zgrat | b12ca6670877a54a4762123516c35021e8ec9c5c231f31a134cde611fea65490

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

795921061997e8c1fe2c61df65a8ba2a.exe
Size

5.6MB
MD5

795921061997e8c1fe2c61df65a8ba2a
SHA1

8df4896d0686ba1fb6cb5ad04517019be7a46dde
SHA256

b12ca6670877a54a4762123516c35021e8ec9c5c231f31a134cde611fea65490
SHA512

7d6eb9087ed6eedbda164aada9a3c792e2e03b754cee59402287da26ae58e3c3a6b45bd31dc90a593a627709ba8eae479de91d6929ca7b1a20edc98b2ff780c8
SSDEEP

49152:xLggQyNoVWo1AAP+TxjQV4tuTbBesknFLIxYB0lj81zcZs:6yN8gTxsaQ9wFLIuBI81Us

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2372-2-0x000000001B5A0000-0x000000001B73A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-3-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-4-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-6-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-8-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-10-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-12-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-14-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-16-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-18-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-20-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-22-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-26-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-28-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-24-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-30-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-32-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-34-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-36-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-38-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-40-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-42-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-46-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-48-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-44-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-50-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-52-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-56-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-54-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-58-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-60-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-62-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-64-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1
behavioral1/memory/2372-66-0x000000001B5A0000-0x000000001B733000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2372	795921061997e8c1fe2c61df65a8ba2a.exe
2372	795921061997e8c1fe2c61df65a8ba2a.exe
2372	795921061997e8c1fe2c61df65a8ba2a.exe
2372	795921061997e8c1fe2c61df65a8ba2a.exe
2372	795921061997e8c1fe2c61df65a8ba2a.exe
2372	795921061997e8c1fe2c61df65a8ba2a.exe
2372	795921061997e8c1fe2c61df65a8ba2a.exe
2372	795921061997e8c1fe2c61df65a8ba2a.exe
2372	795921061997e8c1fe2c61df65a8ba2a.exe
2372	795921061997e8c1fe2c61df65a8ba2a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	795921061997e8c1fe2c61df65a8ba2a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1680	2372	795921061997e8c1fe2c61df65a8ba2a.exe	28
PID 2372 wrote to memory of 1680	2372	795921061997e8c1fe2c61df65a8ba2a.exe	28
PID 2372 wrote to memory of 1680	2372	795921061997e8c1fe2c61df65a8ba2a.exe	28
PID 2372 wrote to memory of 1680	2372	795921061997e8c1fe2c61df65a8ba2a.exe	28
PID 2372 wrote to memory of 1680	2372	795921061997e8c1fe2c61df65a8ba2a.exe	28
PID 2372 wrote to memory of 1680	2372	795921061997e8c1fe2c61df65a8ba2a.exe	28
PID 2372 wrote to memory of 1680	2372	795921061997e8c1fe2c61df65a8ba2a.exe	28
PID 2372 wrote to memory of 1680	2372	795921061997e8c1fe2c61df65a8ba2a.exe	28
PID 2372 wrote to memory of 1680	2372	795921061997e8c1fe2c61df65a8ba2a.exe	28
PID 2372 wrote to memory of 1680	2372	795921061997e8c1fe2c61df65a8ba2a.exe	28
PID 2372 wrote to memory of 1628	2372	795921061997e8c1fe2c61df65a8ba2a.exe	29
PID 2372 wrote to memory of 1628	2372	795921061997e8c1fe2c61df65a8ba2a.exe	29
PID 2372 wrote to memory of 1628	2372	795921061997e8c1fe2c61df65a8ba2a.exe	29
PID 2372 wrote to memory of 1628	2372	795921061997e8c1fe2c61df65a8ba2a.exe	29
PID 2372 wrote to memory of 1628	2372	795921061997e8c1fe2c61df65a8ba2a.exe	29
PID 2372 wrote to memory of 1628	2372	795921061997e8c1fe2c61df65a8ba2a.exe	29
PID 2372 wrote to memory of 1628	2372	795921061997e8c1fe2c61df65a8ba2a.exe	29
PID 2372 wrote to memory of 1628	2372	795921061997e8c1fe2c61df65a8ba2a.exe	29
PID 2372 wrote to memory of 1628	2372	795921061997e8c1fe2c61df65a8ba2a.exe	29
PID 2372 wrote to memory of 1628	2372	795921061997e8c1fe2c61df65a8ba2a.exe	29
PID 2372 wrote to memory of 1340	2372	795921061997e8c1fe2c61df65a8ba2a.exe	30
PID 2372 wrote to memory of 1340	2372	795921061997e8c1fe2c61df65a8ba2a.exe	30
PID 2372 wrote to memory of 1340	2372	795921061997e8c1fe2c61df65a8ba2a.exe	30
PID 2372 wrote to memory of 1340	2372	795921061997e8c1fe2c61df65a8ba2a.exe	30
PID 2372 wrote to memory of 1340	2372	795921061997e8c1fe2c61df65a8ba2a.exe	30
PID 2372 wrote to memory of 1340	2372	795921061997e8c1fe2c61df65a8ba2a.exe	30
PID 2372 wrote to memory of 1340	2372	795921061997e8c1fe2c61df65a8ba2a.exe	30
PID 2372 wrote to memory of 1340	2372	795921061997e8c1fe2c61df65a8ba2a.exe	30
PID 2372 wrote to memory of 1340	2372	795921061997e8c1fe2c61df65a8ba2a.exe	30
PID 2372 wrote to memory of 1340	2372	795921061997e8c1fe2c61df65a8ba2a.exe	30
PID 2372 wrote to memory of 960	2372	795921061997e8c1fe2c61df65a8ba2a.exe	31
PID 2372 wrote to memory of 960	2372	795921061997e8c1fe2c61df65a8ba2a.exe	31
PID 2372 wrote to memory of 960	2372	795921061997e8c1fe2c61df65a8ba2a.exe	31
PID 2372 wrote to memory of 960	2372	795921061997e8c1fe2c61df65a8ba2a.exe	31
PID 2372 wrote to memory of 960	2372	795921061997e8c1fe2c61df65a8ba2a.exe	31
PID 2372 wrote to memory of 960	2372	795921061997e8c1fe2c61df65a8ba2a.exe	31
PID 2372 wrote to memory of 960	2372	795921061997e8c1fe2c61df65a8ba2a.exe	31
PID 2372 wrote to memory of 960	2372	795921061997e8c1fe2c61df65a8ba2a.exe	31
PID 2372 wrote to memory of 960	2372	795921061997e8c1fe2c61df65a8ba2a.exe	31
PID 2372 wrote to memory of 960	2372	795921061997e8c1fe2c61df65a8ba2a.exe	31
PID 2372 wrote to memory of 2516	2372	795921061997e8c1fe2c61df65a8ba2a.exe	32
PID 2372 wrote to memory of 2516	2372	795921061997e8c1fe2c61df65a8ba2a.exe	32
PID 2372 wrote to memory of 2516	2372	795921061997e8c1fe2c61df65a8ba2a.exe	32
PID 2372 wrote to memory of 2516	2372	795921061997e8c1fe2c61df65a8ba2a.exe	32
PID 2372 wrote to memory of 2516	2372	795921061997e8c1fe2c61df65a8ba2a.exe	32
PID 2372 wrote to memory of 2516	2372	795921061997e8c1fe2c61df65a8ba2a.exe	32
PID 2372 wrote to memory of 2516	2372	795921061997e8c1fe2c61df65a8ba2a.exe	32
PID 2372 wrote to memory of 2516	2372	795921061997e8c1fe2c61df65a8ba2a.exe	32
PID 2372 wrote to memory of 2516	2372	795921061997e8c1fe2c61df65a8ba2a.exe	32
PID 2372 wrote to memory of 2516	2372	795921061997e8c1fe2c61df65a8ba2a.exe	32
PID 2372 wrote to memory of 664	2372	795921061997e8c1fe2c61df65a8ba2a.exe	33
PID 2372 wrote to memory of 664	2372	795921061997e8c1fe2c61df65a8ba2a.exe	33
PID 2372 wrote to memory of 664	2372	795921061997e8c1fe2c61df65a8ba2a.exe	33
PID 2372 wrote to memory of 664	2372	795921061997e8c1fe2c61df65a8ba2a.exe	33
PID 2372 wrote to memory of 664	2372	795921061997e8c1fe2c61df65a8ba2a.exe	33
PID 2372 wrote to memory of 664	2372	795921061997e8c1fe2c61df65a8ba2a.exe	33
PID 2372 wrote to memory of 664	2372	795921061997e8c1fe2c61df65a8ba2a.exe	33
PID 2372 wrote to memory of 664	2372	795921061997e8c1fe2c61df65a8ba2a.exe	33
PID 2372 wrote to memory of 664	2372	795921061997e8c1fe2c61df65a8ba2a.exe	33
PID 2372 wrote to memory of 664	2372	795921061997e8c1fe2c61df65a8ba2a.exe	33
PID 2372 wrote to memory of 3004	2372	795921061997e8c1fe2c61df65a8ba2a.exe	34
PID 2372 wrote to memory of 3004	2372	795921061997e8c1fe2c61df65a8ba2a.exe	34
PID 2372 wrote to memory of 3004	2372	795921061997e8c1fe2c61df65a8ba2a.exe	34
PID 2372 wrote to memory of 3004	2372	795921061997e8c1fe2c61df65a8ba2a.exe	34

