zgrat | a65dc9cbe71f0efde3fd50729cf5576bfb4c870329eed8f90dcd0fc1b9aa97ba | Triage

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 13:11

Sharing

Report Analysis Logs

General

Target

008d9913e8ce8bb934b93c559a2e32fa.bin.exe
Size

3.4MB
MD5

008d9913e8ce8bb934b93c559a2e32fa
SHA1

10e863115463502aaea5c18f71e02221c6cd02db
SHA256

a65dc9cbe71f0efde3fd50729cf5576bfb4c870329eed8f90dcd0fc1b9aa97ba
SHA512

bb2650f0d776cc479b71987b3a5ef6338eb74b70de04b3628bdf8a1d48199b33d8050b6378b46a75cfba744a8800aa374474197018052184631c5edba0066d55
SSDEEP

98304:h8P8hjuTg6NzRkqDGHiR27pb0WAOfraP1:hkoyTgAj6N1b0WAOfraP1

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2276-1-0x0000000000350000-0x00000000006C0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2276-1-0x0000000000350000-0x00000000006C0000-memory.dmp	net_reactor

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2544	2276	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2544	2276	008d9913e8ce8bb934b93c559a2e32fa.bin.exe	28
PID 2276 wrote to memory of 2544	2276	008d9913e8ce8bb934b93c559a2e32fa.bin.exe	28
PID 2276 wrote to memory of 2544	2276	008d9913e8ce8bb934b93c559a2e32fa.bin.exe	28
PID 2276 wrote to memory of 2544	2276	008d9913e8ce8bb934b93c559a2e32fa.bin.exe	28

C:\Users\Admin\AppData\Local\Temp\008d9913e8ce8bb934b93c559a2e32fa.bin.exe
"C:\Users\Admin\AppData\Local\Temp\008d9913e8ce8bb934b93c559a2e32fa.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 556
  2⤵
  - Program crash
  PID:2544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2276-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

Filesize
4KB

Download
memory/2276-1-0x0000000000350000-0x00000000006C0000-memory.dmp

Filesize
3.4MB

Download