zgrat | 6badfc713ecea281aecb89bdcddafea95465e94098557bc679cdb85a70d67555

General

Target

dacdc4204974035b495698e1e6de02e0_NEIKI.exe
Size

5.9MB
MD5

dacdc4204974035b495698e1e6de02e0
SHA1

ee3f46e8f9e7539cbee614faaf15af6ec3180f07
SHA256

6badfc713ecea281aecb89bdcddafea95465e94098557bc679cdb85a70d67555
SHA512

cb967f8049017233e24cd5397454593d256c716534fb820cc9e9e9be581807af5993c15711dc91cf611a0cf4759e5c7b07a4e29daf2e67d433ce6e480bcc46e9
SSDEEP

98304:t/TX7JvnzWR4DNnbx5SoesNLWE4iMgFWEWqFGIBGKKDO9uAqB/Ob1R/CHpS2q:tr5niaDVbx5p1Rqi+FqkkrUAqw

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000002343b-80.dat	family_zgrat_v1
behavioral2/memory/1760-81-0x00000000071C0000-0x000000000725E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/1760-1-0x0000000000B60000-0x000000000114A000-memory.dmp	net_reactor
behavioral2/files/0x000800000002343b-80.dat	net_reactor
behavioral2/memory/1760-81-0x00000000071C0000-0x000000000725E000-memory.dmp	net_reactor

Loads dropped DLL 4 IoCs

pid	Process
1760	dacdc4204974035b495698e1e6de02e0_NEIKI.exe
1760	dacdc4204974035b495698e1e6de02e0_NEIKI.exe
1760	dacdc4204974035b495698e1e6de02e0_NEIKI.exe
1760	dacdc4204974035b495698e1e6de02e0_NEIKI.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\58F6A68D38867D61B346F3BB298BCB0FCDD30A99\Blob = 03000000010000001400000058f6a68d38867d61b346f3bb298bcb0fcdd30a99140000000100000014000000bd05b7f38a933c73cb79fa0f8512a177961891740400000001000000100000004c63082d06a1d58d998f46a381fa8ca10f0000000100000020000000e561fec47c5a1dcdc2e9b27ce54416bcddc73206f5b67a565da735f269ae8a791900000001000000100000002527850217b0428fdbf1e5e25e980c175c000000010000000400000000080000180000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd2000000001000000900500003082058c30820374a00302010202107f1f2c902e83d0e3b6fb3bee478b5e80300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3233303731393033343332355a170d3236303731393030303030305a3055310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361312b302906035504031322476c6f62616c5369676e2047434320523620416c70686153534c204341203230323330820122300d06092a864886f70d01010105000382010f003082010a0282010100d3426f939003a693b4ae00e78f5335e1721bd37d806ace34f4924501bf1c5238a914eb61ef248b75a58b7b7b3ade84ace71dde5b0cd3a57e01164cd96f14f57a82521df4f6334c19e5038f702223b2bf9807c4c0bd5db2252caaf9e991acdfc5b600924da597489e638a95bc489fd502e5cf333b803f6c98a6e3dc8e34391b2aecb035e0bbe161b58c6ac853fb052bf1f63421879415e7384bc9cb9a9fc9fe274530d3d59140ae89190e47cc36508a790d7a5f9f6593511b5804f507a1fad1c1a65ae46a507583ce6a2643ce27b4a812f2ac98391a8e0824fec4aaecd3f2cc569afd50466624511be164c420678860f9eb5f0f438b6b7301f23288d214e6ce1d0203010001a382015f3082015b300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100301d0603551d0e04160414bd05b7f38a933c73cb79fa0f8512a17796189174301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0307b06082b06010505070101046f306d302e06082b060105050730018622687474703a2f2f6f637370322e676c6f62616c7369676e2e636f6d2f726f6f747236303b06082b06010505073002862f687474703a2f2f7365637572652e676c6f62616c7369676e2e636f6d2f6361636572742f726f6f742d72362e63727430360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f726f6f742d72362e63726c30210603551d20041a30183008060667810c010201300c060a2b06010401a0320a0103300d06092a864886f70d01010b050003820201007cc924328e60e269f57ede1de31476907cd8a43ba4842d5760fc1f49937703d9c405a76374a64c1fb8ae4b5bc5f2e49c836ebfdf40d13de9f67c546cafaeb6102c94091e0e7de8a218d76842f71eb0cf57a5ec371cb40fe2a1e0facefbe2134bbc6443e1a2922b016a2ccadca82c3ab4401f5fdf6d156b03e23cdb0ba93cb6348bcc49747d35257e425a5a9bcb564a60f5eb7cb43f1de756f298283927a27ac1c5e99ac4869e4b01a1b69cd7e9d79a007b8d00bd79d53c678d45168f3b055de40adad65ac76441abce6ccb1750f97f00ef32fe33ae016cf4c32bcf9caa26fa8e96e2f28363affa5cfca935d79b389ea68f26882e9d2aba842f863c7cec1cc4361e6ce7b0083b2206a52d2c0c40a15433f32c47d1b07d8527cfd6e70a05d27bec053a9f6120aa6e541b1de0c3b428fb3257fc25fa9a32ea9c6c4e2b312c9f787c827594309dcfebf6e8e7b61ebdd40261c7261e08cd3899eb4921eedc07a7787459be3dde5eaef638c77dabd2e435434b29cb556336a5098eeb2c62e5cdc8c9851d2b8b410e8fade3e61f995c48c42960accfa03fd188d543fcf2b43b7bee3b9be1de8ee829bd457f3a1a9c3b05153af0d1a2ce7515bfb662cf5953559406fc69df81f34609b0be075d89d01bcc180056fc2e1c120f24fdbfe0b50b595c20713b9c4d00029f49487c4362c99af698b88343e18370603a6d9eb93473c3b4744b35	dacdc4204974035b495698e1e6de02e0_NEIKI.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\58F6A68D38867D61B346F3BB298BCB0FCDD30A99	dacdc4204974035b495698e1e6de02e0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1760	dacdc4204974035b495698e1e6de02e0_NEIKI.exe
1760	dacdc4204974035b495698e1e6de02e0_NEIKI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	dacdc4204974035b495698e1e6de02e0_NEIKI.exe

