zgrat | 1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a

Analysis

max time kernel
118s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe
Size

2.6MB
MD5

622af327a5c66ca6d6d41bf02384b590
SHA1

2e09d3d9017aec9781b77144323eacb06e7838c4
SHA256

1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a
SHA512

6155abf3c3131a7bfd2a7be9f216ee3e65a3492e8d2de256e98db8569a79cdbab3de710e41fa803aab5f96876a3eaf6ec813bb7320bca36c45d8eded34f1ecb9
SSDEEP

49152:IBJgMDRANx3WB2aXuAoVNcqUhwMH9tM+EvhyJWXovJaDiSNESDgKZR8f:yn0VkZ0yF9tMhGwHuV5KZef

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x000d000000015c4c-12.dat	family_zgrat_v1
behavioral1/memory/1988-13-0x00000000010C0000-0x0000000001384000-memory.dmp	family_zgrat_v1
behavioral1/memory/1760-83-0x0000000000CB0000-0x0000000000F74000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 3 IoCs

resource	yara_rule
behavioral1/files/0x000d000000015c4c-12.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1988-13-0x00000000010C0000-0x0000000001384000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1760-83-0x0000000000CB0000-0x0000000000F74000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 2 IoCs

pid	Process
1988	hyperbrokerhostNetsvc.exe
1760	hyperbrokerhostNetsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	cmd.exe
2444	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\hyperbrokerhostNetsvc.exe	hyperbrokerhostNetsvc.exe
File created	C:\Program Files\Windows Portable Devices\b8bca7ac5230a7	hyperbrokerhostNetsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	hyperbrokerhostNetsvc.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	hyperbrokerhostNetsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\42af1c969fbb7b	hyperbrokerhostNetsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe
1988	hyperbrokerhostNetsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	hyperbrokerhostNetsvc.exe
Token: SeDebugPrivilege	1760	hyperbrokerhostNetsvc.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2004	2896	1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe	28
PID 2896 wrote to memory of 2004	2896	1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe	28
PID 2896 wrote to memory of 2004	2896	1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe	28
PID 2896 wrote to memory of 2004	2896	1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe	28
PID 2004 wrote to memory of 2444	2004	WScript.exe	29
PID 2004 wrote to memory of 2444	2004	WScript.exe	29
PID 2004 wrote to memory of 2444	2004	WScript.exe	29
PID 2004 wrote to memory of 2444	2004	WScript.exe	29
PID 2444 wrote to memory of 1988	2444	cmd.exe	31
PID 2444 wrote to memory of 1988	2444	cmd.exe	31
PID 2444 wrote to memory of 1988	2444	cmd.exe	31
PID 2444 wrote to memory of 1988	2444	cmd.exe	31
PID 1988 wrote to memory of 1348	1988	hyperbrokerhostNetsvc.exe	32
PID 1988 wrote to memory of 1348	1988	hyperbrokerhostNetsvc.exe	32
PID 1988 wrote to memory of 1348	1988	hyperbrokerhostNetsvc.exe	32
PID 1348 wrote to memory of 1644	1348	cmd.exe	34
PID 1348 wrote to memory of 1644	1348	cmd.exe	34
PID 1348 wrote to memory of 1644	1348	cmd.exe	34
PID 1348 wrote to memory of 300	1348	cmd.exe	35
PID 1348 wrote to memory of 300	1348	cmd.exe	35
PID 1348 wrote to memory of 300	1348	cmd.exe	35
PID 1348 wrote to memory of 1760	1348	cmd.exe	36
PID 1348 wrote to memory of 1760	1348	cmd.exe	36
PID 1348 wrote to memory of 1760	1348	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe
"C:\Users\Admin\AppData\Local\Temp\1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortCommon\rjsrhuSUuh9cpi71VW4.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\PortCommon\nit1Mf9O4EmsELqVOc064rhxVFPSMSL237.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\PortCommon\hyperbrokerhostNetsvc.exe
      "C:\PortCommon/hyperbrokerhostNetsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUdTvbBlbG.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1644
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:300
      - C:\Program Files\Windows Portable Devices\hyperbrokerhostNetsvc.exe
        
        "C:\Program Files\Windows Portable Devices\hyperbrokerhostNetsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortCommon\hyperbrokerhostNetsvc.exe

Filesize
5.7MB

MD5
23710df1e01cfc3fa04052ba9f873d98

SHA1
d94a2da61571f7bb2f8a699cba385ab043c4b26b

SHA256
aec8ca62dea4bc175b0f8aed5a38fda3e879657b9d1e8dea0cdca274c4d1f3d9

SHA512
946409d67f3d4a5536fc7bc2267a1cc3a5b22334c92b635236282a9c348cc6321910e1052e8d70cc41b67d07bda422a6de01423c82c262061d60b3a3c7fcbf66

Download Submit
C:\PortCommon\nit1Mf9O4EmsELqVOc064rhxVFPSMSL237.bat

Filesize
91B

MD5
9e914413951f28ca613d66a082e6bdf5

SHA1
74c3592959853f6798a62cd735e120412d73445a

SHA256
9d67c2b67e4babb2d62c1318bd530c1706a28c7ae662cdf584dd3da06ba8bb03

SHA512
b2e17288b6a06c3ae138efcdf02b9bfc61f7416e109fe4459b9c39b682eed0a303564be7349e02af15bc2eec2c1ae6c1cb347dd7415de49627fed6bfdf7ae2e3

Download Submit
C:\PortCommon\rjsrhuSUuh9cpi71VW4.vbe

Filesize
223B

MD5
cf90e55a446d37686cb2816d101b5bb7

SHA1
7385714bbdeea11d6a430803f05a59ccd7d7e5d9

SHA256
38b60adc9820b53f1e37c5f17efd047e523a3f1b1c0486e5fd289d58b65bb5c2

SHA512
aa74811a63a82d07faa38512d2fbf119cb4c0a35e10443372ffa153fde1ddcaf2781c9b11e8da9fda8becb138050587adfbc57e43e964df1fe4fb2caf86dc86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUdTvbBlbG.bat

