zgrat | 6b78c62c1c53510e8d64d9ac0cd8735082b47df581de598c17fe4380af5cab0e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

katana-without-pins.exe
Size

5.4MB
MD5

d9fea5b1727c4c4c213b49fcd361ea45
SHA1

ac7e6c624d6bf41d8f858c9f55f12d8f62846839
SHA256

6b78c62c1c53510e8d64d9ac0cd8735082b47df581de598c17fe4380af5cab0e
SHA512

15e7ba378545f9e03f0ab8997c37f00ec4412f9221d0b4e632e97d9ece36c35a812b3c69468ff530167bfa8c52a6f77644f2ea9ee11335d5a642cb2f7aa82c7c
SSDEEP

49152:2cvR8Vj06p0/XhR/UlUz5o2sS7oDK+HWwOa+1EbKG7BhdGaGDYqsuocCo:BMWwkEbKG7BhYvDY2oT

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4728-0-0x000001F0F4DA0000-0x000001F0F5302000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

katana-without-pins.exe

pid	process
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe
4728	katana-without-pins.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

katana-without-pins.exe

description pid process

Token: SeDebugPrivilege 4728 katana-without-pins.exe

description	pid	process
Token: SeDebugPrivilege	4728	katana-without-pins.exe

C:\Users\Admin\AppData\Local\Temp\katana-without-pins.exe
"C:\Users\Admin\AppData\Local\Temp\katana-without-pins.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4728-0-0x000001F0F4DA0000-0x000001F0F5302000-memory.dmp

Filesize
5.4MB

Download
memory/4728-1-0x00007FFECBF80000-0x00007FFECCA41000-memory.dmp

Filesize
10.8MB

Download
memory/4728-2-0x000001F0F56B0000-0x000001F0F56C2000-memory.dmp

Filesize
72KB

Download
memory/4728-3-0x000001F0F5790000-0x000001F0F57A0000-memory.dmp

Filesize
64KB

Download
memory/4728-4-0x000001F099030000-0x000001F099190000-memory.dmp

Filesize
1.4MB

Download
memory/4728-5-0x000001F0F5790000-0x000001F0F57A0000-memory.dmp

Filesize
64KB

Download
memory/4728-6-0x000001F0F5790000-0x000001F0F57A0000-memory.dmp

Filesize
64KB

Download
memory/4728-7-0x00007FFECBF80000-0x00007FFECCA41000-memory.dmp

Filesize
10.8MB

Download
memory/4728-8-0x000001F0F5790000-0x000001F0F57A0000-memory.dmp

Filesize
64KB

Download
memory/4728-9-0x000001F0F5790000-0x000001F0F57A0000-memory.dmp

Filesize
64KB

Download
memory/4728-10-0x000001F0F5790000-0x000001F0F57A0000-memory.dmp

Filesize
64KB

Download
memory/4728-11-0x000001F0F5790000-0x000001F0F57A0000-memory.dmp

Filesize
64KB

Download
memory/4728-12-0x000001F0F5790000-0x000001F0F57A0000-memory.dmp

Filesize
64KB

Download