zgrat | 87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Size

243KB
MD5

760695e2db67b720fbac75a0b2bfcb9d
SHA1

abd8b62688eae430ed7009d0c81fc1d1f8f67f50
SHA256

87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0
SHA512

d08a7106f0c585bea8eeac93e03d589f5848966401443bf0c8d2d099080ea4f9c53d2c39dab1b8d1b56db08c1a13866dbabcfab8d956bc5e49655c0301d19640
SSDEEP

6144:KFt8upDh/WuA50JPZHSWlzXxC73oOQscXybxEiS7DTeop:3upDh/pPZRC73zhc4LkTeop

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/3032-2-0x0000000000400000-0x000000000045E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with ConfuserEx Mod 1 IoCs

resource	yara_rule
behavioral2/memory/5116-1-0x00000000006B0000-0x00000000006F4000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5116 set thread context of 3032	5116	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe	84

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	5116	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeDebugPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeBackupPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeBackupPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeBackupPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeBackupPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeBackupPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeBackupPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeBackupPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
Token: SeSecurityPrivilege	3032	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 3032	5116	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe	84
PID 5116 wrote to memory of 3032	5116	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe	84
PID 5116 wrote to memory of 3032	5116	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe	84
PID 5116 wrote to memory of 3032	5116	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe	84
PID 5116 wrote to memory of 3032	5116	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe	84
PID 5116 wrote to memory of 3032	5116	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe	84
PID 5116 wrote to memory of 3032	5116	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe	84
PID 5116 wrote to memory of 3032	5116	87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe	84

C:\Users\Admin\AppData\Local\Temp\87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
"C:\Users\Admin\AppData\Local\Temp\87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
  C:\Users\Admin\AppData\Local\Temp\87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\87716b4afc5781bd9b1108f2620a3f74b2f1a52a08ac4794e7c381f412d3cff0.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
memory/3032-7-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/3032-9-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download
memory/3032-15-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/3032-5-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/3032-6-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/3032-14-0x0000000008B20000-0x0000000008B6C000-memory.dmp

Filesize
304KB

Download
memory/3032-8-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/3032-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3032-10-0x0000000008EC0000-0x00000000094D8000-memory.dmp

Filesize
6.1MB

Download
memory/3032-11-0x0000000008A10000-0x0000000008B1A000-memory.dmp

Filesize
1.0MB

Download
memory/3032-12-0x0000000008940000-0x0000000008952000-memory.dmp

Filesize
72KB

Download
memory/3032-13-0x00000000089A0000-0x00000000089DC000-memory.dmp

Filesize
240KB

Download
memory/5116-0-0x000000007504E000-0x000000007504F000-memory.dmp

Filesize
4KB

Download
memory/5116-1-0x00000000006B0000-0x00000000006F4000-memory.dmp

Filesize
272KB

Download