zgrat | 42b3403fdb432bb35c9371b14f7ce6a5ea5d4728997381b349ab33b1b58f4aa1 | Triage

Submit
Reports

Overview

overview

Static

static

3

Dhl-02.exe

windows7-x64

Dhl-02.exe

windows10-2004-x64

Sharing

General

Target

Dhl-02.exe
Size

6.1MB
Sample

240509-g5g2yaha93
MD5

d9a34070f5445a2f4c1fa7dcb45e0ab4
SHA1

f6c56df6c755f1c0b45448690465a5e2e06275ce
SHA256

42b3403fdb432bb35c9371b14f7ce6a5ea5d4728997381b349ab33b1b58f4aa1
SHA512

5429daadd697fff888727238d725ff86f8d1ea3e7f29e7faa0a5bbb3f2966ff126d9f7c83b64ac63e3e9d93d69983d21032b64cd280215d28d15d818d55e516c
SSDEEP

24576:OudIAccuoodT1Exb/4rNYRxJ3//XAO81DnemJnwRS64uvRdT7dk9pagnJr8gMEyR:b

Score

10^/10

zgrat collection persistence rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Dhl-02.exe

Resource

win7-20240508-en

zgrat persistence rat

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Dhl-02.exe

Resource

win10v2004-20240426-en

zgrat collection persistence rat spyware stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  Dhl-02.exe
- Size
  
  6.1MB
- MD5
  
  d9a34070f5445a2f4c1fa7dcb45e0ab4
- SHA1
  
  f6c56df6c755f1c0b45448690465a5e2e06275ce
- SHA256
  
  42b3403fdb432bb35c9371b14f7ce6a5ea5d4728997381b349ab33b1b58f4aa1
- SHA512
  
  5429daadd697fff888727238d725ff86f8d1ea3e7f29e7faa0a5bbb3f2966ff126d9f7c83b64ac63e3e9d93d69983d21032b64cd280215d28d15d818d55e516c
- SSDEEP
  
  24576:OudIAccuoodT1Exb/4rNYRxJ3//XAO81DnemJnwRS64uvRdT7dk9pagnJr8gMEyR:b
Score

10^/10

zgrat persistence rat collection spyware stealer
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

zgratpersistencerat

behavioral2

zgratcollectionpersistenceratspywarestealer

© 2018-2025

Terms | Privacy