zgrat | da628a12427eaf7ade463bf0fa497a3153deed4aded462f3a58e93ba2288f35c | Triage

Submit
Reports

Overview

overview

Static

static

1

8bp line cheto.rar

windows7-x64

8bp line cheto.rar

windows10-2004-x64

3

Sharing

General

Target

8bp line cheto.rar
Size

2.4MB
Sample

240514-lqk79sba94
MD5

b56819fd25d445b1496395660c706dc0
SHA1

787c59e095cb10589a8f6480a1f8ffee30c5cb8f
SHA256

da628a12427eaf7ade463bf0fa497a3153deed4aded462f3a58e93ba2288f35c
SHA512

c9b6f26fa00c314660341e43a1df32d2a67faff6fc3e00976a5231cb82afded4a88b4ee9dab9771ee3bbab27beb0b545caf2f2c2462ca928047b55a9c2df371a
SSDEEP

49152:xUSIhr4gqAqn0Jj3GOdcdp7XTFbE3Y8QaToR/22rzlS4HLlH0JMYtm6b8l:xRIF4Sqn0blyjjF4PQ/2GzlfqJD78l

Score

10^/10

zgrat evasion execution persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

8bp line cheto.rar

Resource

win7-20240220-en

zgrat evasion execution persistence rat spyware stealer

windows7-x64

27 signatures

150 seconds

Behavioral task

behavioral2

Sample

8bp line cheto.rar

Resource

win10v2004-20240508-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Targets

- Target
  
  8bp line cheto.rar
- Size
  
  2.4MB
- MD5
  
  b56819fd25d445b1496395660c706dc0
- SHA1
  
  787c59e095cb10589a8f6480a1f8ffee30c5cb8f
- SHA256
  
  da628a12427eaf7ade463bf0fa497a3153deed4aded462f3a58e93ba2288f35c
- SHA512
  
  c9b6f26fa00c314660341e43a1df32d2a67faff6fc3e00976a5231cb82afded4a88b4ee9dab9771ee3bbab27beb0b545caf2f2c2462ca928047b55a9c2df371a
- SSDEEP
  
  49152:xUSIhr4gqAqn0Jj3GOdcdp7XTFbE3Y8QaToR/22rzlS4HLlH0JMYtm6b8l:xRIF4Sqn0blyjjF4PQ/2GzlfqJD78l
Score

10^/10

zgrat evasion execution persistence rat spyware stealer
- Detect ZGRat V1
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Remote System Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

behavioral1

zgratevasionexecutionpersistenceratspywarestealer

behavioral2

© 2018-2024

Terms | Privacy