Malware Analysis Report

2024-11-15 05:58

Sample ID 240404-t3tzyace81
Target Launcher4.exe
SHA256 43302fd5ef74a7c1e9c4e2c899b3828851502b64917d77be603243c741a42043
Tags
zgrat rhadamanthys rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43302fd5ef74a7c1e9c4e2c899b3828851502b64917d77be603243c741a42043

Threat Level: Known bad

The file Launcher4.exe was found to be: Known bad.

Malicious Activity Summary

zgrat rhadamanthys rat stealer

Rhadamanthys

Detect ZGRat V1

Zgrat family

Suspicious use of NtCreateUserProcessOtherParentProcess

ZGRat

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-04 16:39

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Zgrat family

zgrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 16:35

Reported

2024-04-04 16:43

Platform

win7-20231129-en

Max time kernel

120s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2252 created 1336 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Explorer.EXE

ZGRat

rat zgrat

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2240 set thread context of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2240 wrote to memory of 2252 (14 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2252 wrote to memory of 2736 (9 identical events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\dialer.exe

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | "C:\Users\Admin\AppData\Local\Temp\Launcher4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe"

Network

N/A

Files

memory/2240-0-0x0000000001320000-0x00000000013A8000-memory.dmp

memory/2240-1-0x0000000073F40000-0x000000007462E000-memory.dmp

memory/2240-2-0x0000000004D60000-0x0000000004DA0000-memory.dmp

memory/2240-6-0x00000000027B0000-0x00000000047B0000-memory.dmp

memory/2252-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2252-11-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2252-10-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2252-9-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2240-17-0x0000000073F40000-0x000000007462E000-memory.dmp

memory/2252-14-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2252-8-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2252-7-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2252-5-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2252-18-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2252-19-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2252-20-0x0000000003620000-0x0000000003A20000-memory.dmp

memory/2252-21-0x0000000003620000-0x0000000003A20000-memory.dmp

memory/2252-22-0x0000000003620000-0x0000000003A20000-memory.dmp

memory/2252-23-0x0000000076E90000-0x0000000077039000-memory.dmp

memory/2252-25-0x0000000003620000-0x0000000003A20000-memory.dmp

memory/2252-26-0x0000000075F30000-0x0000000075F77000-memory.dmp

memory/2736-27-0x00000000000D0000-0x00000000000D9000-memory.dmp

memory/2252-28-0x0000000003620000-0x0000000003A20000-memory.dmp

memory/2736-31-0x0000000001D70000-0x0000000002170000-memory.dmp

memory/2736-30-0x0000000076E90000-0x0000000077039000-memory.dmp

memory/2736-33-0x0000000001D70000-0x0000000002170000-memory.dmp

memory/2736-36-0x0000000076E90000-0x0000000077039000-memory.dmp

memory/2736-35-0x0000000075F30000-0x0000000075F77000-memory.dmp

memory/2736-37-0x0000000001D70000-0x0000000002170000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 16:35

Reported

2024-04-04 16:43

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

sihost.exe

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4940 created 2552 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe

ZGRat

rat zgrat

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4252 set thread context of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4252 wrote to memory of 3224 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4252 wrote to memory of 3048 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4252 wrote to memory of 3856 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4252 wrote to memory of 4940 (11 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4940 wrote to memory of 720 (5 identical events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\SysWOW64\dialer.exe
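The SetThreadContext, WriteProcessMemory and NtCreateUserProcessOtherParentProcess tables in behavioral1 and behavioral2 describe one injection chain, but the report prints them as separate event lists. The Python below is an added example (analyst tooling, not part of the sandbox report or of any vendor code) that parses rows of the report's "PID A <verb> B" shape and derives the chain: which (source, target) pair received both a thread-context change and memory writes (process hollowing), which targets were only written to, and which process made a create-process call naming another PID as its parent. The rows are copied from the two tables above, with repeated WriteProcessMemory rows collapsed to a count. One reading is an inference, not something the report states outright: a "PID A created B" row with Target = Explorer.EXE or sihost.exe is taken to mean that A named B as the parent, since A (RegAsm.exe) cannot have created the pre-existing shell process; the report does not name the child in that row.

```python
"""Reconstruct the injection chain from the behavioral1/behavioral2 signature rows.

Added example; not part of the sandbox report. A "PID A created B" row is
read as: A made a process-creation call naming B as parent (the report does
not name the child). Repeated WriteProcessMemory rows are given as a count.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of|created) (?P<dst>\d+)$"
)

LAUNCHER = r"C:\Users\Admin\AppData\Local\Temp\Launcher4.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
DIALER = r"C:\Windows\SysWOW64\dialer.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
SIHOST = r"C:\Windows\system32\sihost.exe"

# (description, process, target, number of identical rows) copied from the report
BEHAVIORAL1_ROWS = [
    ("PID 2252 created 1336", REGASM, EXPLORER, 1),
    ("PID 2240 set thread context of 2252", LAUNCHER, REGASM, 1),
    ("PID 2240 wrote to memory of 2252", LAUNCHER, REGASM, 14),
    ("PID 2252 wrote to memory of 2736", REGASM, DIALER, 9),
]
BEHAVIORAL2_ROWS = [
    ("PID 4940 created 2552", REGASM, SIHOST, 1),
    ("PID 4252 set thread context of 4940", LAUNCHER, REGASM, 1),
    ("PID 4252 wrote to memory of 3224", LAUNCHER, REGASM, 3),
    ("PID 4252 wrote to memory of 3048", LAUNCHER, REGASM, 3),
    ("PID 4252 wrote to memory of 3856", LAUNCHER, REGASM, 3),
    ("PID 4252 wrote to memory of 4940", LAUNCHER, REGASM, 11),
    ("PID 4940 wrote to memory of 720", REGASM, DIALER, 5),
]


def parse_rows(rows):
    """Yield (src_pid, verb, dst_pid, src_image, dst_image, count) per row."""
    for desc, proc, target, count in rows:
        m = ROW_RE.match(desc)
        if not m:
            raise ValueError(f"unrecognised row: {desc!r}")
        yield int(m["src"]), m["verb"], int(m["dst"]), proc, target, count


def build_chain(rows):
    """Derive hollowing pairs, write-only pairs and parent-spoofing callers."""
    images = {}
    primitives = defaultdict(dict)   # (src, dst) -> {verb: count}
    spoofed_parent = {}              # caller -> pid it named as parent
    for src, verb, dst, src_img, dst_img, count in parse_rows(rows):
        images[src], images[dst] = src_img, dst_img
        if verb == "created":
            spoofed_parent[src] = dst
        else:
            primitives[(src, dst)][verb] = primitives[(src, dst)].get(verb, 0) + count

    # Hollowing: the same source wrote into the target and redirected its thread.
    hollowing = sorted(p for p, v in primitives.items()
                       if "set thread context of" in v and "wrote to memory of" in v)
    # Writes with no thread-context change recorded for that pair.
    write_only = sorted(p for p, v in primitives.items()
                        if "wrote to memory of" in v and "set thread context of" not in v)
    # Processes the spoofing caller itself wrote into.
    staged_by_spoofer = {caller: sorted(dst for (src, dst) in primitives if src == caller)
                         for caller in spoofed_parent}
    return {"images": images, "primitives": dict(primitives), "hollowing": hollowing,
            "write_only": write_only, "spoofed_parent": spoofed_parent,
            "staged_by_spoofer": staged_by_spoofer}


def describe(chain):
    """Human-readable lines for the analyst notes."""
    img = chain["images"]
    out = []
    for src, dst in chain["hollowing"]:
        n = chain["primitives"][(src, dst)]["wrote to memory of"]
        out.append(f"hollowing: {img[src]} ({src}) -> {img[dst]} ({dst}): {n} writes, thread context set")
    for src, dst in chain["write_only"]:
        n = chain["primitives"][(src, dst)]["wrote to memory of"]
        out.append(f"write only: {img[src]} ({src}) -> {img[dst]} ({dst}): {n} writes")
    for caller, parent in chain["spoofed_parent"].items():
        kids = ", ".join(f"{img[k]} ({k})" for k in chain["staged_by_spoofer"][caller]) or "none"
        out.append(f"parent spoofing: {img[caller]} ({caller}) created a process under "
                   f"{img[parent]} ({parent}); it also wrote into: {kids}")
    return out


if __name__ == "__main__":
    for name, rows in (("behavioral1", BEHAVIORAL1_ROWS), ("behavioral2", BEHAVIORAL2_ROWS)):
        print(f"== {name}")
        for line in describe(build_chain(rows)):
            print("  " + line)
```

Run against the two tables, the output shows the same shape in both detonations: Launcher4.exe hollows one RegAsm.exe instance (the only target that gets both writes and a thread-context change), that RegAsm.exe writes into dialer.exe, and the same RegAsm.exe is the process that spoofs its parent. In behavioral2 the three other RegAsm.exe instances (3224, 3048, 3856) are written to but never have their thread context set, which is why they are listed as write-only rather than hollowed; the four RegAsm.exe entries in the behavioral2 Processes list match this.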

Processes

Image | Command line
C:\Windows\system32\sihost.exe | sihost.exe
C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | "C:\Users\Admin\AppData\Local\Temp\Launcher4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4940 -ip 4940
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 640
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4940 -ip 4940
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 660

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp
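Every Domain entry in this table is a reverse-DNS (PTR) query, and in-addr.arpa names list the IPv4 octets in reverse order, so 241.150.49.20.in-addr.arpa is a lookup for 20.49.150.241, not for 241.150.49.20. The Python below is an added example (analyst tooling, not part of the sandbox report) that parses rows in the table's "Country Destination [Domain] Proto" shape, decodes each PTR name back to the address being asked about, and separates the one direct TCP connection from the addresses that were only reverse-resolved. The network rows are copied from the table above; the ip6.arpa branch goes beyond the report (which has no IPv6 queries) and is exercised with a constructed name for 2001:db8::1.

```python
"""Decode the PTR queries in the Network table back to the addresses they ask about.

Added example; not part of the sandbox report. Rows are copied from the
behavioral2 Network table; the IPv6 PTR sample is constructed.
"""
import ipaddress

NETWORK_TABLE = """\
US 138.91.171.81:80 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
"""

# Constructed IPv6 PTR name for 2001:db8::1 (not from the report): 32 reversed nibbles.
SAMPLE_IP6_PTR = ".".join(reversed("20010db8" + "0" * 23 + "1")) + ".ip6.arpa"


def ptr_to_ip(name):
    """Return the address a PTR query name refers to, or None if it is not one."""
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:32]))
            return ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        return None
    return None


def parse_network(table):
    """Split 'Country Destination [Domain] Proto' rows into dicts with decoded PTR targets."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 3:            # direct connection, no domain column
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:          # DNS query with the queried name
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row: {line!r}")
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "dest": ipaddress.ip_address(host), "port": int(port),
                     "domain": domain, "proto": proto,
                     "ptr_target": ptr_to_ip(domain) if domain else None})
    return rows


def summarize(rows):
    """Separate direct connections and resolvers from addresses only looked up via PTR."""
    by_addr = lambda a: (a.version, a)   # keeps mixed v4/v6 sets sortable
    direct = sorted({r["dest"] for r in rows if r["proto"] == "tcp"}, key=by_addr)
    resolvers = sorted({r["dest"] for r in rows if r["port"] == 53}, key=by_addr)
    ptr_targets = sorted({r["ptr_target"] for r in rows if r["ptr_target"] is not None}, key=by_addr)
    return {"direct": [str(a) for a in direct],
            "resolvers": [str(a) for a in resolvers],
            "ptr_targets": [str(a) for a in ptr_targets]}


if __name__ == "__main__":
    s = summarize(parse_network(NETWORK_TABLE))
    print("direct:", s["direct"])
    print("resolvers:", s["resolvers"])
    print("reverse-looked-up:", s["ptr_targets"])
    print("ip6 sample:", ptr_to_ip(SAMPLE_IP6_PTR))
```

The decoded list (20.42.73.27, 20.49.150.241, 20.242.39.171, 40.119.249.228, 40.126.31.71, 40.127.169.103, 52.111.227.13, 52.142.223.178, 104.86.110.202, 104.86.110.218, 199.232.210.172) is what should be checked against the sandbox's own background traffic and against intel feeds; the raw in-addr.arpa strings match nothing. Note that 138.91.171.81 is the only address the sample actually connected to, and there is no forward lookup for it in the table.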

Files

memory/4252-0-0x0000000000120000-0x00000000001A8000-memory.dmp

memory/4252-1-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/4252-2-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/4940-5-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4252-9-0x00000000025B0000-0x00000000045B0000-memory.dmp

memory/4940-8-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4940-11-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4252-12-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/4940-13-0x0000000003790000-0x0000000003B90000-memory.dmp

memory/4940-15-0x0000000003790000-0x0000000003B90000-memory.dmp

memory/4940-14-0x0000000003790000-0x0000000003B90000-memory.dmp

memory/4940-16-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

memory/4940-18-0x0000000003790000-0x0000000003B90000-memory.dmp

memory/4940-19-0x00000000767B0000-0x00000000769C5000-memory.dmp

memory/720-20-0x0000000000510000-0x0000000000519000-memory.dmp

memory/720-23-0x00000000023F0000-0x00000000027F0000-memory.dmp

memory/720-22-0x00000000023F0000-0x00000000027F0000-memory.dmp

memory/720-24-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp

memory/720-25-0x00000000023F0000-0x00000000027F0000-memory.dmp

memory/720-27-0x00000000767B0000-0x00000000769C5000-memory.dmp

memory/720-28-0x00000000023F0000-0x00000000027F0000-memory.dmp

memory/4940-29-0x0000000003790000-0x0000000003B90000-memory.dmp
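The Files lists in behavioral1 and behavioral2 are memory dumps named memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, and the same ranges are dumped repeatedly. The Python below is an added example (analyst tooling, not part of the sandbox report) that parses those names, de-duplicates repeated dumps of one range, and picks out what to open first: the region starting at 0x400000, the default image base of a 32-bit PE, inside the RegAsm.exe instance the signature rows show being written to (in both detonations it is 0x400000-0x46D000, in PID 2252 and PID 4940, so the unpacked image is the same size on Win7 and Win10); ranges dumped at the same address in more than one PID, which within one boot session is characteristic of shared system DLLs rather than payload; and equal-sized private regions in different PIDs, which point to the same buffer being staged in each. The names below are the behavioral2 list; the behavioral1 list has the same format and parses with the same code.

```python
"""Triage the memory-dump names in the Files lists.

Added example; not part of the sandbox report. The names are the behavioral2
Files list copied from the report. The 0x400000 default image base is the
usual location of a hollowed 32-bit image and is flagged as such.
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

BEHAVIORAL2_DUMPS = """\
memory/4252-0-0x0000000000120000-0x00000000001A8000-memory.dmp
memory/4252-1-0x0000000074FC0000-0x0000000075770000-memory.dmp
memory/4252-2-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
memory/4940-5-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4252-9-0x00000000025B0000-0x00000000045B0000-memory.dmp
memory/4940-8-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4940-11-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4252-12-0x0000000074FC0000-0x0000000075770000-memory.dmp
memory/4940-13-0x0000000003790000-0x0000000003B90000-memory.dmp
memory/4940-15-0x0000000003790000-0x0000000003B90000-memory.dmp
memory/4940-14-0x0000000003790000-0x0000000003B90000-memory.dmp
memory/4940-16-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp
memory/4940-18-0x0000000003790000-0x0000000003B90000-memory.dmp
memory/4940-19-0x00000000767B0000-0x00000000769C5000-memory.dmp
memory/720-20-0x0000000000510000-0x0000000000519000-memory.dmp
memory/720-23-0x00000000023F0000-0x00000000027F0000-memory.dmp
memory/720-22-0x00000000023F0000-0x00000000027F0000-memory.dmp
memory/720-24-0x00007FFA9BF30000-0x00007FFA9C125000-memory.dmp
memory/720-25-0x00000000023F0000-0x00000000027F0000-memory.dmp
memory/720-27-0x00000000767B0000-0x00000000769C5000-memory.dmp
memory/720-28-0x00000000023F0000-0x00000000027F0000-memory.dmp
memory/4940-29-0x0000000003790000-0x0000000003B90000-memory.dmp
""".split()


def parse_dumps(names):
    """Return {pid: Counter{(start, end): times that range was dumped}}."""
    regions = defaultdict(Counter)
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"not a dump name: {name!r}")
        regions[int(m["pid"])][(int(m["start"], 16), int(m["end"], 16))] += 1
    return regions


def triage(names, default_image_base=0x400000):
    """Flag image-base regions, ranges shared across PIDs, and same-sized private regions."""
    regions = parse_dumps(names)
    pids_at_range = defaultdict(set)
    for pid, ranges in regions.items():
        for rng in ranges:
            pids_at_range[rng].add(pid)

    image_base = {pid: (s, e, ranges[(s, e)])
                  for pid, ranges in regions.items() for (s, e) in ranges if s == default_image_base}
    shared = {rng: sorted(pids) for rng, pids in pids_at_range.items() if len(pids) > 1}

    # Private regions only: shared DLL mappings would trivially match on size.
    pids_by_private_size = defaultdict(set)
    for pid, ranges in regions.items():
        for (s, e) in ranges:
            if len(pids_at_range[(s, e)]) == 1:
                pids_by_private_size[e - s].add(pid)
    same_size = {size: sorted(p) for size, p in pids_by_private_size.items() if len(p) > 1}
    return {"regions": regions, "image_base": image_base, "shared": shared, "same_size": same_size}


def report(names):
    """One line per finding, for the analyst notes."""
    t = triage(names)
    lines = []
    for pid, (s, e, n) in sorted(t["image_base"].items()):
        lines.append(f"pid {pid}: image-base region 0x{s:X}-0x{e:X} ({e - s:#x} bytes), "
                     f"dumped {n} times; unpack this first")
    for (s, e), pids in sorted(t["shared"].items()):
        lines.append(f"0x{s:X}-0x{e:X} present in pids {pids}: shared mapping, likely a system DLL")
    for size, pids in sorted(t["same_size"].items()):
        lines.append(f"{size:#x}-byte private region in pids {pids}: same-sized staging buffer")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEHAVIORAL2_DUMPS)))
```

On this list the triage yields one image-base region (0x400000-0x46D000 in RegAsm.exe PID 4940, 0x6D000 bytes, dumped three times), two ranges shared between PID 4940 and dialer.exe PID 720 (0x767B0000-0x769C5000 and 0x7FFA9BF30000-0x7FFA9C125000), and one 4 MiB private region present in both of those processes at different addresses. The shared ranges can be skipped; the image-base dump and the two 4 MiB regions are the ones to carry into static analysis.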