C:\Users\Admin\AppData\Local\Temp\795921061997e8c1fe2c61df65a8ba2a.exe
"C:\Users\Admin\AppData\Local\Temp\795921061997e8c1fe2c61df65a8ba2a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:1628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:1340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:1608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:2948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2372-0-0x0000000001040000-0x00000000015DE000-memory.dmp

Filesize
5.6MB

Download
memory/2372-1-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-2-0x000000001B5A0000-0x000000001B73A000-memory.dmp

Filesize
1.6MB

Download
memory/2372-3-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-4-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-6-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-8-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-10-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-12-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-14-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-16-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-18-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-20-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-22-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-26-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-28-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-24-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-30-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-32-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-34-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-36-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-38-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-40-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-42-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-46-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-48-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-44-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-50-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-52-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-56-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-54-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-58-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-60-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-62-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-64-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-66-0x000000001B5A0000-0x000000001B733000-memory.dmp

Filesize
1.6MB

Download
memory/2372-1117-0x000000001B520000-0x000000001B5A0000-memory.dmp

Filesize
512KB

Download
memory/2372-1118-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2372-1119-0x000000001BA20000-0x000000001BB42000-memory.dmp

Filesize
1.1MB

Download
memory/2372-1120-0x0000000000560000-0x00000000005AC000-memory.dmp

Filesize
304KB

Download
memory/2372-1201-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download