C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AvCmMsg.ini

Filesize
1KB

MD5
1f4b8e7405456dc2f2250d5fbbad7486

SHA1
efea299772b2f82610af2fb4aaf0afb05b3ac00d

SHA256
96015f0063145199f15f084e31e79ff77493591bd340a29895edb0783fb132b4

SHA512
69867da84b22249373f675c8cc84bf19968c6dc4bee23d505a52447dd27563ea39330804cb17e5967cfd0ee57c845f704a8f98912d9c5d082eca192fb521905e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AvCryptSvc.exe

Filesize
611KB

MD5
79758f40946119b9dbdfe1d3f0d013ab

SHA1
cf80ca05cf992bc875defa1f301adf8240bd9cf3

SHA256
cc541615455783965444ec82aff7bda49262123d165f8c8c3ceb7110339c9f33

SHA512
d505e796af2a061284c234afcc7cc7243e8553cab487d467c8c752ab35298422cfbac8ced565a9c7fe48c8663d8dc3e1909dcba9f67f66fe2390a6646ba32b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\AvCryptSvc.ini

Filesize
2KB

MD5
0677d433a47449d66395bc690c20ef68

SHA1
80feca271ddebad5b10cb8c8714c6c2aa386fa32

SHA256
e07b900ffa34af1c388ce75b3820f6f3d3d247ee72a9961eecd1425b66f6f1f3

SHA512
2c013b88bcb314a26e1e297a038a7b91e28135d2ff4b8b4aa170f035d70c69cb96d04c43331cbc9b6868d4279b30f49d7c8af8afdb8ca1469ee174797811c435

Download Submit
memory/1760-4-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1760-2-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1760-5-0x0000000005BB0000-0x0000000005C42000-memory.dmp

Filesize
584KB

Download
memory/1760-6-0x0000000005C50000-0x0000000005C5A000-memory.dmp

Filesize
40KB

Download
memory/1760-7-0x000000000B4B0000-0x000000000BAA2000-memory.dmp

Filesize
5.9MB

Download
memory/1760-3-0x0000000006280000-0x0000000006824000-memory.dmp

Filesize
5.6MB

Download
memory/1760-74-0x0000000006220000-0x0000000006242000-memory.dmp

Filesize
136KB

Download
memory/1760-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/1760-81-0x00000000071C0000-0x000000000725E000-memory.dmp

Filesize
632KB

Download
memory/1760-92-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1760-1-0x0000000000B60000-0x000000000114A000-memory.dmp

Filesize
5.9MB

Download
memory/1760-104-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/1760-105-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1760-106-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing