zgrat | f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 17:40

Target

f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe
Size

551KB
MD5

a507ce96d65b8ded1a32998e65c65cc5
SHA1

db43868ad7aa5517998c7c486d4b564d3a683621
SHA256

f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad
SHA512

15baaef10520d9898aed0e5ceed4bb98f4122c07da69585d4843105f0d79e77aa75c098fcc29db52a14cb80b5a17a5a927288676ab3fe9d1ffec815f36803976
SSDEEP

12288:tX0+hk6HUIzCjgY9xaYZRykP8/fK+F7U+yMC3anu:90WKGC/9xZkkxEmM5u

Score

10^/10

zgrat rat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2172-7-0x0000000005500000-0x0000000005570000-memory.dmp	family_zgrat_v1

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2084	2172	f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2084	f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2084	2172	f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe	28
PID 2172 wrote to memory of 2084	2172	f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe	28
PID 2172 wrote to memory of 2084	2172	f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe	28
PID 2172 wrote to memory of 2084	2172	f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe	28
PID 2172 wrote to memory of 2084	2172	f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe	28
PID 2172 wrote to memory of 2084	2172	f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe	28
PID 2172 wrote to memory of 2084	2172	f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe	28

C:\Users\Admin\AppData\Local\Temp\f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe
"C:\Users\Admin\AppData\Local\Temp\f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe
  "C:\Users\Admin\AppData\Local\Temp\f5a8212add9f9bfbc85f6337d2194ca9aa66bd3c12830c8ebe7d7ff60934d5ad.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2084

memory/2084-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-18-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/2084-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-4-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/2172-7-0x0000000005500000-0x0000000005570000-memory.dmp

Filesize
448KB

Download
memory/2172-8-0x0000000000760000-0x0000000000798000-memory.dmp

Filesize
224KB

Download
memory/2172-6-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2172-5-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/2172-3-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/2172-2-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-17-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-1-0x0000000000800000-0x000000000088E000-memory.dmp

Filesize
568KB

Download