zgrat | 3bda326c6b1ad00646748e106436af9558ac862789e6d6756a6e99dc49d02a6d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adguardinstaller.exe
Size

108KB
MD5

d07b5064171e84847eee458e77e37f62
SHA1

55ff55e6fb2562bf5af94af8771a305adc18193b
SHA256

a0209ba6abe82695d24a32793252e9648c3596c071cc69d79d78e66184e59034
SHA512

a5aa3c61ad4208147af9dcf5e1815d25feb894d71b26d35c14600d9f93d82d35d0f72d6149a4a03f6285e85f4371d5e1d0959bcb1fd1a2076aec1c9aa7b9e38a
SSDEEP

1536:WRKgf7E5VID6GnP3uAT1ob7t1mKvKC+CO1+kworWx:Wg35m7nPeA8fmKvK9MkBrE

Score

10^/10

zgrat discovery rat

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/memory/2228-125-0x00000000062A0000-0x0000000006380000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000016c64-123.dat	family_zgrat_v1
behavioral1/files/0x0006000000016adc-133.dat	family_zgrat_v1
behavioral1/memory/2228-135-0x0000000006980000-0x0000000006B44000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
2588	setup.exe
2228	setup.exe

Loads dropped DLL 21 IoCs

pid	Process
2972	adguardinstaller.exe
2588	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe
2228	setup.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	adguardinstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	adguardinstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2588	2972	adguardinstaller.exe	29
PID 2972 wrote to memory of 2588	2972	adguardinstaller.exe	29
PID 2972 wrote to memory of 2588	2972	adguardinstaller.exe	29
PID 2972 wrote to memory of 2588	2972	adguardinstaller.exe	29
PID 2972 wrote to memory of 2588	2972	adguardinstaller.exe	29
PID 2972 wrote to memory of 2588	2972	adguardinstaller.exe	29
PID 2972 wrote to memory of 2588	2972	adguardinstaller.exe	29
PID 2588 wrote to memory of 2228	2588	setup.exe	30
PID 2588 wrote to memory of 2228	2588	setup.exe	30
PID 2588 wrote to memory of 2228	2588	setup.exe	30
PID 2588 wrote to memory of 2228	2588	setup.exe	30
PID 2588 wrote to memory of 2228	2588	setup.exe	30
PID 2588 wrote to memory of 2228	2588	setup.exe	30
PID 2588 wrote to memory of 2228	2588	setup.exe	30

C:\Users\Admin\AppData\Local\Temp\adguardinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\adguardinstaller.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe
  C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe "AID=25774"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\Temp\{52EF1761-1000-4DDF-93C5-25B3F548547B}\.cr\setup.exe
    "C:\Windows\Temp\{52EF1761-1000-4DDF-93C5-25B3F548547B}\.cr\setup.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe" -burn.filehandle.attached=280 -burn.filehandle.self=288 "AID=25774"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{52EF1761-1000-4DDF-93C5-25B3F548547B}\.cr\setup.exe

Filesize
3.1MB

MD5
b25f06e4ed0166ac822e48068e334b00

SHA1
5f44162e567a979323a1b734e651b60affaad674

SHA256
a66066c6fbaabee2011956619a0bdf3606b40f4eddedecabb82bb321ceeb2f72

SHA512
03280db188f38387d7d11073f36caf9ed05fd266b3d155b4bf0ba4ac1bccce422d552ccc39465e2b5ff0996b0a24904304d6f5b269f3e38432cc73235fface50

Download Submit
C:\Windows\Temp\{E4D36B9F-1B6E-465C-B632-F88321F1C193}\.ba\BootstrapperCore.config

Filesize
1KB

MD5
898c2a320bea0580f37beeccda8f2378

SHA1
eccab214a148e6a7a9535bf1c83b714c756dabf2

SHA256
4440270efc95c694150a665b62ca89b8b93b1271dfb2757e8dd1a68ef2705498

SHA512
e4608aab984c6e97b00e80d2635a283392f1eb24bdb65f5fce92851eb63ad474e5050ac46e5cafe2dbd438dd026269253bd4ec427f08b2a09788d6b1d49bcc84

Download Submit
\Windows\Temp\{E4D36B9F-1B6E-465C-B632-F88321F1C193}\.ba\AdGuard.Utils.Base.dll

Filesize
879KB

MD5
39b2236a3c083292a14f65585ad73e28

SHA1
012a24cc5993cbc33ebace8cace1c1dae1e899c3

SHA256
4b930935f4a6ecf9908c9c50f969c5daea41c3de2bd6540cd6f220fd83bffe8d

SHA512
d3b2f971fc856e3927603334ed428658000b4228776039c4c1c0c9811551209073873aea7130ae46dde2971f694d7fedd2a37dafd5ba325a7d0db24a8451f889

Download Submit
\Windows\Temp\{E4D36B9F-1B6E-465C-B632-F88321F1C193}\.ba\AdGuard.Utils.Installer.dll

