zgrat | 355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4 | Triage

Submit
Reports

Overview

overview

Static

static

1

355851dbcd...c4.hta

windows7-x64

3

355851dbcd...c4.hta

windows10-2004-x64

Sharing

General

Target

355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4.hta
Size

9KB
Sample

240514-bjkcaadf38
MD5

344020eda12e49be499998ace856ed47
SHA1

f0a7431a73e7cb0be73fbc588bd91cf173f672d3
SHA256

355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4
SHA512

c3a949de4b8d79b84be37d4b4695a7ccde2b2da583ef998442cb0d9a7191756bcf3d67cf5c2da476f3590823177d07355a9151df32c10d259a32bc4f1fea3b90
SSDEEP

192:w1YCCf214wpenCk59zcntnonzcE6LChVg+D0SDs/:w/Cf214UenCkncntnonzcE6kVgmRs/

Score

10^/10

zgrat agilenet execution rat

Static task

static1

Behavioral task

behavioral1

Sample

355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4.hta

Resource

win7-20240221-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4.hta

Resource

win10v2004-20240508-en

zgrat agilenet execution rat

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4.hta
- Size
  
  9KB
- MD5
  
  344020eda12e49be499998ace856ed47
- SHA1
  
  f0a7431a73e7cb0be73fbc588bd91cf173f672d3
- SHA256
  
  355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4
- SHA512
  
  c3a949de4b8d79b84be37d4b4695a7ccde2b2da583ef998442cb0d9a7191756bcf3d67cf5c2da476f3590823177d07355a9151df32c10d259a32bc4f1fea3b90
- SSDEEP
  
  192:w1YCCf214wpenCk59zcntnonzcE6LChVg+D0SDs/:w/Cf214UenCkncntnonzcE6kVgmRs/
Score

10^/10

execution zgrat agilenet rat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Detects executables packed with Agile.NET / CliSecure
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

zgratagilenetexecutionrat

© 2018-2024

Terms | Privacy