zgrat | d3fdc737b6c67b92e239b72492106972d4d599fb0b6aa83e0b5de1cba771c3ad | Triage

Submit
Reports

Overview

overview

Static

static

05488f673f...83.exe

windows7-x64

05488f673f...83.exe

windows10-2004-x64

Sharing

General

Target

05488f673ffd2063badad75aaa0f7d83.exe
Size

3.5MB
Sample

240420-d5xwlsgb7t
MD5

05488f673ffd2063badad75aaa0f7d83
SHA1

15d293a62da1a91cd85fa617c49ec37457ed5c2b
SHA256

d3fdc737b6c67b92e239b72492106972d4d599fb0b6aa83e0b5de1cba771c3ad
SHA512

37708b31c9228394b92478f5faded17cdf1f5f21e01cb7bacc4eb9120e125f9edd49a7c7bfa0599e796eabe3678049c1ecade6b3f2ed313df8ceb251fa0715ee
SSDEEP

49152:d1ulnlc/xDeUV383YfuoZpLuqBtk1EjPj4xyJ+JgM2wKwK4CiQvCyBQU00:d1ul2pSnYWoTyqI6E4AKuBKjJQUz

Score

10^/10

zgrat persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

05488f673ffd2063badad75aaa0f7d83.exe

Resource

win7-20231129-en

zgrat persistence rat

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

05488f673ffd2063badad75aaa0f7d83.exe

Resource

win10v2004-20240412-en

zgrat persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  05488f673ffd2063badad75aaa0f7d83.exe
- Size
  
  3.5MB
- MD5
  
  05488f673ffd2063badad75aaa0f7d83
- SHA1
  
  15d293a62da1a91cd85fa617c49ec37457ed5c2b
- SHA256
  
  d3fdc737b6c67b92e239b72492106972d4d599fb0b6aa83e0b5de1cba771c3ad
- SHA512
  
  37708b31c9228394b92478f5faded17cdf1f5f21e01cb7bacc4eb9120e125f9edd49a7c7bfa0599e796eabe3678049c1ecade6b3f2ed313df8ceb251fa0715ee
- SSDEEP
  
  49152:d1ulnlc/xDeUV383YfuoZpLuqBtk1EjPj4xyJ+JgM2wKwK4CiQvCyBQU00:d1ul2pSnYWoTyqI6E4AKuBKjJQUz
Score

10^/10

zgrat persistence rat
- Detect ZGRat V1
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

zgratpersistencerat

behavioral2

zgratpersistencerat

© 2018-2024

Terms | Privacy