zgrat | 747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9 | Triage

Submit
Reports

Overview

overview

Static

static

747abbc9dd...a9.exe

windows7-x64

747abbc9dd...a9.exe

windows10-2004-x64

Sharing

General

Target

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Size

1.6MB
Sample

240512-kplxqsgg4z
MD5

0d6496f71fd24be93348c354faf7dfa6
SHA1

47f195a3996d4e3bd051d54e879d1ae68d2ed9a0
SHA256

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9
SHA512

0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c
SSDEEP

49152:TGJ95iN4KodXZCQRBHt268KDDljKrTrv:iJ9Z3dXLrHt2nYDKX

Score

10^/10

zgrat execution persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Resource

win7-20240215-en

zgrat execution persistence rat

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Resource

win10v2004-20240508-en

zgrat execution persistence rat

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
- Size
  
  1.6MB
- MD5
  
  0d6496f71fd24be93348c354faf7dfa6
- SHA1
  
  47f195a3996d4e3bd051d54e879d1ae68d2ed9a0
- SHA256
  
  747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9
- SHA512
  
  0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c
- SSDEEP
  
  49152:TGJ95iN4KodXZCQRBHt268KDDljKrTrv:iJ9Z3dXLrHt2nYDKX
Score

10^/10

zgrat execution persistence rat
- Detect ZGRat V1
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

zgratexecutionpersistencerat

behavioral2

zgratexecutionpersistencerat

© 2018-2024

Terms | Privacy