zgrat

Sharing

Copy URL Twitter E-mail

General

Target

RO-exec free remake v2.0.rar
Size

2.3MB
Sample

240328-ls4sdshg51
MD5

6c9773de202cfd6bcafdbb2fc8f081b8
SHA1

d2a470f21d6e50499179ce5ee711db8b2ab3ce34
SHA256

1d5550a21ad07ce2b2916954ed7951a80907aec0a0600a7566f9af51d0ee05ea
SHA512

7904791097af7f413ef957ec226fd9561b0da50d2b67e2da27b487e423c35cf4bf975dae300a13e016ffde166eba47805fffb411370147916769ba3208e69c65
SSDEEP

49152:IzPBa6jIVq9I02Wwv5mxGOqfadevtu3k2WLrwLyZMkdi43rr7s:2B49HWcYdwade1ek2WeyZMQiojs

Score

10^/10

Malware Config

Targets

- Target
  
  RO-exec free remake v2.0.rar
- Size
  
  2.3MB
- MD5
  
  6c9773de202cfd6bcafdbb2fc8f081b8
- SHA1
  
  d2a470f21d6e50499179ce5ee711db8b2ab3ce34
- SHA256
  
  1d5550a21ad07ce2b2916954ed7951a80907aec0a0600a7566f9af51d0ee05ea
- SHA512
  
  7904791097af7f413ef957ec226fd9561b0da50d2b67e2da27b487e423c35cf4bf975dae300a13e016ffde166eba47805fffb411370147916769ba3208e69c65
- SSDEEP
  
  49152:IzPBa6jIVq9I02Wwv5mxGOqfadevtu3k2WLrwLyZMkdi43rr7s:2B49HWcYdwade1ek2WeyZMQiojs
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2
- Target
  
  RO-exec v2.0/RO-exec_Launcher.exe
- Size
  
  2.3MB
- MD5
  
  ee091b0aff43b9506fbc384642f44275
- SHA1
  
  1f0328c27b1dcbc3bc726ab5a2fa7cafc89c0ac5
- SHA256
  
  b1b4c0259825fa79fe6176502cd6900ec7411687981f8e5d9738edbd83fd9dca
- SHA512
  
  06ca311ea0db212ffeb834bd703a5e545ff69e196f7973f108248361f253d91342b431fa895b516bf54fd15c91eebcd2a4a4132560bfd2ec05310cd8217c2e00
- SSDEEP
  
  49152:uIYdMYohOojDmYf2r3klp0S++a3t99BDwlrFevdd39BRIbD8M:u2POo72b1SBw9crF6n3ZI
Score

10^/10

zgrat evasion persistence rat
- Detect ZGRat V1
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  RO-exec v2.0/auto_load.txt
- Size
  
  12B
- MD5
  
  d40890f1324388d8295afca5d41b407f
- SHA1
  
  08684923c0e4bb6f2a44983ff6fa5bf7b517d13b
- SHA256
  
  022a7c959ab7753af62091e2849806b0e5e879075188baf9d5ac918cd51535fa
- SHA512
  
  b4e0d273bb8375ea7a8f291456d76637bddb5bd36e1ba47408ddc55fa6115d24a67399592a102adc140b7f638731e5b0f9f6e7e20a7c1cdd1783ec56f2904446
Score

1^/10
behavioral5 behavioral6
- Target
  
  RO-exec v2.0/configs/arsenal.cfg
- Size
  
  972B
- MD5
  
  27b81d9d18eb32c2fd491c3076ec0aea
- SHA1
  
  402b5f985eeb30eef90bc9f4f6cb62c627a62cf6
- SHA256
  
  0869c5b04f31ade390ab2746c32766ecdca8e43c15d066cf0102ed1e7cbf5dbd
- SHA512
  
  ab8caf2fde6161b550e6cdcee5c82fb7b4045462facaa48ce338e359ac0f13b85927d6d2353e32a16a8d31671c7e8f990fc2954e3f3a0827bfb13560f790675d
Score

