zgrat | 3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21

General

Target

3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
Size

1.6MB
MD5

8ea200d639611b48b5eec7973c69ed3c
SHA1

a1013b8ee4115f2cba29787eded20e5e6079b3c0
SHA256

3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21
SHA512

53b24b0f2a0e9047e7f672f8c7dada1ac1f6ab15aa6976515dcca8cfc03afa1bd3fbf788475c9b7d5f8617ad70b32a7974f8f2bd77c9f6c79bcd3b30cdd6763e
SSDEEP

24576:PD9R6DRIuUt0HfUXl+L83+uNhK5ewp6Y9Ly2KUVvqBML1dSk/uyEklP8/0:PDilCH3RNhqewp/92zUMBMOSIkl

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/640-0-0x0000000000DA0000-0x0000000000F38000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000016cf0-13.dat	family_zgrat_v1
behavioral1/memory/2616-21-0x0000000000ED0000-0x0000000001068000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
File created	C:\Program Files (x86)\Windows Portable Devices\b75386f1303e64	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\886983d96e3d3e	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\886983d96e3d3e	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
File created	C:\Windows\Downloaded Program Files\csrss.exe	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
Token: SeDebugPrivilege	2616	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2504	640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe	28
PID 640 wrote to memory of 2504	640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe	28
PID 640 wrote to memory of 2504	640	3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe	28
PID 2504 wrote to memory of 2508	2504	cmd.exe	30
PID 2504 wrote to memory of 2508	2504	cmd.exe	30
PID 2504 wrote to memory of 2508	2504	cmd.exe	30
PID 2504 wrote to memory of 2480	2504	cmd.exe	31
PID 2504 wrote to memory of 2480	2504	cmd.exe	31
PID 2504 wrote to memory of 2480	2504	cmd.exe	31
PID 2504 wrote to memory of 2616	2504	cmd.exe	32
PID 2504 wrote to memory of 2616	2504	cmd.exe	32
PID 2504 wrote to memory of 2616	2504	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
"C:\Users\Admin\AppData\Local\Temp\3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rFDRf34iLV.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2508
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe
    "C:\Users\Admin\AppData\Local\Temp\3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
1.6MB

MD5
8ea200d639611b48b5eec7973c69ed3c

SHA1
a1013b8ee4115f2cba29787eded20e5e6079b3c0

SHA256
3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21

SHA512
53b24b0f2a0e9047e7f672f8c7dada1ac1f6ab15aa6976515dcca8cfc03afa1bd3fbf788475c9b7d5f8617ad70b32a7974f8f2bd77c9f6c79bcd3b30cdd6763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rFDRf34iLV.bat

Filesize
278B

MD5
9cb5c9f43a45e0aa7bf04ad56e554161

SHA1
8e6ccee41c892ec63f1db7845ebd3acfe19c73d4

SHA256
91f80a00c88262638039091e28810813e9405cdcf83b6c58c38123bed6faf538

SHA512
f7bbb3969743099141afc00fc9ea356b8145ff9aa8348b4042f16136f279d846db3959612cd88ed47b86660d29749e7c261437f7d98eb69aeb7ff37452e67cba

Download Submit
memory/640-0-0x0000000000DA0000-0x0000000000F38000-memory.dmp

Filesize
1.6MB

Download
memory/640-1-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/640-2-0x000000001AA30000-0x000000001AAB0000-memory.dmp

Filesize
512KB

Download
memory/640-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/640-20-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-22-0x000007FEF51B0000-0x000007FEF5B9C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-21-0x0000000000ED0000-0x0000000001068000-memory.dmp

Filesize
1.6MB

Download
memory/2616-24-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2616-23-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/2616-26-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/2616-25-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/2616-27-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/2616-29-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/2616-28-0x000007FEF51B0000-0x000007FEF5B9C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-30-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/2616-31-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing