zgrat | 9c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
19-03-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455.exe
Size

2.5MB
MD5

af00c05a5029f7fd7dac013bb01d220c
SHA1

f862ca3da392e901baf29eff5daebf57466cd62f
SHA256

9c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455
SHA512

6470ef81ecbde644d9ac0dd7a38ef89671d07065311cb07887257108195c4d646557136fd0c2f620cd65525044106524f5cd649146459a84e85184f0a643b572
SSDEEP

24576:W3TZV5M5F3tiPNMtPcp3MAtjkwbOo9JPWCcSodJKsUpOLrF6qiz+q/pGzELEVnQx:if5G3G+tUpjjzCo/rXgKfpOLNdcWY

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/4856-6-0x0000000005090000-0x0000000005166000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-12-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-10-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-18-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-22-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-20-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-24-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-16-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-26-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-28-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-14-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-9-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-32-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-40-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-46-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-44-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-42-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-38-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-36-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-34-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-30-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-48-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-56-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-62-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-64-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-66-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-70-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-68-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-60-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-58-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-54-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-52-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1
behavioral2/memory/4856-50-0x0000000005090000-0x0000000005160000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2896 set thread context of 4856	2896	9c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455.exe	82

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	jsc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 4856	2896	9c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455.exe	82
PID 2896 wrote to memory of 4856	2896	9c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455.exe	82
PID 2896 wrote to memory of 4856	2896	9c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455.exe	82
PID 2896 wrote to memory of 4856	2896	9c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455.exe	82
PID 2896 wrote to memory of 4856	2896	9c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455.exe	82

C:\Users\Admin\AppData\Local\Temp\9c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455.exe
"C:\Users\Admin\AppData\Local\Temp\9c621294c689defc4b76da675ded71aa710ab5fa20498f1d4dfa6fc1d4bc2455.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2896-5-0x00007FF667D90000-0x00007FF668078000-memory.dmp

Filesize
2.9MB

Download
memory/4856-4-0x0000000000740000-0x00000000007B0000-memory.dmp

Filesize
448KB

Download
memory/4856-6-0x0000000005090000-0x0000000005166000-memory.dmp

Filesize
856KB

Download
memory/4856-8-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/4856-12-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-10-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-18-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-22-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-20-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-24-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-16-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-26-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-28-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-14-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-9-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-7-0x0000000074C40000-0x00000000753F1000-memory.dmp

Filesize
7.7MB

Download
memory/4856-32-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-40-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-46-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-44-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-42-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-38-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-36-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-34-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-30-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-48-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-56-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-62-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-64-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-66-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-70-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-68-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-60-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-58-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-54-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-52-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-50-0x0000000005090000-0x0000000005160000-memory.dmp

Filesize
832KB

Download
memory/4856-6093-0x0000000005260000-0x00000000052C6000-memory.dmp

Filesize
408KB

Download
memory/4856-6094-0x0000000074C40000-0x00000000753F1000-memory.dmp

Filesize
7.7MB

Download
memory/4856-6095-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads