zgrat | 6badfc713ecea281aecb89bdcddafea95465e94098557bc679cdb85a70d67555

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dacdc4204974035b495698e1e6de02e0_NEIKI.exe
Size

5.9MB
MD5

dacdc4204974035b495698e1e6de02e0
SHA1

ee3f46e8f9e7539cbee614faaf15af6ec3180f07
SHA256

6badfc713ecea281aecb89bdcddafea95465e94098557bc679cdb85a70d67555
SHA512

cb967f8049017233e24cd5397454593d256c716534fb820cc9e9e9be581807af5993c15711dc91cf611a0cf4759e5c7b07a4e29daf2e67d433ce6e480bcc46e9
SSDEEP

98304:t/TX7JvnzWR4DNnbx5SoesNLWE4iMgFWEWqFGIBGKKDO9uAqB/Ob1R/CHpS2q:tr5niaDVbx5p1Rqi+FqkkrUAqw

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015364-76.dat	family_zgrat_v1
behavioral1/memory/2892-82-0x00000000056D0000-0x000000000576E000-memory.dmp	family_zgrat_v1
behavioral1/memory/2892-77-0x00000000056D0000-0x000000000576E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2892-1-0x0000000000C00000-0x00000000011EA000-memory.dmp	net_reactor
behavioral1/files/0x0008000000015364-76.dat	net_reactor
behavioral1/memory/2892-82-0x00000000056D0000-0x000000000576E000-memory.dmp	net_reactor
behavioral1/memory/2892-77-0x00000000056D0000-0x000000000576E000-memory.dmp	net_reactor

Loads dropped DLL 4 IoCs

pid	Process
2892	dacdc4204974035b495698e1e6de02e0_NEIKI.exe
2892	dacdc4204974035b495698e1e6de02e0_NEIKI.exe
2892	dacdc4204974035b495698e1e6de02e0_NEIKI.exe
2892	dacdc4204974035b495698e1e6de02e0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2892	dacdc4204974035b495698e1e6de02e0_NEIKI.exe
2892	dacdc4204974035b495698e1e6de02e0_NEIKI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	dacdc4204974035b495698e1e6de02e0_NEIKI.exe

C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AvCmMsg.ini

Filesize
1KB

MD5
1f4b8e7405456dc2f2250d5fbbad7486

SHA1
efea299772b2f82610af2fb4aaf0afb05b3ac00d

SHA256
96015f0063145199f15f084e31e79ff77493591bd340a29895edb0783fb132b4

SHA512
69867da84b22249373f675c8cc84bf19968c6dc4bee23d505a52447dd27563ea39330804cb17e5967cfd0ee57c845f704a8f98912d9c5d082eca192fb521905e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AvCryptSvc.exe

Filesize
611KB

MD5
79758f40946119b9dbdfe1d3f0d013ab

SHA1
cf80ca05cf992bc875defa1f301adf8240bd9cf3

SHA256
cc541615455783965444ec82aff7bda49262123d165f8c8c3ceb7110339c9f33

SHA512
d505e796af2a061284c234afcc7cc7243e8553cab487d467c8c752ab35298422cfbac8ced565a9c7fe48c8663d8dc3e1909dcba9f67f66fe2390a6646ba32b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\AvCryptSvc.ini

Filesize
2KB

MD5
0677d433a47449d66395bc690c20ef68

SHA1
80feca271ddebad5b10cb8c8714c6c2aa386fa32

SHA256
e07b900ffa34af1c388ce75b3820f6f3d3d247ee72a9961eecd1425b66f6f1f3

SHA512
2c013b88bcb314a26e1e297a038a7b91e28135d2ff4b8b4aa170f035d70c69cb96d04c43331cbc9b6868d4279b30f49d7c8af8afdb8ca1469ee174797811c435

Download Submit
memory/2892-2-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-3-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-4-0x000000000A800000-0x000000000ADF2000-memory.dmp

Filesize
5.9MB

Download
memory/2892-0-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/2892-82-0x00000000056D0000-0x000000000576E000-memory.dmp

Filesize
632KB

Download
memory/2892-77-0x00000000056D0000-0x000000000576E000-memory.dmp

Filesize
632KB

Download
memory/2892-1-0x0000000000C00000-0x00000000011EA000-memory.dmp

Filesize
5.9MB

Download
memory/2892-93-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-95-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/2892-96-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-97-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download