zgrat | b8f169a3942e6419bffa75c35a98cd371f3d3cf850ef164100b63da88adb7a7c | Triage

Submit
Reports

Overview

overview

Static

static

1

utorrent_i...1).exe

windows10-2004-x64

7

utorrent_i...1).exe

windows11-21h2-x64

Sharing

General

Target

utorrent_installer(1).zip
Size

1.2MB
Sample

240506-vhrjraah2z
MD5

261378844b98b31884ce78733f6affe4
SHA1

b837b1033da9b0ac1796d4bd37a6e254a7ee004d
SHA256

b8f169a3942e6419bffa75c35a98cd371f3d3cf850ef164100b63da88adb7a7c
SHA512

17c67b5ed7a6c36574539fda3d03450c74d69d50e28506b2171a25f25f4030458065f179ba385903a61de5c9f7f3383371546219c8e4314b3a1afe15de5aca5e
SSDEEP

24576:Mdy6kV6JeSUTQT3CYRbv4m8dhdZhDbeTROT33gA0fgyGMjxOZx2JpXMYgdw:MdfkV8eBTQT3PLp8drZhDt3gA0opMVOO

Score

10^/10

zgrat discovery evasion persistence rat spyware stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

utorrent_installer(1).exe

Resource

win10v2004-20240419-en

discovery evasion persistence spyware stealer upx

windows10-2004-x64

21 signatures

120 seconds

Behavioral task

behavioral2

Sample

utorrent_installer(1).exe

Resource

win11-20240419-en

zgrat discovery evasion persistence rat spyware stealer upx

windows11-21h2-x64

33 signatures

120 seconds

Malware Config

Targets

- Target
  
  utorrent_installer(1).exe
- Size
  
  1.7MB
- MD5
  
  241ce365f228ee5f74d81b3fea14e09a
- SHA1
  
  700b05506dd3eebb4b87ff545f6d2bb6af6a3ae3
- SHA256
  
  bf4ee47d0df1870104f4fada8a68c2fb29e94fea9284c7bb6a6b385a718d8a18
- SHA512
  
  bf3756fb2b037a10592498f08e6eb3bad8f50da4ff9e96703e646a69ea1481e6801023abb3b1aae923fb2c68bb21ae5bb50f8e675b57ff90504c8e7ee8f81593
- SSDEEP
  
  49152:9BuZrEUT97LZxMPrlDZFBmS06nIJOZobMP:LkLp/ZSr97Bmb6naO6bs
Score

10^/10

discovery evasion persistence spyware stealer upx zgrat rat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Drops file in Drivers directory
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

Software Discovery

Security Software Discovery

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistencespywarestealerupx

behavioral2

zgratdiscoveryevasionpersistenceratspywarestealerupx

© 2018-2025

Terms | Privacy