Filesize
55KB

MD5
abd2f4a5cfa8a9608fb14e3fbf44871f

SHA1
b5249f54a6a73c27bcbbdc07fb6c86d9745be35f

SHA256
06c54e61d243584be70b1b1cfaa412c99e7c5107df45be187a157422edf9eaa5

SHA512
7dcabb779787317c68a6eeb85841ca063fd9d9e3f0a90ff3afc1fd6fddc522913528d8e09e46e9430a4b7c1c1cc67347a5ce89f6adeb1ad262c6ced0c041c1b5

Download Submit
\Windows\Temp\{E4D36B9F-1B6E-465C-B632-F88321F1C193}\.ba\AdGuard.Utils.UI.dll

Filesize
621KB

MD5
ec3d9350a9a400fb3271c7327f5bf5a8

SHA1
0eea26f71e7d03579303b9ffc34549fa7ac843e9

SHA256
aa43b82246de237cc9898d6ec2b18bcafe3a1bafbada9fb7939359866d2909e4

SHA512
a789b3056303ee8680aca458c01c947dba6c33c14966a65ee27b338cab2c25fb6481435063814be81760bed25d385f4313149f5f4792620660cf6252a2e0c01e

Download Submit
\Windows\Temp\{E4D36B9F-1B6E-465C-B632-F88321F1C193}\.ba\AdGuard.Utils.dll

Filesize
1.8MB

MD5
1f79f405d3659eb62779f948a397967d

SHA1
c01403d8ae03c41726f9f5d72f1b79dc3e96191b

SHA256
b262d6ab962e2dfd034e63df34ad8aed15f1caf1ac1b1259facba9535fca71e4

SHA512
b5a397b6f62ee5c7c2dae0cebcd509127200deb5f651eb5d850a2e9182a5eea67925e96df0e3b1ba9cb0f17a4ad78e29833ed3baf22e5e9ec07ff06d47d64ced

Download Submit
\Windows\Temp\{E4D36B9F-1B6E-465C-B632-F88321F1C193}\.ba\Adguard.Burn.dll

Filesize
279KB

MD5
96010203c9ad85132c021ce2d86536f9

SHA1
6db1c233ae2e5ab52798a027a597601c43a02715

SHA256
8215daa9d609cf32d2b2344eb33d7cb612fa91fc2e1210929fd64b5eca6b1b85

SHA512
ee4132abc306e60c1c29707bace7747128cc8f8f71bb3dc86407817dfa71e624e173b597a8da35a5f908095219e8d184cf040a62995aff988a12ecfa14d302cd

Download Submit
\Windows\Temp\{E4D36B9F-1B6E-465C-B632-F88321F1C193}\.ba\BootstrapperCore.dll

Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
\Windows\Temp\{E4D36B9F-1B6E-465C-B632-F88321F1C193}\.ba\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
\Windows\Temp\{E4D36B9F-1B6E-465C-B632-F88321F1C193}\.ba\SharpRaven.dll

Filesize
114KB

MD5
89a2762f19597b82d5c501366e5b2f29

SHA1
f5df7962015164e4bfed0ae361f988c1e581677e

SHA256
a236377db9ee299087c4f8fa6e345765ac4a25aa5d7fabfd8b724f1889324167

SHA512
bd2a4ab78835092abb0cf3cae0850c8b2aa344247f6479cfd59d52bba60c4b605ada4bf885e1ab0b86d4fab138a9084900b954e62e6384d794f2ce61c999cb13

Download Submit
\Windows\Temp\{E4D36B9F-1B6E-465C-B632-F88321F1C193}\.ba\mbahost.dll

Filesize
119KB

MD5
c59832217903ce88793a6c40888e3cae

SHA1
6d9facabf41dcf53281897764d467696780623b8

SHA256
9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db

SHA512
1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

Download Submit
memory/2228-117-0x0000000002DB0000-0x0000000002DFC000-memory.dmp

Filesize
304KB

Download
memory/2228-157-0x0000000005DE0000-0x0000000005DEA000-memory.dmp

Filesize
40KB

Download
memory/2228-121-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2228-135-0x0000000006980000-0x0000000006B44000-memory.dmp

Filesize
1.8MB

Download
memory/2228-131-0x0000000006380000-0x000000000641E000-memory.dmp

Filesize
632KB

Download
memory/2228-141-0x00000000033D0000-0x00000000033EE000-memory.dmp

Filesize
120KB

Download
memory/2228-110-0x00000000026F0000-0x0000000002708000-memory.dmp

Filesize
96KB

Download
memory/2228-159-0x0000000005DE0000-0x0000000005DEA000-memory.dmp

Filesize
40KB

Download
memory/2228-125-0x00000000062A0000-0x0000000006380000-memory.dmp

Filesize
896KB

Download
memory/2228-147-0x0000000006B50000-0x0000000006BF8000-memory.dmp

Filesize
672KB

Download
memory/2228-158-0x0000000005DE0000-0x0000000005DEA000-memory.dmp

Filesize
40KB

Download
memory/2228-156-0x0000000005DE0000-0x0000000005DEA000-memory.dmp

Filesize
40KB

Download
memory/2972-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2972-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download