e8a3212b17e4d80b4497de57c5e05997e711e8135f03670562b3c3de

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 21:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PURCHASE ORDER No POCON18025.exe
Size

1.2MB
MD5

4aa969c1523e3469cdde09229e8d5295
SHA1

d6f561eaf676d924c733c5d36a4d59cf93c01546
SHA256

7c13fcd7e8a3212b17e4d80b4497de57c5e05997e711e8135f03670562b3c3de
SHA512

d2068902780076d58985162762b62072004c139f89f34d05b05f1a2f0c8dfadcc51da7adc75deaf24041722be10f350f52b204d13a88c626efa456cb1ba7befb
SSDEEP

24576:L3zAWOa3I/MOe2vRFvRo5Dtti7EQFVMTXcGN:BlOeejRsKEyVMY

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/3476-1-0x0000013C9AED0000-0x0000013C9AFB0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-4-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-5-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-7-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-9-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-11-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-13-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-15-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-17-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-19-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-21-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-23-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-27-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-29-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-31-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-25-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-33-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-37-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-43-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-47-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-45-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-49-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-51-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-53-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-41-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-39-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-35-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-55-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-57-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-59-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-61-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-63-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-65-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1
behavioral2/memory/3476-67-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe
3476	PURCHASE ORDER No POCON18025.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	PURCHASE ORDER No POCON18025.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 4328	3476	PURCHASE ORDER No POCON18025.exe	83
PID 3476 wrote to memory of 4328	3476	PURCHASE ORDER No POCON18025.exe	83
PID 3476 wrote to memory of 4948	3476	PURCHASE ORDER No POCON18025.exe	84
PID 3476 wrote to memory of 4948	3476	PURCHASE ORDER No POCON18025.exe	84
PID 3476 wrote to memory of 2324	3476	PURCHASE ORDER No POCON18025.exe	85
PID 3476 wrote to memory of 2324	3476	PURCHASE ORDER No POCON18025.exe	85
PID 3476 wrote to memory of 1540	3476	PURCHASE ORDER No POCON18025.exe	86
PID 3476 wrote to memory of 1540	3476	PURCHASE ORDER No POCON18025.exe	86
PID 3476 wrote to memory of 3040	3476	PURCHASE ORDER No POCON18025.exe	87
PID 3476 wrote to memory of 3040	3476	PURCHASE ORDER No POCON18025.exe	87
PID 3476 wrote to memory of 4020	3476	PURCHASE ORDER No POCON18025.exe	88
PID 3476 wrote to memory of 4020	3476	PURCHASE ORDER No POCON18025.exe	88
PID 3476 wrote to memory of 4468	3476	PURCHASE ORDER No POCON18025.exe	89
PID 3476 wrote to memory of 4468	3476	PURCHASE ORDER No POCON18025.exe	89
PID 3476 wrote to memory of 636	3476	PURCHASE ORDER No POCON18025.exe	90
PID 3476 wrote to memory of 636	3476	PURCHASE ORDER No POCON18025.exe	90
PID 3476 wrote to memory of 3456	3476	PURCHASE ORDER No POCON18025.exe	91
PID 3476 wrote to memory of 3456	3476	PURCHASE ORDER No POCON18025.exe	91
PID 3476 wrote to memory of 4300	3476	PURCHASE ORDER No POCON18025.exe	92
PID 3476 wrote to memory of 4300	3476	PURCHASE ORDER No POCON18025.exe	92

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe"
  2⤵
  PID:4328
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe"
  2⤵
  PID:4948
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe"
  2⤵
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe"
  2⤵
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe"
  2⤵
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe"
  2⤵
  PID:4020
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe"
  2⤵
  PID:4468
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe"
  2⤵
  PID:636
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe"
  2⤵
  PID:3456
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No POCON18025.exe"
  2⤵
  PID:4300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3476-0-0x0000013C99180000-0x0000013C992B2000-memory.dmp

Filesize
1.2MB

Download
memory/3476-1-0x0000013C9AED0000-0x0000013C9AFB0000-memory.dmp

Filesize
896KB

Download
memory/3476-2-0x00007FFB69A60000-0x00007FFB6A521000-memory.dmp

Filesize
10.8MB

Download
memory/3476-3-0x0000013CB3980000-0x0000013CB3A8A000-memory.dmp

Filesize
1.0MB

Download
memory/3476-4-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-5-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-7-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-9-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-11-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-13-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-15-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-17-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-19-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-21-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-23-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-27-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-29-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-31-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-25-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-33-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-37-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-43-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-47-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-45-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-49-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-51-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-53-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-41-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-39-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-35-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-55-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-57-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-59-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-61-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-63-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-65-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-67-0x0000013C9AED0000-0x0000013C9AFAB000-memory.dmp

Filesize
876KB

Download
memory/3476-1118-0x0000013CB3970000-0x0000013CB3980000-memory.dmp

Filesize
64KB

Download
memory/3476-1119-0x0000013C99660000-0x0000013C99661000-memory.dmp

Filesize
4KB

Download
memory/3476-1120-0x0000013CB3890000-0x0000013CB38FA000-memory.dmp

Filesize
424KB

Download
memory/3476-1121-0x0000013CB3900000-0x0000013CB394C000-memory.dmp

Filesize
304KB

Download
memory/3476-1123-0x00007FFB69A60000-0x00007FFB6A521000-memory.dmp

Filesize
10.8MB

Download