zgrat | b20682412165f6a01fc877eeedce94553542d45c8fd952c5198a95984b17f92f

Analysis

max time kernel
132s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b20682412165f6a01fc877eeedce94553542d45c8fd952c5198a95984b17f92f.exe
Size

812KB
MD5

5a97f5e907d0d08e660191e5b340ea4a
SHA1

4ff5d824392c7b3fd7b2d13d657cb20020934532
SHA256

b20682412165f6a01fc877eeedce94553542d45c8fd952c5198a95984b17f92f
SHA512

eca2a2d33c9b12cbce1e082fdb553b6279e1fb2abc1e4aad1b5cb0f7cc0f021638a7241b00aef0189c730d7fdbed3778761bdaf833f7d377f71709acd0088f5a
SSDEEP

6144:W9/XXL5hWSEfh8uveT25mbkYjF/mbkYjFJRHpV3x:W9/XXL5xs62QwYjFuwYjFJ/Vh

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/1280-28-0x0000000006F20000-0x000000000712C000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-30-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-34-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-40-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-44-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-48-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-52-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-58-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-60-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-62-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-64-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-68-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-70-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-74-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-80-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-82-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-84-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-86-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-88-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-92-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-90-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-78-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-76-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-72-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-66-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-56-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-54-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-50-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-46-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-42-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-38-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-36-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-32-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1
behavioral2/memory/1280-29-0x0000000006F20000-0x0000000007126000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with Babel 1 IoCs

resource	yara_rule
behavioral2/memory/1516-0-0x0000000000750000-0x00000000007F2000-memory.dmp	INDICATOR_EXE_Packed_Babel

Detects executables packed with SmartAssembly 3 IoCs

resource	yara_rule
behavioral2/files/0x000800000001e59a-18.dat	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/files/0x000800000001e59a-20.dat	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1280-22-0x00000000009F0000-0x0000000000CC4000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1516	b20682412165f6a01fc877eeedce94553542d45c8fd952c5198a95984b17f92f.exe
1516	b20682412165f6a01fc877eeedce94553542d45c8fd952c5198a95984b17f92f.exe
1516	b20682412165f6a01fc877eeedce94553542d45c8fd952c5198a95984b17f92f.exe
1516	b20682412165f6a01fc877eeedce94553542d45c8fd952c5198a95984b17f92f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	b20682412165f6a01fc877eeedce94553542d45c8fd952c5198a95984b17f92f.exe

C:\Users\Admin\AppData\Local\Temp\b20682412165f6a01fc877eeedce94553542d45c8fd952c5198a95984b17f92f.exe
"C:\Users\Admin\AppData\Local\Temp\b20682412165f6a01fc877eeedce94553542d45c8fd952c5198a95984b17f92f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516
- C:\Users\Admin\AppData\Local\Temp\sTS7gfSinef.pif
  "C:\Users\Admin\AppData\Local\Temp\sTS7gfSinef.pif"
  2⤵
  PID:1280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxezppfj.hrf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sTS7gfSinef.pif

Filesize
40KB

MD5
2e82a5d215aac0b422943c0f35862c5c

SHA1
4d10250e3f2d51b34b19df802cb317267db62d6a

SHA256
4e862c5edb2886eff892e80676c18f5fa472ccf2acc2302c2597dbf3a14f64b8

SHA512
3ca9c7a9dab2e1dd90222102e9ded2b88c42a997a5dcf36f09dea4b95ce4f4920e45627543b31ba9f0eebd7859e612e65a177e69e75bbfaae6b23a4640d009ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\sTS7gfSinef.pif

Filesize
27KB

MD5
fe75805e83940b9d8d824b067be80688

SHA1
ed9724331efe9acc0be715968667f27a011ac346

SHA256
82814c333a4feb6bd46031a7ce65229cba65cd016b3f4db9e3e747ca7674e9c1

SHA512
28eaffc42c720670b795eed48cdcb10f934525800dc32502bdb21acecc5689d99496028da96d4987ece0c1d7a997c077b09566c6d27cb0d8458b160767b2151b

Download Submit
memory/1280-64-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-38-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-68-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-29-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-32-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-36-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-70-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-24-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/1280-25-0x0000000005780000-0x0000000005990000-memory.dmp

Filesize
2.1MB

Download
memory/1280-26-0x0000000006B00000-0x0000000006D10000-memory.dmp

Filesize
2.1MB

Download
memory/1280-27-0x0000000006D10000-0x0000000006F20000-memory.dmp

Filesize
2.1MB

Download
memory/1280-28-0x0000000006F20000-0x000000000712C000-memory.dmp

Filesize
2.0MB

Download
memory/1280-30-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-34-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-40-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-44-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-48-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-52-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-58-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-60-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-62-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-22-0x00000000009F0000-0x0000000000CC4000-memory.dmp

Filesize
2.8MB

Download
memory/1280-42-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-23-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/1280-84-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-80-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-82-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-74-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-86-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-88-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-92-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-90-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-78-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-76-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-72-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-66-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-56-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-54-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-50-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1280-46-0x0000000006F20000-0x0000000007126000-memory.dmp

Filesize
2.0MB

Download
memory/1516-14-0x000000001B610000-0x000000001B620000-memory.dmp

Filesize
64KB

Download
memory/1516-13-0x00007FF8051E0000-0x00007FF805CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1516-12-0x000000001B580000-0x000000001B5A2000-memory.dmp

Filesize
136KB

Download
memory/1516-2-0x000000001B610000-0x000000001B620000-memory.dmp

Filesize
64KB

Download
memory/1516-1-0x00007FF8051E0000-0x00007FF805CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1516-0-0x0000000000750000-0x00000000007F2000-memory.dmp

Filesize
648KB

Download
memory/1516-21-0x00007FF8051E0000-0x00007FF805CA1000-memory.dmp

Filesize
10.8MB

Download