zgrat | 8a464dc6c1c036ff976af16c85f712538e324c307ccacb0d3fb219f2c5663a47

General

Target

GTA 6 Builder-Install.exe
Size

13.1MB
MD5

95f7a7d1658b372cbcbd6cc1ef91bef9
SHA1

180182eef4ac2baaa0d773aeb59aec022a3d34cc
SHA256

841d63d65e18b16579ff539e49ea437ef27c488d52d463b0105cdd4b19d2ea37
SHA512

26bc67b7665bb2423e765249caf7ab7a0634af699335568d5b19732a149560d9b77bc586477c12bacc66cf382a1e80b9846e6fe05d9e9315e66f88e438d4c095
SSDEEP

196608:Ya4hESrp12vabgVvjce8pPZHjSOZlrMUjJi2QSdI/K2RZPvn3J+sL378BZnybgbo:Ya+HoRHe5V/rDjJfNqvZXn3J+DZyBd

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ms_updater.exe	family_zgrat_v1
behavioral2/memory/4852-17-0x00000000002B0000-0x00000000004B6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3516-19-0x0000000001010000-0x000000000256A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 2 IoCs

Processes:

ms_tool.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe	ms_tool.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe	ms_tool.exe

Executes dropped EXE 2 IoCs

Processes:

ms_tool.exems_updater.exe

pid process

312 ms_tool.exe
4852 ms_updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

ms_updater.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings ms_updater.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4664 PING.EXE

pid	process
312	ms_tool.exe
4852	ms_updater.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	ms_updater.exe

pid	process
4664	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

GTA 6 Builder-Install.exems_updater.exe

pid	process
3516	GTA 6 Builder-Install.exe
3516	GTA 6 Builder-Install.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe
4852	ms_updater.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ms_updater.exe

description pid process

Token: SeDebugPrivilege 4852 ms_updater.exe

description	pid	process
Token: SeDebugPrivilege	4852	ms_updater.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

GTA 6 Builder-Install.exems_updater.execmd.exe

description	pid	process	target process
PID 3516 wrote to memory of 312	3516	GTA 6 Builder-Install.exe	ms_tool.exe
PID 3516 wrote to memory of 312	3516	GTA 6 Builder-Install.exe	ms_tool.exe
PID 3516 wrote to memory of 4852	3516	GTA 6 Builder-Install.exe	ms_updater.exe
PID 3516 wrote to memory of 4852	3516	GTA 6 Builder-Install.exe	ms_updater.exe
PID 4852 wrote to memory of 4976	4852	ms_updater.exe	cmd.exe
PID 4852 wrote to memory of 4976	4852	ms_updater.exe	cmd.exe
PID 4976 wrote to memory of 1056	4976	cmd.exe	chcp.com
PID 4976 wrote to memory of 1056	4976	cmd.exe	chcp.com
PID 4976 wrote to memory of 4664	4976	cmd.exe	PING.EXE
PID 4976 wrote to memory of 4664	4976	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\GTA 6 Builder-Install.exe
"C:\Users\Admin\AppData\Local\Temp\GTA 6 Builder-Install.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Roaming\ms_tool.exe
"C:\Users\Admin\AppData\Roaming\ms_tool.exe"
2⤵
- Drops startup file
- Executes dropped EXE
PID:312

C:\Users\Admin\AppData\Roaming\ms_updater.exe
"C:\Users\Admin\AppData\Roaming\ms_updater.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1056

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat
Filesize
177B

MD5
8611dc4d28dab0485024fdddd11bd17e

SHA1
df05fcb1e755420cdb7ff926b870afed35e5de6e

SHA256
8c4a03420f585bc07971c18f9169960ae12f72c7a23ab1f9c4dba59be23f4664

SHA512
b8c2023f36e6855719f83f0a4b614e697c53ea52350992f4bb77a7b9ae8ba9c18561864025f7ff54c166fdfd93d851cdcb350cd42fe601aeb3816ccbf7f38f39

Download Submit
C:\Users\Admin\AppData\Roaming\ms_tool.exe
Filesize
11KB

MD5
f8701952b62a7e52652271a20b824128

SHA1
82292b1cd54afa277116b42f4b1c43c8933478f0

SHA256
5b0b886143ffe9f5c5750c9b171656783668b655e559ea95d002a265586e3413

SHA512
5acde46db767cf11ea5183007542fd67e1512ccfbcc37efdec685e2db369840a767981b0996dbace0f40602ada0a5c0aed39019ce06590151cd59f0dfa5d68e5

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe
Filesize
2.0MB

MD5
31e5e3ac5a03d60d67188b6b0c3d152b

SHA1
41e831bc8b0c314a46d17492ded7b6b587d66db2

SHA256
dc73ce51066fdcd5f0c7c88fd6fdfb9a4a3722ebe3d2def1dc593fbc1af9e467

SHA512
64837c66af3f63c214ff8f466266f3dea1cf135d54ccaaf5c06fa13763045d79220f88d09ca49a36668d7e1f506bc74c9a2b8de0ec77aac272b0e1466aa168c2

Download Submit
memory/312-12-0x000002BE8D580000-0x000002BE8D588000-memory.dmp

Filesize
32KB

Download
memory/312-18-0x00007FFE93AF0000-0x00007FFE944DC000-memory.dmp

Filesize
9.9MB

Download
memory/312-40-0x00007FFE93AF0000-0x00007FFE944DC000-memory.dmp

Filesize
9.9MB

Download
memory/3516-0-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3516-4-0x0000000001010000-0x000000000256A000-memory.dmp

Filesize
21.4MB

Download
memory/3516-1-0x0000000001010000-0x000000000256A000-memory.dmp

Filesize
21.4MB

Download
memory/3516-19-0x0000000001010000-0x000000000256A000-memory.dmp

Filesize
21.4MB

Download
memory/4852-22-0x000000001B130000-0x000000001B180000-memory.dmp

Filesize
320KB

Download
memory/4852-24-0x00000000026F0000-0x0000000002708000-memory.dmp

Filesize
96KB

Download
memory/4852-26-0x0000000002570000-0x000000000257E000-memory.dmp

Filesize
56KB

Download
memory/4852-28-0x0000000002710000-0x000000000271E000-memory.dmp

Filesize
56KB

Download
memory/4852-30-0x000000001B180000-0x000000001B192000-memory.dmp

Filesize
72KB

Download
memory/4852-32-0x0000000002720000-0x000000000272C000-memory.dmp

Filesize
48KB

Download
memory/4852-34-0x0000000002730000-0x000000000273E000-memory.dmp

Filesize
56KB

Download
memory/4852-36-0x0000000002740000-0x000000000274C000-memory.dmp

Filesize
48KB

Download
memory/4852-37-0x000000001B6D0000-0x000000001B7D2000-memory.dmp

Filesize
1.0MB

Download
memory/4852-38-0x000000001B7E0000-0x000000001B87E000-memory.dmp

Filesize
632KB

Download
memory/4852-21-0x0000000002580000-0x000000000259C000-memory.dmp

Filesize
112KB

Download
memory/4852-71-0x000000001B7E0000-0x000000001B87E000-memory.dmp

Filesize
632KB

Download
memory/4852-17-0x00000000002B0000-0x00000000004B6000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads