zgrat | 37d22bf567962bb14412f2034d9e9338feb599fe214a59d73cb47929e0de9957

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe
Size

451KB
MD5

b2b60c50903a73efffcb4e33ce49238f
SHA1

9b6f27fc410748ae1570978d7a6aba95a1041eea
SHA256

29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1
SHA512

2c66a1615de77157f57c662de2e3ec97deb8cb6aadc0a03ff0acc3b269affd5ae0d50dfef85939ca9c1a8c6d47ff915061157e7da92dc286cb6ddd9b06a88126
SSDEEP

6144:dI6go9vB3SD75MlCe8KihsZC2uLrfA1v6OvNMpP/Ao+gK:dtgKdSv5M41KkK4LzgyoNMpP/Ao+

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/memory/1708-0-0x0000000000BD0000-0x0000000000C48000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-2-0x0000000004A90000-0x0000000004AD0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2004	1948	WerFault.exe	29

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1708 wrote to memory of 1948	1708	29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe	29
PID 1948 wrote to memory of 2004	1948	RegAsm.exe	30
PID 1948 wrote to memory of 2004	1948	RegAsm.exe	30
PID 1948 wrote to memory of 2004	1948	RegAsm.exe	30
PID 1948 wrote to memory of 2004	1948	RegAsm.exe	30

C:\Users\Admin\AppData\Local\Temp\29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe
"C:\Users\Admin\AppData\Local\Temp\29d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 256
    3⤵
    - Program crash
    PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-0-0x0000000000BD0000-0x0000000000C48000-memory.dmp

Filesize
480KB

Download
memory/1708-1-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/1708-2-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/1708-6-0x0000000002260000-0x0000000004260000-memory.dmp

Filesize
32.0MB

Download
memory/1708-19-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/1948-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1948-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1948-11-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1948-18-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1948-10-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1948-8-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1948-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1948-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1948-20-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads