zgrat | fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e

General

Target

1925339cab9e6a65f43c5f04321156e2.exe
Size

1.7MB
MD5

1925339cab9e6a65f43c5f04321156e2
SHA1

16fc99e39d5dd91b915da5ffb969f56597d54c06
SHA256

fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e
SHA512

36e3a20e9024183ee87a2885d883da5f8ded3f9d5b78aa3ce3fb6b21a86b8ff3af88229e77a15ee68f3df6c5e140f6e83e9558a00fc0d9dc49bd36c77b997816
SSDEEP

49152:IBJ+5XdfyLwy6z4OTWtr4dOJ6taJlZHnfi0pu:yA7iXg4aWF4wko1Hfi04

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
\portintosvc\driverInto.exe	family_zgrat_v1
behavioral1/memory/2840-13-0x0000000000170000-0x000000000034E000-memory.dmp	family_zgrat_v1
behavioral1/memory/2080-72-0x0000000000D80000-0x0000000000F5E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 2 IoCs

Processes:

driverInto.exedriverInto.exe

pid process

2840 driverInto.exe
2080 driverInto.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2644 cmd.exe
2644 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipinfo.io
5 ipinfo.io
12 ipinfo.io

pid	process
2644	cmd.exe
2644	cmd.exe

flow	ioc
4	ipinfo.io
5	ipinfo.io
12	ipinfo.io

Drops file in Program Files directory 4 IoCs

Processes:

driverInto.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\11aaa3d75384f9	driverInto.exe
File created	C:\Program Files\Mozilla Firefox\services.exe	driverInto.exe
File created	C:\Program Files\Mozilla Firefox\c5b4cb5e9653cc	driverInto.exe
File created	C:\Program Files\Windows Sidebar\driverInto.exe	driverInto.exe

Drops file in Windows directory 2 IoCs

Processes:

driverInto.exe

description ioc process

File created C:\Windows\ehome\ja-JP\csrss.exe driverInto.exe
File created C:\Windows\ehome\ja-JP\886983d96e3d3e driverInto.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\ehome\ja-JP\csrss.exe	driverInto.exe
File created	C:\Windows\ehome\ja-JP\886983d96e3d3e	driverInto.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

driverInto.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	driverInto.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	driverInto.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

driverInto.exe

pid	process
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe
2840	driverInto.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

driverInto.exe

pid process

2080 driverInto.exe

pid	process
2080	driverInto.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

driverInto.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedriverInto.exe

description	pid	process
Token: SeDebugPrivilege	2840	driverInto.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2080	driverInto.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

1925339cab9e6a65f43c5f04321156e2.exeWScript.execmd.exedriverInto.execmd.exe

description	pid	process	target process
PID 2936 wrote to memory of 2172	2936	1925339cab9e6a65f43c5f04321156e2.exe	WScript.exe
PID 2936 wrote to memory of 2172	2936	1925339cab9e6a65f43c5f04321156e2.exe	WScript.exe
PID 2936 wrote to memory of 2172	2936	1925339cab9e6a65f43c5f04321156e2.exe	WScript.exe
PID 2936 wrote to memory of 2172	2936	1925339cab9e6a65f43c5f04321156e2.exe	WScript.exe
PID 2172 wrote to memory of 2644	2172	WScript.exe	cmd.exe
PID 2172 wrote to memory of 2644	2172	WScript.exe	cmd.exe
PID 2172 wrote to memory of 2644	2172	WScript.exe	cmd.exe
PID 2172 wrote to memory of 2644	2172	WScript.exe	cmd.exe
PID 2644 wrote to memory of 2840	2644	cmd.exe	driverInto.exe
PID 2644 wrote to memory of 2840	2644	cmd.exe	driverInto.exe
PID 2644 wrote to memory of 2840	2644	cmd.exe	driverInto.exe
PID 2644 wrote to memory of 2840	2644	cmd.exe	driverInto.exe
PID 2840 wrote to memory of 2568	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2568	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2568	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2380	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2380	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2380	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2908	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2908	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2908	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2904	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2904	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2904	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2152	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2152	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2152	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2196	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2196	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2196	2840	driverInto.exe	powershell.exe
PID 2840 wrote to memory of 2760	2840	driverInto.exe	cmd.exe
PID 2840 wrote to memory of 2760	2840	driverInto.exe	cmd.exe
PID 2840 wrote to memory of 2760	2840	driverInto.exe	cmd.exe
PID 2760 wrote to memory of 2164	2760	cmd.exe	chcp.com
PID 2760 wrote to memory of 2164	2760	cmd.exe	chcp.com
PID 2760 wrote to memory of 2164	2760	cmd.exe	chcp.com
PID 2760 wrote to memory of 1056	2760	cmd.exe	w32tm.exe
PID 2760 wrote to memory of 1056	2760	cmd.exe	w32tm.exe
PID 2760 wrote to memory of 1056	2760	cmd.exe	w32tm.exe
PID 2760 wrote to memory of 2080	2760	cmd.exe	driverInto.exe
PID 2760 wrote to memory of 2080	2760	cmd.exe	driverInto.exe
PID 2760 wrote to memory of 2080	2760	cmd.exe	driverInto.exe

