zgrat | a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02-03-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe
Size

499KB
MD5

764f801b0842d8fe564f01a81cfe4526
SHA1

d3cd929c42f808c1ddfdef4d8b528f1e1d981bba
SHA256

a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b
SHA512

5019550b6c11df7f466531f0564d6f7bfb214a92f0d508bc631e8f0a39b38a4c09611241b87bc74f509e9851c68657363d77d93436b8b2c604d9ed6e6202dc21
SSDEEP

12288:OvnWvqHe7UF6q12BlW7872GOXYtKFlK1CJsIk:UWvUGBlW787+zK1jD

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2460-0-0x0000000001250000-0x00000000012D4000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	2984	WerFault.exe	29

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2460 wrote to memory of 2984	2460	a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe	29
PID 2984 wrote to memory of 2504	2984	RegAsm.exe	30
PID 2984 wrote to memory of 2504	2984	RegAsm.exe	30
PID 2984 wrote to memory of 2504	2984	RegAsm.exe	30
PID 2984 wrote to memory of 2504	2984	RegAsm.exe	30

C:\Users\Admin\AppData\Local\Temp\a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe
"C:\Users\Admin\AppData\Local\Temp\a209c55478f217066ba1babd44459d2b0a4da6ed90aa5928280eaf6ac2f0457b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 256
    3⤵
    - Program crash
    PID:2504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2460-1-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2460-0-0x0000000001250000-0x00000000012D4000-memory.dmp

Filesize
528KB

Download
memory/2460-5-0x00000000026E0000-0x00000000046E0000-memory.dmp

Filesize
32.0MB

Download
memory/2460-21-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-9-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2984-11-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2984-4-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2984-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2984-17-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2984-13-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2984-20-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2984-7-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2984-22-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads