Malware Analysis Report

2024-11-30 20:11

Sample ID 240509-llgdhsea34
Target file
SHA256 e84cad4f234445a47bf803591ac168031558e9215ba714c2197fe75b5188aa1c
Tags
zgrat rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e84cad4f234445a47bf803591ac168031558e9215ba714c2197fe75b5188aa1c

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

zgrat rat spyware

Zgrat family

Detect ZGRat V1

ZGRat

.NET Reactor protector

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 09:37

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Zgrat family

zgrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 09:37

Reported

2024-05-09 09:39

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\file.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WerFault.exe
PID 1660 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WerFault.exe
PID 1660 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WerFault.exe
PID 1660 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 556

Network

N/A

Files

memory/1660-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

memory/1660-1-0x0000000000080000-0x00000000004FA000-memory.dmp

memory/1660-2-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 09:37

Reported

2024-05-09 09:39

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3432 set thread context of 3436 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.235:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 235.83.221.88.in-addr.arpa udp
BE 88.221.83.235:443 www.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 5.42.65.67:48396 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 67.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3432-0-0x000000007441E000-0x000000007441F000-memory.dmp

memory/3432-1-0x0000000000AD0000-0x0000000000F4A000-memory.dmp

memory/3432-2-0x00000000059A0000-0x0000000005A3C000-memory.dmp

memory/3432-3-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/3432-4-0x0000000005B70000-0x0000000005D02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/3432-10-0x0000000005980000-0x0000000005990000-memory.dmp

memory/3432-11-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/3432-12-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/3432-14-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/3436-15-0x0000000000400000-0x000000000046E000-memory.dmp

memory/3432-16-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/3432-13-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/3432-18-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/3436-19-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/3436-20-0x0000000005DE0000-0x0000000006384000-memory.dmp

memory/3436-21-0x00000000058D0000-0x0000000005962000-memory.dmp

memory/3436-23-0x0000000074410000-0x0000000074BC0000-memory.dmp

memory/3436-22-0x0000000005A80000-0x0000000005A8A000-memory.dmp

memory/3436-24-0x0000000008FD0000-0x00000000095E8000-memory.dmp

memory/3436-25-0x0000000008B30000-0x0000000008C3A000-memory.dmp

memory/3436-26-0x0000000008A70000-0x0000000008A82000-memory.dmp

memory/3436-27-0x0000000008AD0000-0x0000000008B0C000-memory.dmp

memory/3436-28-0x0000000008C40000-0x0000000008C8C000-memory.dmp

memory/3436-29-0x0000000008DC0000-0x0000000008E26000-memory.dmp

memory/3436-30-0x00000000096F0000-0x0000000009766000-memory.dmp

memory/3436-31-0x0000000008FA0000-0x0000000008FBE000-memory.dmp

memory/3436-32-0x000000000A1D0000-0x000000000A392000-memory.dmp

memory/3436-33-0x000000000A8D0000-0x000000000ADFC000-memory.dmp

memory/3436-35-0x0000000074410000-0x0000000074BC0000-memory.dmp