zgrat | spoolsv[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

spoolsv.exe
Size

2.6MB
MD5

64ca989319a2e3a3d8219e10626256e0
SHA1

1fff7fade4cf20ac775286bf8f2e478234d31e79
SHA256

d4c4921290d426362eba1674cf73a631c32440d0d89f239ccbd43c8279476fb2
SHA512

26de519f583c5efe63c58e571909b78d3f86de6dc8ffe9096d636c83e0686a1e02a8da6e5398569b38adfa3e3a698fe61bf4fe61d010b503d0a0d492c08f5ed0
SSDEEP

49152:xQ27l6UIODXGllXt45pz2qzRkL27pqBPj7L:xQ/ObG56zXKi1+P

Score

10^/10

zgrat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
sample	family_zgrat_v1

Zgrat family
zgrat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
spoolsv.exe

Files

spoolsv.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