zgrat | 9a88596ac17ead66f77f50ff112c5a7d6def53fb92e218471ec41edaebf5b14b | Triage

Submit
Reports

Overview

overview

Static

static

1

SyncSpoof Updated.rar

windows7-x64

SyncSpoof Updated.rar

windows10-2004-x64

3

Sharing

General

Target

SyncSpoof Updated.rar
Size

2.3MB
Sample

240513-298exahf2w
MD5

bd5cd88a5053dda595098ce1f96d0288
SHA1

537c6b3476b2f9f29f325123c8f1a31daae561fc
SHA256

9a88596ac17ead66f77f50ff112c5a7d6def53fb92e218471ec41edaebf5b14b
SHA512

e4bb01d9e1298aef964caf369609951d3039f25f899fe69ce949917b85895b39f97497608f10d697188caed8041a6f098bd396cd4737cc61943e4dde81cf4e49
SSDEEP

49152:kNVfHPuWMR4aY6JnmGkbBX4A61bqLop/myP9KJhZA4FIJWhAjB7d1NgpdecPGN:kbf2WSYimhBIt9qLoBuU4cWhKdrgpdeJ

Score

10^/10

zgrat evasion execution persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

SyncSpoof Updated.rar

Resource

win7-20240221-en

zgrat evasion execution persistence rat

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

SyncSpoof Updated.rar

Resource

win10v2004-20240426-en

windows10-2004-x64

3 signatures

150 seconds

Malware Config

Targets

- Target
  
  SyncSpoof Updated.rar
- Size
  
  2.3MB
- MD5
  
  bd5cd88a5053dda595098ce1f96d0288
- SHA1
  
  537c6b3476b2f9f29f325123c8f1a31daae561fc
- SHA256
  
  9a88596ac17ead66f77f50ff112c5a7d6def53fb92e218471ec41edaebf5b14b
- SHA512
  
  e4bb01d9e1298aef964caf369609951d3039f25f899fe69ce949917b85895b39f97497608f10d697188caed8041a6f098bd396cd4737cc61943e4dde81cf4e49
- SSDEEP
  
  49152:kNVfHPuWMR4aY6JnmGkbBX4A61bqLop/myP9KJhZA4FIJWhAjB7d1NgpdecPGN:kbf2WSYimhBIt9qLoBuU4cWhKdrgpdeJ
Score

10^/10

zgrat evasion execution persistence rat
- Detect ZGRat V1
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Nirsoft
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

zgratevasionexecutionpersistencerat

behavioral2

© 2018-2024

Terms | Privacy