zgrat | 30202655ac09c4e87af419d8b461a2195fcc353f6ee7a6816b8075726e3e750b

Resubmissions

19/04/2024, 14:52

240419-r82wmafb32 10

19/04/2024, 14:48

240419-r6mnxsfa59 10

Analysis

max time kernel
30s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dotNET_Reactor/dotNET_Reactor.exe
Size

13.3MB
MD5

bd73df4cf427511993075f7a16e037a5
SHA1

63f116641b0655f53e93d62ae559d510ed5af134
SHA256

fa0a32d408a8df70ec44f3d2374b058f57b86ff49b8068b8c68f8505d3463970
SHA512

49ad63e65e1f6a454778c904727c948969145eb09457105093af463d933413a7d30437051c7ddb8ded0b46d38b2018a1a78c83af582ab6775bef870057a9dfc3
SSDEEP

393216:xfuP82nPJiP63TKZqkoPrSz4rkZD1K1fU:xqPIPgTxkqrV6YN

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/memory/4148-2-0x0000000000EE0000-0x000000000218A000-memory.dmp	family_zgrat_v1
behavioral1/memory/4148-47-0x0000000000EE0000-0x000000000218A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/4148-2-0x0000000000EE0000-0x000000000218A000-memory.dmp	net_reactor
behavioral1/memory/4148-47-0x0000000000EE0000-0x000000000218A000-memory.dmp	net_reactor

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4148	dotNET_Reactor.exe
4148	dotNET_Reactor.exe
4148	dotNET_Reactor.exe
4148	dotNET_Reactor.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4148	dotNET_Reactor.exe

C:\Users\Admin\AppData\Local\Temp\dotNET_Reactor\dotNET_Reactor.exe
"C:\Users\Admin\AppData\Local\Temp\dotNET_Reactor\dotNET_Reactor.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Eziriz\.NET Reactor\reactor.nrcfg

Filesize
130B

MD5
f6f470ab378c9af0cd72ee4d8f36f7a3

SHA1
095cefaa8a7d119fd0a28fe2b7dcbec5379d337b

SHA256
ac3608a4ba2947ef197bc12f6a6dda90e2351a6918524b0cf7b4926d47dcb36c

SHA512
f0d5841b6aa7cba57107432dde1fafb31e1bca327a0a6c57c6ab8a2d606f25019c8edf2a77fbbe435ccc3f61cf72cfd9bd438f82a7f66e381fdf6c9627f5c516

Download Submit
memory/4148-23-0x000000000B8F0000-0x000000000B928000-memory.dmp

Filesize
224KB

Download
memory/4148-24-0x000000000B8B0000-0x000000000B8BE000-memory.dmp

Filesize
56KB

Download
memory/4148-3-0x0000000006980000-0x0000000006990000-memory.dmp

Filesize
64KB

Download
memory/4148-0-0x0000000000EE0000-0x000000000218A000-memory.dmp

Filesize
18.7MB

Download
memory/4148-7-0x0000000006B70000-0x0000000006BD6000-memory.dmp

Filesize
408KB

Download
memory/4148-8-0x00000000079D0000-0x0000000007A62000-memory.dmp

Filesize
584KB

Download
memory/4148-20-0x0000000008330000-0x0000000008338000-memory.dmp

Filesize
32KB

Download
memory/4148-21-0x0000000006980000-0x0000000006990000-memory.dmp

Filesize
64KB

Download
memory/4148-2-0x0000000000EE0000-0x000000000218A000-memory.dmp

Filesize
18.7MB

Download
memory/4148-22-0x0000000006980000-0x0000000006990000-memory.dmp

Filesize
64KB

Download
memory/4148-4-0x0000000007040000-0x00000000075E4000-memory.dmp

Filesize
5.6MB

Download
memory/4148-25-0x000000000C9A0000-0x000000000C9E0000-memory.dmp

Filesize
256KB

Download
memory/4148-1-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/4148-34-0x0000000000EE0000-0x000000000218A000-memory.dmp

Filesize
18.7MB

Download
memory/4148-37-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/4148-41-0x0000000006980000-0x0000000006990000-memory.dmp

Filesize
64KB

Download
memory/4148-42-0x0000000006980000-0x0000000006990000-memory.dmp

Filesize
64KB

Download
memory/4148-47-0x0000000000EE0000-0x000000000218A000-memory.dmp

Filesize
18.7MB

Download
memory/4148-48-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download