3^/10
behavioral7 behavioral8
- Target
  
  RO-exec v2.0/configs/autosave.cfg
- Size
  
  971B
- MD5
  
  3386ac6b55f3addf304f6e1cce51e7ca
- SHA1
  
  a7b4690e696a4d3721f6593a69cc1803ab5cd55a
- SHA256
  
  c90eef14c30d70d78bcf5a6fb1ede83befa1a7a6259f72d2134a63fdd65550c6
- SHA512
  
  794a276919ccb64733ca4a2568cb8befcea6e14f1e6e4af3100b668c87e45080860a3caa9000a28f9950a8d25d22ef67e79b26b642824e0f2192d7e6ab5cada9
Score

3^/10
behavioral10 behavioral9
- Target
  
  RO-exec v2.0/configs/counterblox.cfg
- Size
  
  978B
- MD5
  
  bc7b801b843fb2f5fd19af34b4b88d6a
- SHA1
  
  6492afe7620d1b48550fc8bec64882e01e38c438
- SHA256
  
  5d2381911347f5e870966330371ee127775e18673fb6e4c42eda237007654707
- SHA512
  
  875137975d9a9080cfa00322d0a1a8dfc095c8c7e805a3bd34987eed44ff430fadfa6ca865071acf037e89a849f02599dca6a445a9b395b13c03c77f54bf30e2
Score

3^/10
behavioral11 behavioral12
- Target
  
  RO-exec v2.0/configs/dahood.cfg
- Size
  
  996B
- MD5
  
  9489291979d19765ca4ba990df16b917
- SHA1
  
  dde51d149d847557cfb783500f3d630bf18cb7ca
- SHA256
  
  6a25e77b4c712d7ab36c5f3e50f5e65a313d699942081bc89079200824166e16
- SHA512
  
  be5c4cf4d60ad05de15458cb3fae24466640d97d47bd13be50e871b9e0e48135a63e938142370af30714b34e3ae37a03b9d8ef42162329b590b5e07d7e23191a
Score

3^/10
behavioral13 behavioral14
- Target
  
  RO-exec v2.0/configs/jailbird.cfg
- Size
  
  995B
- MD5
  
  2ea9fe525de145a918ac1b461f536145
- SHA1
  
  656881eac2aea4b4f4e045afcab7d7338eb7e72b
- SHA256
  
  7cd075c3b2abdfe1dc36769d06eb3b734e1f4dc19122402e54d1b4b2e62b7c00
- SHA512
  
  506d5bc75e9cb14028109dd0366b5ba5585afdecac03620dbb401b967d0bbec5721b63d1f4e209b89b7001654bce25e359f93d67fd430a225ebec4e3ceaeffa3
Score

3^/10
behavioral15 behavioral16
- Target
  
  RO-exec v2.0/configs/universal.cfg
- Size
  
  971B
- MD5
  
  3386ac6b55f3addf304f6e1cce51e7ca
- SHA1
  
  a7b4690e696a4d3721f6593a69cc1803ab5cd55a
- SHA256
  
  c90eef14c30d70d78bcf5a6fb1ede83befa1a7a6259f72d2134a63fdd65550c6
- SHA512
  
  794a276919ccb64733ca4a2568cb8befcea6e14f1e6e4af3100b668c87e45080860a3caa9000a28f9950a8d25d22ef67e79b26b642824e0f2192d7e6ab5cada9
Score

3^/10
behavioral17 behavioral18
- Target
  
  RO-exec v2.0/configs/weaponry.cfg
- Size
  
  970B
- MD5
  
  579fb59d2c6b985dfd4566b8a7fe3326
- SHA1
  
  6252532e06b999d05d457bd914f6a1044fcbed8f
- SHA256
  
  1390e251b4fc804f56e440cdf8245e32e9146183cc0712d4cb7fdc0e81c5c045
- SHA512
  
  a10844f9dd62627951ea9fc56fe6920e3689b01116c1405c6a5ddf331d7bc25016b1cb62179c40c00b00aa19fecf5562351a1f2ecd4b8f5ad851eb4d7fbab31e
Score

3^/10
behavioral19 behavioral20