zgrat | ad47993928727bd24355a2be4f3ab00709e89e2c0cf01c9e865265b26ea5880d | Triage

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 15:18

Sharing

Report Analysis Logs

General

Target

Software.exe
Size

1.2MB
MD5

4c61e48f683dd00cb21cfcdadf915ad5
SHA1

013413299ceb4692a075cfc12802034e091beeb8
SHA256

ad47993928727bd24355a2be4f3ab00709e89e2c0cf01c9e865265b26ea5880d
SHA512

032ae6ebe49cca8d397c19ab902557c3f75d57a9dfb6f605a582e004fc3492607b4b162961bc0aa8a30673b8f2487e7acb0499e4a3e6d5b3b1bf7a29d4157cdb
SSDEEP

24576:lB2ZHXSQdong2RZo8589viImLAxEyfIeXsV:Pcrong2RZo85803jA7sV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3000-0-0x0000000000AF0000-0x0000000000C19000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2352 3000 WerFault.exe Software.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Software.exe

description	pid	process	target process
PID 3000 wrote to memory of 2352	3000	Software.exe	WerFault.exe
PID 3000 wrote to memory of 2352	3000	Software.exe	WerFault.exe
PID 3000 wrote to memory of 2352	3000	Software.exe	WerFault.exe
PID 3000 wrote to memory of 2352	3000	Software.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Software.exe
"C:\Users\Admin\AppData\Local\Temp\Software.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 116
2⤵
- Program crash
PID:2352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3000-0-0x0000000000AF0000-0x0000000000C19000-memory.dmp

Filesize
1.2MB

Download