zgrat | a1eccc8de0be213f1027b291b8161bd9735906ca17c7835b2dba2f6a3cd40b44

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 02:21

Target

file.exe
Size

5.5MB
MD5

a4605dee5e0886edb6ca82bfa5e9778b
SHA1

f9ab8df29e7821be78df8c63d18c45221dba758e
SHA256

a1eccc8de0be213f1027b291b8161bd9735906ca17c7835b2dba2f6a3cd40b44
SHA512

a1673f9ef1129c7112561984483524b6db2b3aef2490219f59c6f0a60cd132493f37a11a0895c9d76b2c2f6c69a9523ca6ff6d0f4bd98c338597a886703bb2a0
SSDEEP

49152:W86Sy06W/cCFdRmF1Ge4uuOzGhKEZAVX0LdcNcw7pAJ4UcTGLgMy1LES98Q4Gc3I:jLzIz+1ISfi1F8QmadgfJAYiYY

Score

10^/10

zgrat rat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2012-1-0x0000000000300000-0x000000000087E000-memory.dmp	family_zgrat_v1

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2380	2012	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2380	2012	file.exe	28
PID 2012 wrote to memory of 2380	2012	file.exe	28
PID 2012 wrote to memory of 2380	2012	file.exe	28
PID 2012 wrote to memory of 2380	2012	file.exe	28

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 556
  2⤵
  - Program crash
  PID:2380

memory/2012-0-0x00000000740BE000-0x00000000740BF000-memory.dmp

Filesize
4KB

Download
memory/2012-1-0x0000000000300000-0x000000000087E000-memory.dmp

Filesize
5.5MB

Download
memory/2012-2-0x00000000740BE000-0x00000000740BF000-memory.dmp

Filesize
4KB

Download