Filesize
243B

MD5
f8928795d7012ad7c21407d6fb75f88d

SHA1
b563109b8256ae4004c029e9ceb87fb05587574b

SHA256
5463a53f344c8686aa6b9c5136bc7cdaafad4949b5cbba3400dc2811ab74a15b

SHA512
7c16f19b66068ff9e5a12e033c713df5cd9cba03a60f64dcbb23a54945256097a9fc11dd32ac26e698a8a04a2e86e5635ea4de7e77ed27d8f27412171740e796

Download Submit
memory/1760-104-0x0000000077870000-0x0000000077871000-memory.dmp

Filesize
4KB

Download
memory/1760-137-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1760-118-0x0000000077830000-0x0000000077831000-memory.dmp

Filesize
4KB

Download
memory/1760-117-0x0000000077850000-0x0000000077851000-memory.dmp

Filesize
4KB

Download
memory/1760-116-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1760-115-0x0000000077820000-0x0000000077821000-memory.dmp

Filesize
4KB

Download
memory/1760-114-0x0000000077840000-0x0000000077841000-memory.dmp

Filesize
4KB

Download
memory/1760-112-0x0000000077860000-0x0000000077861000-memory.dmp

Filesize
4KB

Download
memory/1760-108-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1760-107-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/1760-120-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1760-101-0x0000000077880000-0x0000000077881000-memory.dmp

Filesize
4KB

Download
memory/1760-100-0x00000000778B0000-0x00000000778B1000-memory.dmp

Filesize
4KB

Download
memory/1760-119-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1760-98-0x0000000077890000-0x0000000077891000-memory.dmp

Filesize
4KB

Download
memory/1760-97-0x00000000778A0000-0x00000000778A1000-memory.dmp

Filesize
4KB

Download
memory/1760-94-0x00000000778C0000-0x00000000778C1000-memory.dmp

Filesize
4KB

Download
memory/1760-91-0x00000000778D0000-0x00000000778D1000-memory.dmp

Filesize
4KB

Download
memory/1760-90-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1760-89-0x00000000778E0000-0x00000000778E1000-memory.dmp

Filesize
4KB

Download
memory/1760-87-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1760-86-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1760-85-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1760-83-0x0000000000CB0000-0x0000000000F74000-memory.dmp

Filesize
2.8MB

Download
memory/1760-84-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-32-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/1988-40-0x0000000077880000-0x0000000077881000-memory.dmp

Filesize
4KB

Download
memory/1988-51-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/1988-53-0x000000001A8B0000-0x000000001A8C0000-memory.dmp

Filesize
64KB

Download
memory/1988-54-0x0000000077850000-0x0000000077851000-memory.dmp

Filesize
4KB

Download
memory/1988-55-0x0000000077840000-0x0000000077841000-memory.dmp

Filesize
4KB

Download
memory/1988-58-0x000000001A920000-0x000000001A92E000-memory.dmp

Filesize
56KB

Download
memory/1988-57-0x0000000077830000-0x0000000077831000-memory.dmp

Filesize
4KB

Download
memory/1988-60-0x000000001A950000-0x000000001A968000-memory.dmp

Filesize
96KB

Download
memory/1988-61-0x0000000077820000-0x0000000077821000-memory.dmp

Filesize
4KB

Download
memory/1988-62-0x0000000077810000-0x0000000077811000-memory.dmp

Filesize
4KB

Download
memory/1988-64-0x000000001B180000-0x000000001B1CE000-memory.dmp

Filesize
312KB

Download
memory/1988-50-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/1988-80-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-47-0x0000000077860000-0x0000000077861000-memory.dmp

Filesize
4KB

Download
memory/1988-46-0x000000001A900000-0x000000001A912000-memory.dmp

Filesize
72KB

Download
memory/1988-41-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/1988-43-0x000000001A8E0000-0x000000001A8F6000-memory.dmp

Filesize
88KB

Download
memory/1988-44-0x0000000077870000-0x0000000077871000-memory.dmp

Filesize
4KB

Download
memory/1988-49-0x000000001A8A0000-0x000000001A8AE000-memory.dmp

Filesize
56KB

Download
memory/1988-39-0x000000001A8C0000-0x000000001A8D2000-memory.dmp

Filesize
72KB

Download
memory/1988-35-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/1988-37-0x0000000077890000-0x0000000077891000-memory.dmp

Filesize
4KB

Download
memory/1988-36-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-33-0x00000000778A0000-0x00000000778A1000-memory.dmp

Filesize
4KB

Download
memory/1988-30-0x00000000778B0000-0x00000000778B1000-memory.dmp

Filesize
4KB

Download
memory/1988-29-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/1988-26-0x0000000000670000-0x0000000000688000-memory.dmp

Filesize
96KB

Download
memory/1988-27-0x00000000778C0000-0x00000000778C1000-memory.dmp

Filesize
4KB

Download
memory/1988-24-0x0000000000650000-0x000000000066C000-memory.dmp

Filesize
112KB

Download
memory/1988-22-0x00000000778D0000-0x00000000778D1000-memory.dmp

Filesize
4KB

Download
memory/1988-20-0x00000000778E0000-0x00000000778E1000-memory.dmp

Filesize
4KB

Download
memory/1988-21-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/1988-19-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/1988-17-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/1988-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1988-15-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/1988-14-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-13-0x00000000010C0000-0x0000000001384000-memory.dmp

Filesize
2.8MB

Download