C:\Users\Admin\AppData\Local\Temp\1925339cab9e6a65f43c5f04321156e2.exe
"C:\Users\Admin\AppData\Local\Temp\1925339cab9e6a65f43c5f04321156e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644

C:\portintosvc\driverInto.exe
"C:\portintosvc/driverInto.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\ja-JP\csrss.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\services.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\taskhost.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\driverInto.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7qA0KuqU4f.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2164

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1056

C:\portintosvc\driverInto.exe
"C:\portintosvc\driverInto.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7qA0KuqU4f.bat

Filesize
205B

MD5
1e7b8439c7e3d2754a9fd2b1407415e0

SHA1
6de0a3f7bd9667ae0b230f2543bf6ea80699aa24

SHA256
ff2f2448218edb744b39a5cbd102e11959df1cf78fea5d3afb8d0a12f659488b

SHA512
54ca100c0ec30f2475afde17e43758407106bf9efa576c25a56cf8acca64559682f2291a344b6aa96b694ffb003fbc89055b158267edf05bf771629a6185f8a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2671a006c5420cfeb9758f7b80a7ae0c

SHA1
fc79df4db0f5f47ce3e8a2a87ea231b0a4c9f3bf

SHA256
2eb38c0aea32173019b50421fe1cfc7861539ab478e8f690a670871aa4e95e83

SHA512
548208ebb3477af9c9ab35e7e782f33d83855d6c2ca77eb24f5f1ca3a771c7af68bf17207fffabb12e5480ce6014ac600ac90b5b65a96bf3588bd2a86db9676c

Download Submit
C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat

Filesize
93B

MD5
0be982804b016289cb81417601b9eb58

SHA1
afe7c33411a4287b61a9a44ea5c385a37dd9da3c

SHA256
bac34dff1783ef418218d2ea5eb4a26f90ac684aa170f0ce4ed53a4fcc670e86

SHA512
bbc734d9608859dda9719d2416b1a25c777caa94bc91214a5130c032ebb82fd08e41109b153ce03e71969043bb0de184c28974820575fe94261448436d34cd77

Download Submit
C:\portintosvc\X5ZTZfC.vbe

Filesize
227B

MD5
808f7be1b688dfe0b79177049d1e221c

SHA1
7a5230e286a0e1cf1bbffc00d835d020ccb3962f

SHA256
3c418f6b30335a6dc3b70240951db4156ab448316cc75fa07ef593e16d9c2da0

SHA512
a6d8e8c559f53dede4609b96c99e124605e7c5c20bfd715785d6e9399dab6ba0ffaf360f0922e3641521a17d18fc2e33e99ee90e0e28976b831bdffe112385d2

Download Submit
\portintosvc\driverInto.exe

Filesize
1.8MB

MD5
31594886c067c61c60a04365c0e2a58c

SHA1
c2e398b5570da49b08050ccd48381f96e8368f28

SHA256
7309289e7d27aaecdfa582bdbd748db3ec445b317022b4b842c1cfb91c0b5d84

SHA512
56ae556094784b60a2b15ee21af06e5e34fc60f921bef406c2ad5254bae36f6736cf4cf7e589b144e5bb36edb9863d51f1c65447b7ce35a5f519a67cbaacec33

Download Submit
memory/2080-72-0x0000000000D80000-0x0000000000F5E000-memory.dmp

Filesize
1.9MB

Download
memory/2152-54-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2568-53-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2840-13-0x0000000000170000-0x000000000034E000-memory.dmp

Filesize
1.9MB

Download
memory/2840-23-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2840-21-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/2840-19-0x0000000002010000-0x0000000002028000-memory.dmp

Filesize
96KB

Download
memory/2840-17-0x0000000000510000-0x000000000052C000-memory.dmp

Filesize
112KB

Download
memory/2840-15-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads