zgrat | 5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b

General

Target

5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe
Size

180KB
MD5

f333f0a16c7bb7129e6659e145525be6
SHA1

e6d057c501381d3604e24d73edc81254ddf7bbb1
SHA256

5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b
SHA512

34b31dffdbb53cf90efaf00847777ced46b888825bffc882ecf694def7203d7a3656cde1cb2279b84200afca42f1de2ab8b0c7c8c367c18fe796a146ddb61b33
SSDEEP

3072:ZJgCU1m6NcbkgbpA9QPqym0Mxqwg0QSNU6Ji3G8uNLt9N18Y+ECc:Zuz1pNc8WGQwgVSri3G8uP9N/+

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral2/memory/908-3-0x00000230CBD10000-0x00000230CBFC8000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-4-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-5-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-7-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-9-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-11-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-13-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-15-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-17-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-19-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-21-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-23-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-25-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-27-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-29-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-31-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-33-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-35-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-37-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-39-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-41-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-43-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-45-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-47-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-49-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-51-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-53-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-55-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-57-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-59-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-61-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-63-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-65-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/908-67-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp	family_zgrat_v1
behavioral2/memory/4832-4897-0x000002AEB0E20000-0x000002AEB0F06000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

Type.exe

pid process

1420 Type.exe

pid	process
1420	Type.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe

description	pid	process	target process
PID 908 set thread context of 4832	908	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

956 powershell.exe
956 powershell.exe

pid	process
956	powershell.exe
956	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exepowershell.exeType.exe

description	pid	process
Token: SeDebugPrivilege	908	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe
Token: SeDebugPrivilege	908	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe
Token: SeDebugPrivilege	4832	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1420	Type.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe

description	pid	process	target process
PID 908 wrote to memory of 4832	908	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe
PID 908 wrote to memory of 4832	908	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe
PID 908 wrote to memory of 4832	908	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe
PID 908 wrote to memory of 4832	908	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe
PID 908 wrote to memory of 4832	908	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe
PID 908 wrote to memory of 4832	908	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe	5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe
"C:\Users\Admin\AppData\Local\Temp\5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe
"C:\Users\Admin\AppData\Local\Temp\5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVAB5AHAAZQAuAGUAeABlADsA
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Users\Admin\AppData\Local\BaseType\nilkgdzx\Type.exe
C:\Users\Admin\AppData\Local\BaseType\nilkgdzx\Type.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BaseType\nilkgdzx\Type.exe
Filesize
180KB

MD5
f333f0a16c7bb7129e6659e145525be6

SHA1
e6d057c501381d3604e24d73edc81254ddf7bbb1

SHA256
5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b

SHA512
34b31dffdbb53cf90efaf00847777ced46b888825bffc882ecf694def7203d7a3656cde1cb2279b84200afca42f1de2ab8b0c7c8c367c18fe796a146ddb61b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5bca86ec4ed35175dd33db2943f1fc7839ae3565229fc5fd9227bbd9f0aa637b.exe.log
Filesize
1KB

MD5
b78f0793c3ef1d417e56d34b656b40bb

SHA1
4a622f8022516098cb5aae35a5953bde039111a7

SHA256
67090a383e35cf075d5c0f0c1d78c4e4b805de6aa951b5d4dd01fd9ae8ccdcfb

SHA512
ab3fb91602bd6f070d9b060da4a26d01869e9b23e319db9164d2e251b2c47db690da0f832e69a45c03bc99919942ef516a0b157cfa0aaea84e64b1e90ae5b933

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sqwhxyze.m52.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/908-53-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-59-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-4-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-5-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-57-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-9-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-11-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-13-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-15-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-17-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-19-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-21-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-23-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-25-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-27-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-29-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-31-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-33-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-35-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-37-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-39-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-41-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-43-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-45-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-47-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-49-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-51-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-2-0x00000230B33C0000-0x00000230B33D0000-memory.dmp

Filesize
64KB

Download
memory/908-55-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-7-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-3-0x00000230CBD10000-0x00000230CBFC8000-memory.dmp

Filesize
2.7MB

Download
memory/908-61-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-63-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-65-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-67-0x00000230CBD10000-0x00000230CBFC2000-memory.dmp

Filesize
2.7MB

Download
memory/908-535-0x00007FF803360000-0x00007FF803E21000-memory.dmp

Filesize
10.8MB

Download
memory/908-1112-0x00000230B33C0000-0x00000230B33D0000-memory.dmp

Filesize
64KB

Download
memory/908-4886-0x00000230B1A20000-0x00000230B1A21000-memory.dmp

Filesize
4KB

Download
memory/908-4887-0x00000230CBFD0000-0x00000230CC0C4000-memory.dmp

Filesize
976KB

Download
memory/908-4888-0x00000230CC0C0000-0x00000230CC10C000-memory.dmp

Filesize
304KB

Download
memory/908-4889-0x00000230CC110000-0x00000230CC164000-memory.dmp

Filesize
336KB

Download
memory/908-4894-0x00007FF803360000-0x00007FF803E21000-memory.dmp

Filesize
10.8MB

Download
memory/908-0-0x00000230B1620000-0x00000230B164E000-memory.dmp

Filesize
184KB

Download
memory/908-1-0x00007FF803360000-0x00007FF803E21000-memory.dmp

Filesize
10.8MB

Download
memory/956-7133-0x00007FF803360000-0x00007FF803E21000-memory.dmp

Filesize
10.8MB

Download
memory/956-7118-0x00007FF803360000-0x00007FF803E21000-memory.dmp

Filesize
10.8MB

Download
memory/956-7119-0x000001CFDF4A0000-0x000001CFDF4B0000-memory.dmp

Filesize
64KB

Download
memory/956-7122-0x000001CFDF400000-0x000001CFDF422000-memory.dmp

Filesize
136KB

Download
memory/956-7120-0x000001CFDF4A0000-0x000001CFDF4B0000-memory.dmp

Filesize
64KB

Download
memory/1420-7139-0x000001F17B400000-0x000001F17B410000-memory.dmp

Filesize
64KB

Download
memory/1420-7136-0x00007FF8030A0000-0x00007FF803B61000-memory.dmp

Filesize
10.8MB

Download
memory/1420-7138-0x00007FF8030A0000-0x00007FF803B61000-memory.dmp

Filesize
10.8MB

Download
memory/1420-7137-0x000001F17B400000-0x000001F17B410000-memory.dmp

Filesize
64KB

Download
memory/4832-4895-0x00007FF803360000-0x00007FF803E21000-memory.dmp

Filesize
10.8MB

Download
memory/4832-4896-0x000002AEB0FC0000-0x000002AEB0FD0000-memory.dmp

Filesize
64KB

Download
memory/4832-4893-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4832-4897-0x000002AEB0E20000-0x000002AEB0F06000-memory.dmp

Filesize
920KB

Download
memory/4832-7114-0x000002AE986A0000-0x000002AE986A8000-memory.dmp

Filesize
32KB

Download
memory/4832-7115-0x000002AEB0F10000-0x000002AEB0F66000-memory.dmp

Filesize
344KB

Download
memory/4832-7117-0x00007FF803360000-0x00007FF803E21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads