zgrat | 6e61d2a623aae93014a16735e2baadc7c69abbff4330292bc5b957148f0eb995

General

Target

fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe
Size

9.8MB
MD5

946f9875958c6ff0a4ccbcc8717068a0
SHA1

229484accad0a2f744b0f7c857b12de1c2896f38
SHA256

fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a
SHA512

5171ade7f004baf4c59da167eb9357e97744eb34e012bf6a2baa5c411488f56a011019cf53b994e26f18c92ebfbf66184779d9908e7bd35afd44132188466ada
SSDEEP

196608:VFg/KSH4rynHHiJrWnfossDb9NfwSdcvTP5AUewGUeF1w:VK/ZH4OniJrcOfwSdcv1A02w

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2228-1-0x0000000000D20000-0x00000000016EE000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat	fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	SysInitVal.exe

Loads dropped DLL 9 IoCs

pid	Process
2600	cmd.exe
2680	SysInitVal.exe
2680	SysInitVal.exe
2680	SysInitVal.exe
2680	SysInitVal.exe
2680	SysInitVal.exe
2680	SysInitVal.exe
2680	SysInitVal.exe
2680	SysInitVal.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	SysInitVal.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2600	2228	fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe	28
PID 2228 wrote to memory of 2600	2228	fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe	28
PID 2228 wrote to memory of 2600	2228	fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe	28
PID 2228 wrote to memory of 2600	2228	fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe	28
PID 2600 wrote to memory of 2680	2600	cmd.exe	30
PID 2600 wrote to memory of 2680	2600	cmd.exe	30
PID 2600 wrote to memory of 2680	2600	cmd.exe	30
PID 2600 wrote to memory of 2680	2600	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe
"C:\Users\Admin\AppData\Local\Temp\fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C start C:\Users\Public\Release\SysInitVal.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Public\Release\SysInitVal.exe
    C:\Users\Public\Release\SysInitVal.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Release\MySql.Data.dll

Filesize
1.4MB

MD5
a74256b68260055729cdd9f6d433b415

SHA1
701496a7079b97b0c83dfaf507192ff0667a2a9b

SHA256
d9e7ab5caf93bd457cda27ed1d80286f3f3608a9cbf9268d2fb6e140fdf12f34

SHA512
a31ae75f5c260b8a6c09c532ba4d03dbfc23bd3be1ec1b4ac786b73dbfb2096a9b566d06312e41a38727ed24a9233d0de24fae7016180cae32acd01fc8d8c4ea

Download Submit
C:\Users\Public\Release\SysInitVal.exe

Filesize
28KB

MD5
fa4c682cbc8333cc045650b307e2cd63

SHA1
5431ee0769349e94534121afca8d0e58c6450631

SHA256
a244e538ea0b6e2a2bfc01cf8991e4a1e5a55b3cda7c48d309ee15c026c1fc24

SHA512
8819b61a86f0603fb82860618d58594bc607093c550d4bc5ab02d3b1d30e5b116a31307f53175731058f1b8ed583f0df1a34a07c123c2f9049e617d076167b6a

Download Submit
C:\Users\Public\Release\SysInitVal.exe.config

Filesize
2KB

MD5
cb2b2c25a6efc8c10164aaa77148efda

SHA1
cc4284f4d485cc0f40b787125ae131447d82d2fc

SHA256
6e759f77ebb07aa3646743769c49f91572441ee6e9c6e26514a664feaf0fe00e

SHA512
9ee774ed948d02976242bbc839daba30a3719cbeb4fd7fa284f3769ca9b549c8ed1c19d7126b0f47739da14b8931e298a4ee59684c4cdc948a65887817084af9

Download Submit
C:\Users\Public\Release\SysInitVal.pdb

Filesize
51KB

MD5
9f087c3757ea5c64e0a30fe07d7f3edc

SHA1
3326279f827a99d93ccc8dc3db573adb10a05612

SHA256
00e1686201e50ccaf8c42cb0879fbd00a43aa94306589406f2ad5a508c8b4e6d

SHA512
5ce566a1101fb5cae5870dfd93f566a29810b4aa96d189aaa86c09cfdf84af378d138b7e9fb64b0222c06aa5815d04ccfe9b10871a0c8cfaeab9583dbd7f691c

Download Submit
C:\Users\Public\Release\WebDriver.dll

Filesize
8.5MB

MD5
7271f7ec23174fd688b8f5afd183ce18

SHA1
4e8ababdf1f7d423fa93597811abea2eb763f836

SHA256
f7291844c409b4622f324072353497120a6b12ec7c9c2d82edfa3c5048f8fc8e

SHA512
3d66cb0e04d7d5c53fc414302bded0f6505f052f625722f4f735b9ae3b9b556fadf18318117bc2ca4cb0f2d783ca4308be2c5df503811ce0bc066c91d6b53d23

Download Submit
memory/2228-65-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-0-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-3-0x0000000008910000-0x00000000092B2000-memory.dmp

Filesize
9.6MB

Download
memory/2228-2-0x0000000000A30000-0x0000000000A70000-memory.dmp

Filesize
256KB

Download
memory/2228-1-0x0000000000D20000-0x00000000016EE000-memory.dmp

Filesize
9.8MB

Download
memory/2680-71-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-70-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/2680-72-0x0000000000B60000-0x0000000000BA0000-memory.dmp

Filesize
256KB

Download
memory/2680-76-0x00000000051F0000-0x0000000005A7A000-memory.dmp

Filesize
8.5MB

Download
memory/2680-80-0x0000000005D20000-0x0000000005E86000-memory.dmp

Filesize
1.4MB

Download
memory/2680-86-0x0000000000B60000-0x0000000000BA0000-memory.dmp

Filesize
256KB

Download
memory/2680-87-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing