zgrat | 93e92273784deb9659b37c211cef5366463753a90abbf1e9b9846d82ff7aaadb | Triage

Submit
Reports

Overview

overview

Static

static

1

adguardInstaller.exe

windows10-2004-x64

adguardInstaller.exe

windows11-21h2-x64

Sharing

General

Target

adguardInstaller.exe
Size

142KB
Sample

240506-vebn5aaf51
MD5

2778418f6e0d048617221386ed96109c
SHA1

bdff4500e90506ec9944691e0f449dc2d7a9454b
SHA256

93e92273784deb9659b37c211cef5366463753a90abbf1e9b9846d82ff7aaadb
SHA512

c7547344992511b53241426b2bb8c2fa55bddf6358300a2bc60a73b42bf7a493822b57a285c718e4b3cc6ed0bbbc22069fb0d908ff8e77c4e92337fd0d7cb6f0
SSDEEP

3072:r4qZHnMyBV3vChLFvGyfmKvK9MkBry8wpspx:r4qZHdV3vevK9MkhkpYx

Score

10^/10

zgrat discovery persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

adguardInstaller.exe

Resource

win10v2004-20240419-en

zgrat discovery persistence rat

windows10-2004-x64

33 signatures

120 seconds

Behavioral task

behavioral2

Sample

adguardInstaller.exe

Resource

win11-20240419-en

zgrat discovery persistence rat

windows11-21h2-x64

30 signatures

120 seconds

Malware Config

Targets

- Target
  
  adguardInstaller.exe
- Size
  
  142KB
- MD5
  
  2778418f6e0d048617221386ed96109c
- SHA1
  
  bdff4500e90506ec9944691e0f449dc2d7a9454b
- SHA256
  
  93e92273784deb9659b37c211cef5366463753a90abbf1e9b9846d82ff7aaadb
- SHA512
  
  c7547344992511b53241426b2bb8c2fa55bddf6358300a2bc60a73b42bf7a493822b57a285c718e4b3cc6ed0bbbc22069fb0d908ff8e77c4e92337fd0d7cb6f0
- SSDEEP
  
  3072:r4qZHnMyBV3vChLFvGyfmKvK9MkBry8wpspx:r4qZHdV3vevK9MkhkpYx
Score

10^/10

zgrat discovery persistence rat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

SIP and Trust Provider Hijacking

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

zgratdiscoverypersistencerat

behavioral2

zgratdiscoverypersistencerat

© 2018-2025

Terms | Privacy