zgrat

General

Target

https://cdn.discordapp.com/attachments/1234488074650517647/1239037173655797860/Solara_Updater.exe?ex=664419ca&is=6642c84a&hm=92b335a2c826cb9e50e90c4fa1d356a618e67acd8c9d421409f4f51996b5030d&
Sample

240514-qq1eeahc99

Score

10^/10

Malware Config

Targets

- Target
  
  https://cdn.discordapp.com/attachments/1234488074650517647/1239037173655797860/Solara_Updater.exe?ex=664419ca&is=6642c84a&hm=92b335a2c826cb9e50e90c4fa1d356a618e67acd8c9d421409f4f51996b5030d&
Score

10^/10

zgrat adware discovery evasion persistence rat spyware stealer trojan
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Legitimate hosting services abused for malware hosting/C2
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1