zgrat | 432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

General

Target

tmp.exe
Size

5.3MB
MD5

de08b70c1b36bce2c90a34b9e5e61f09
SHA1

1628635f073c61ad744d406a16d46dfac871c9c2
SHA256

432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67
SHA512

18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5
SSDEEP

98304:/+p+LLypykV4RJGIfsv7RynHr/x1leOzcv0nbzKIKFStIJ:/+pMLCYJ/svlUr/x1vzcvib+Ir

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2328-2-0x0000000004FE0000-0x0000000005490000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-3-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-4-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-10-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-8-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-6-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-12-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-14-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-16-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-18-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-20-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-22-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-24-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-26-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-28-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-30-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-32-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-34-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-36-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-38-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-40-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-42-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-44-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-46-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-48-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-50-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-52-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-54-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-58-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-56-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-60-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-62-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-64-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-66-0x0000000004FE0000-0x000000000548B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3068-4898-0x0000000004FB0000-0x0000000005268000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

BLHisbnd.exe

pid process

3068 BLHisbnd.exe
Loads dropped DLL 1 IoCs

Processes:

tmp.exe

pid process

2328 tmp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 2328 set thread context of 540 2328 tmp.exe tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1648 540 WerFault.exe tmp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tmp.exeBLHisbnd.exe

description pid process

Token: SeDebugPrivilege 2328 tmp.exe
Token: SeDebugPrivilege 2328 tmp.exe
Token: SeDebugPrivilege 3068 BLHisbnd.exe

pid	process
3068	BLHisbnd.exe

pid	process
2328	tmp.exe

description	pid	process	target process
PID 2328 set thread context of 540	2328	tmp.exe	tmp.exe

pid	pid_target	process	target process
1648	540	WerFault.exe	tmp.exe

description	pid	process
Token: SeDebugPrivilege	2328	tmp.exe
Token: SeDebugPrivilege	2328	tmp.exe
Token: SeDebugPrivilege	3068	BLHisbnd.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

tmp.exetmp.exe

description	pid	process	target process
PID 2328 wrote to memory of 3068	2328	tmp.exe	BLHisbnd.exe
PID 2328 wrote to memory of 3068	2328	tmp.exe	BLHisbnd.exe
PID 2328 wrote to memory of 3068	2328	tmp.exe	BLHisbnd.exe
PID 2328 wrote to memory of 3068	2328	tmp.exe	BLHisbnd.exe
PID 2328 wrote to memory of 540	2328	tmp.exe	tmp.exe
PID 2328 wrote to memory of 540	2328	tmp.exe	tmp.exe
PID 2328 wrote to memory of 540	2328	tmp.exe	tmp.exe
PID 2328 wrote to memory of 540	2328	tmp.exe	tmp.exe
PID 2328 wrote to memory of 540	2328	tmp.exe	tmp.exe
PID 2328 wrote to memory of 540	2328	tmp.exe	tmp.exe
PID 2328 wrote to memory of 540	2328	tmp.exe	tmp.exe
PID 2328 wrote to memory of 540	2328	tmp.exe	tmp.exe
PID 2328 wrote to memory of 540	2328	tmp.exe	tmp.exe
PID 2328 wrote to memory of 540	2328	tmp.exe	tmp.exe
PID 2328 wrote to memory of 540	2328	tmp.exe	tmp.exe
PID 540 wrote to memory of 1648	540	tmp.exe	WerFault.exe
PID 540 wrote to memory of 1648	540	tmp.exe	WerFault.exe
PID 540 wrote to memory of 1648	540	tmp.exe	WerFault.exe
PID 540 wrote to memory of 1648	540	tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
"C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 124
3⤵
- Program crash
PID:1648

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
Filesize
3.4MB

MD5
e13e6f7986b9d1eff55fe30133592c40

SHA1
8299d50b76990e9dc7e0a8cc67e2f4d44cb810f5

SHA256
407e9094206a37707a368f4cd0103269c50b8c0c03edba87b4f20664d259f207

SHA512
bb41209d410ff38c01279d119f646658e363a3055a4f152b6a2c76b9cdb1fb42441b243fa8f7fb7a353a1b0e78c619e499274185f40d8592e43551da46bd97a6

Download Submit
memory/2328-40-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-4929-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2328-3-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-4-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-10-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-8-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-6-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-12-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-14-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-16-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-18-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-20-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-22-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-24-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-26-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-28-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-42-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-32-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-34-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-36-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-38-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-1-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2328-46-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-2-0x0000000004FE0000-0x0000000005490000-memory.dmp

Filesize
4.7MB

Download
memory/2328-30-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-48-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-50-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-52-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-54-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-58-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-56-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-60-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-62-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-64-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-66-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/2328-4883-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/2328-4884-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2328-4885-0x0000000007040000-0x000000000732C000-memory.dmp

Filesize
2.9MB

Download
memory/2328-4886-0x00000000023E0000-0x000000000242C000-memory.dmp

Filesize
304KB

Download
memory/2328-0-0x0000000000850000-0x0000000000DAA000-memory.dmp

Filesize
5.4MB

Download
memory/2328-4895-0x0000000004850000-0x00000000048A4000-memory.dmp

Filesize
336KB

Download
memory/2328-44-0x0000000004FE0000-0x000000000548B000-memory.dmp

Filesize
4.7MB

Download
memory/3068-4894-0x0000000000C40000-0x0000000000FA0000-memory.dmp

Filesize
3.4MB

Download
memory/3068-4898-0x0000000004FB0000-0x0000000005268000-memory.dmp

Filesize
2.7MB

Download
memory/3068-4896-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/3068-4932-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing