zgrat | 74d236fe36375d9089df6ecc439bf91f291c89e241e1158e4752dc1dca4b1f66

General

Target

0a0df93ba37270e35a35daaf3c1b1eab.exe
Size

1.6MB
MD5

0a0df93ba37270e35a35daaf3c1b1eab
SHA1

20dfdfae4e2caab0c7baf06769de0b5ab8f3bc8d
SHA256

74d236fe36375d9089df6ecc439bf91f291c89e241e1158e4752dc1dca4b1f66
SHA512

6c1dcba5b35ae2da76bb4b9b77cfdafce9f6a2255165f30f53927f5aac1dc4647d2d96becd930a6d9ac6c3fb205b48baf48b6e80feb7f29b4806c28f559b2ec8
SSDEEP

24576:1tHAOAiXfNN3gP1PLIaf+z21zQsr1z+JC+fBb1y9VAuhz43U:/gOpN41zXZ1N8JCIb09VAuV4

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/1312-0-0x00000000001B0000-0x000000000034A000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000018b73-12.dat	family_zgrat_v1
behavioral1/memory/2420-22-0x0000000000900000-0x0000000000A9A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
2420	explorer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Logs\wininit.exe	0a0df93ba37270e35a35daaf3c1b1eab.exe
File opened for modification	C:\Windows\Logs\wininit.exe	0a0df93ba37270e35a35daaf3c1b1eab.exe
File created	C:\Windows\Logs\56085415360792	0a0df93ba37270e35a35daaf3c1b1eab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1312	0a0df93ba37270e35a35daaf3c1b1eab.exe
1312	0a0df93ba37270e35a35daaf3c1b1eab.exe
1312	0a0df93ba37270e35a35daaf3c1b1eab.exe
1312	0a0df93ba37270e35a35daaf3c1b1eab.exe
1312	0a0df93ba37270e35a35daaf3c1b1eab.exe
1312	0a0df93ba37270e35a35daaf3c1b1eab.exe
1312	0a0df93ba37270e35a35daaf3c1b1eab.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	0a0df93ba37270e35a35daaf3c1b1eab.exe
Token: SeDebugPrivilege	2420	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2628	1312	0a0df93ba37270e35a35daaf3c1b1eab.exe	28
PID 1312 wrote to memory of 2628	1312	0a0df93ba37270e35a35daaf3c1b1eab.exe	28
PID 1312 wrote to memory of 2628	1312	0a0df93ba37270e35a35daaf3c1b1eab.exe	28
PID 2628 wrote to memory of 2540	2628	cmd.exe	30
PID 2628 wrote to memory of 2540	2628	cmd.exe	30
PID 2628 wrote to memory of 2540	2628	cmd.exe	30
PID 2628 wrote to memory of 2528	2628	cmd.exe	31
PID 2628 wrote to memory of 2528	2628	cmd.exe	31
PID 2628 wrote to memory of 2528	2628	cmd.exe	31
PID 2628 wrote to memory of 2420	2628	cmd.exe	32
PID 2628 wrote to memory of 2420	2628	cmd.exe	32
PID 2628 wrote to memory of 2420	2628	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\0a0df93ba37270e35a35daaf3c1b1eab.exe
"C:\Users\Admin\AppData\Local\Temp\0a0df93ba37270e35a35daaf3c1b1eab.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fgtTePpmGm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2540
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2528
- - C:\Recovery\52b0f462-d10e-11ee-9e98-caf795fd2ae4\explorer.exe
    "C:\Recovery\52b0f462-d10e-11ee-9e98-caf795fd2ae4\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\52b0f462-d10e-11ee-9e98-caf795fd2ae4\explorer.exe

Filesize
1.6MB

MD5
0a0df93ba37270e35a35daaf3c1b1eab

SHA1
20dfdfae4e2caab0c7baf06769de0b5ab8f3bc8d

SHA256
74d236fe36375d9089df6ecc439bf91f291c89e241e1158e4752dc1dca4b1f66

SHA512
6c1dcba5b35ae2da76bb4b9b77cfdafce9f6a2255165f30f53927f5aac1dc4647d2d96becd930a6d9ac6c3fb205b48baf48b6e80feb7f29b4806c28f559b2ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgtTePpmGm.bat

Filesize
237B

MD5
9ae699751a22ad968d8f8df2e48a0b80

SHA1
131685cf68fcbe3e59e0e707da6ad9e5fe5588c1

SHA256
9819cec1d27b33011ad6e29c752dfd8f3a1ab24b326b9202bee604fc88381335

SHA512
b77c9e276e769d583b4c0aeef24bec986e2b9e0772b7dc51e1626c571ef6a473a1376af3495d035f64431090be594c0b5101a80543e283bd4f2954773c326ad5

Download Submit
memory/1312-0-0x00000000001B0000-0x000000000034A000-memory.dmp

Filesize
1.6MB

Download
memory/1312-1-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/1312-2-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/1312-3-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1312-19-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-24-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2420-22-0x0000000000900000-0x0000000000A9A000-memory.dmp

Filesize
1.6MB

Download
memory/2420-23-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-25-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2420-26-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2420-27-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2420-28-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-29-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2420-30-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2420-31-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing