zgrat | 967be8ca2638ec1b58a6785524cac32aade09281a5ad67e6315bd2090d81969a | Triage

Submit
Reports

Overview

overview

Static

static

3

Dhl-02.exe

windows7-x64

Dhl-02.exe

windows10-2004-x64

Sharing

General

Target

0d24dafcbb977d2f3e0f1f92dd51eff4.bin
Size

2.7MB
Sample

240512-bdlyxsha4s
MD5

1101c26257010230c845c78c4434aee1
SHA1

21734e32663a34c6620b6868054544735d4ccced
SHA256

967be8ca2638ec1b58a6785524cac32aade09281a5ad67e6315bd2090d81969a
SHA512

45d0c0e1e0f4893b65eac433d56ad35de7096b5896417eb5705582a40efa8e956f8e69ae0042364b5a54628de1cd5f8b316070fa34d21af1f8fa708c8041408e
SSDEEP

49152:hNGlv3TTsIYas5/XA01q8P+XHh6QUV23Y5DjnMxYyBAXDArWM2nD0wYYBKHLwuR5:hevDTsIYas5/Q05P6BvY5DL0YyBIA6Bg

Score

10^/10

zgrat collection persistence rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Dhl-02.exe

Resource

win7-20240508-en

zgrat persistence rat

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Dhl-02.exe

Resource

win10v2004-20240426-en

zgrat collection persistence rat spyware stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  Dhl-02.exe
- Size
  
  6.1MB
- MD5
  
  d9a34070f5445a2f4c1fa7dcb45e0ab4
- SHA1
  
  f6c56df6c755f1c0b45448690465a5e2e06275ce
- SHA256
  
  42b3403fdb432bb35c9371b14f7ce6a5ea5d4728997381b349ab33b1b58f4aa1
- SHA512
  
  5429daadd697fff888727238d725ff86f8d1ea3e7f29e7faa0a5bbb3f2966ff126d9f7c83b64ac63e3e9d93d69983d21032b64cd280215d28d15d818d55e516c
- SSDEEP
  
  24576:OudIAccuoodT1Exb/4rNYRxJ3//XAO81DnemJnwRS64uvRdT7dk9pagnJr8gMEyR:b
Score

10^/10

zgrat persistence rat collection spyware stealer
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

zgratpersistencerat

behavioral2

zgratcollectionpersistenceratspywarestealer

© 2018-2025

Terms | Privacy