zgrat | 6f7189376b953fd0a6e37f23d7f4bf6be70ff4d5cb39214a8d766bf9f6044511 | Triage

Submit
Reports

Overview

overview

Static

static

3

Fluxus Cracked.exe

windows7-x64

Fluxus Cracked.exe

windows10-2004-x64

Sharing

General

Target

Fluxus Cracked.exe
Size

4.9MB
Sample

240511-ppdnksah66
MD5

7a182d7bd6c9304ea5e2fa27e007becc
SHA1

2ff3ccdad179d5ad23a59fedab2cb7b284f51af3
SHA256

6f7189376b953fd0a6e37f23d7f4bf6be70ff4d5cb39214a8d766bf9f6044511
SHA512

cdb5e2bcbbe16619ec008069ac5350743e965b6b89d335b85f36b055baa54f7006c0313093cf435ffc0c84854bfc1600992e2be8512d6436161ae4c3192bb8b6
SSDEEP

98304:BFVqfd/eLhdGYhfl0CcnVNB5G6X4RutZhjltPY5tnJTJmjPduN7umo1YU:IeL9Ncn93X8Yhl8nxJpumo1d

Score

10^/10

zgrat execution rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Fluxus Cracked.exe

Resource

win7-20240220-en

zgrat execution rat

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

Fluxus Cracked.exe

Resource

win10v2004-20240508-en

zgrat execution rat

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  Fluxus Cracked.exe
- Size
  
  4.9MB
- MD5
  
  7a182d7bd6c9304ea5e2fa27e007becc
- SHA1
  
  2ff3ccdad179d5ad23a59fedab2cb7b284f51af3
- SHA256
  
  6f7189376b953fd0a6e37f23d7f4bf6be70ff4d5cb39214a8d766bf9f6044511
- SHA512
  
  cdb5e2bcbbe16619ec008069ac5350743e965b6b89d335b85f36b055baa54f7006c0313093cf435ffc0c84854bfc1600992e2be8512d6436161ae4c3192bb8b6
- SSDEEP
  
  98304:BFVqfd/eLhdGYhfl0CcnVNB5G6X4RutZhjltPY5tnJTJmjPduN7umo1YU:IeL9Ncn93X8Yhl8nxJpumo1d
Score

10^/10

zgrat execution rat
- Detect ZGRat V1
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

zgratexecutionrat

behavioral2

zgratexecutionrat

© 2018-2024

Terms | Privacy