zgrat | 4195dfa9caf444d8989a704eb6fac07dc7caff143ef054597652e1886eeebede

General

Target

ae3d900e61024edd1664373cfecbbbf3.exe
Size

3.0MB
MD5

ae3d900e61024edd1664373cfecbbbf3
SHA1

59ad6451b70817e53c43d5b5647339b4fec152db
SHA256

4195dfa9caf444d8989a704eb6fac07dc7caff143ef054597652e1886eeebede
SHA512

8cf15761068498c2135f684f45383edab082927aa83cfc8b979ad70412cc80be0b5ac4ee20b86a234b77f6b6f86aea22472dfc7daa3c5deab1ad528a6bc26fde
SSDEEP

49152:rDbJcqrhOIqdoRpj8+tlw+3klfvT4FVYAmIpUtm8eW:rDzhhqoPtlwIkh2VY3IpVVW

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4860-2-0x0000000005140000-0x0000000005392000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-8-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-4-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-10-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-50-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-52-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-60-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-58-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-56-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-54-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-46-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-38-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-34-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-32-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-29-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-24-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-48-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-44-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-42-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-40-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-36-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-30-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-26-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-22-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-20-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-16-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-14-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-12-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-6-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-18-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-3-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-62-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-66-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-64-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4968-4790-0x0000000005640000-0x000000000571A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ae3d900e61024edd1664373cfecbbbf3.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Irzsp = "C:\\Users\\Admin\\AppData\\Roaming\\Irzsp.exe"	ae3d900e61024edd1664373cfecbbbf3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ae3d900e61024edd1664373cfecbbbf3 = "C:\\Users\\Admin\\AppData\\Roaming\\ae3d900e61024edd1664373cfecbbbf3.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ae3d900e61024edd1664373cfecbbbf3.exe

description pid process target process

PID 4860 set thread context of 4968 4860 ae3d900e61024edd1664373cfecbbbf3.exe ae3d900e61024edd1664373cfecbbbf3.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

5504 powershell.exe
5504 powershell.exe

description	pid	process	target process
PID 4860 set thread context of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	ae3d900e61024edd1664373cfecbbbf3.exe

pid	process
5504	powershell.exe
5504	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ae3d900e61024edd1664373cfecbbbf3.exeae3d900e61024edd1664373cfecbbbf3.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4860	ae3d900e61024edd1664373cfecbbbf3.exe
Token: SeDebugPrivilege	4968	ae3d900e61024edd1664373cfecbbbf3.exe
Token: SeDebugPrivilege	5504	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ae3d900e61024edd1664373cfecbbbf3.exeae3d900e61024edd1664373cfecbbbf3.exe

description	pid	process	target process
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	ae3d900e61024edd1664373cfecbbbf3.exe
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	ae3d900e61024edd1664373cfecbbbf3.exe
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	ae3d900e61024edd1664373cfecbbbf3.exe
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	ae3d900e61024edd1664373cfecbbbf3.exe
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	ae3d900e61024edd1664373cfecbbbf3.exe
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	ae3d900e61024edd1664373cfecbbbf3.exe
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	ae3d900e61024edd1664373cfecbbbf3.exe
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	ae3d900e61024edd1664373cfecbbbf3.exe
PID 4968 wrote to memory of 5504	4968	ae3d900e61024edd1664373cfecbbbf3.exe	powershell.exe
PID 4968 wrote to memory of 5504	4968	ae3d900e61024edd1664373cfecbbbf3.exe	powershell.exe
PID 4968 wrote to memory of 5504	4968	ae3d900e61024edd1664373cfecbbbf3.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ae3d900e61024edd1664373cfecbbbf3.exe
"C:\Users\Admin\AppData\Local\Temp\ae3d900e61024edd1664373cfecbbbf3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Users\Admin\AppData\Local\Temp\ae3d900e61024edd1664373cfecbbbf3.exe
C:\Users\Admin\AppData\Local\Temp\ae3d900e61024edd1664373cfecbbbf3.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'ae3d900e61024edd1664373cfecbbbf3';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'ae3d900e61024edd1664373cfecbbbf3' -Value '"C:\Users\Admin\AppData\Roaming\ae3d900e61024edd1664373cfecbbbf3.exe"' -PropertyType 'String'
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ae3d900e61024edd1664373cfecbbbf3.exe.log
Filesize
927B

MD5
ef1b4e3bfd6facbbb8d6a12f5f5e32de

SHA1
8f3ef66bf86f1697c520303c78b11d58165d146f

SHA256
c652040e1a2f251b1b9e69419d6a53a91e850ea48491b3c54c2ff4a4a2907cd1

SHA512
b6329c2a18217008c5e3544313cd1c7135468c5fb45e5104b9fa2f55a1f14804e66b6b9afcaa8e813cb522f536c06dba32f3afd469c4958a7c57d7df4c0e7315

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idne4j5u.jpf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4860-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

Filesize
4KB

Download
memory/4860-1-0x0000000000320000-0x0000000000624000-memory.dmp

Filesize
3.0MB

Download
memory/4860-2-0x0000000005140000-0x0000000005392000-memory.dmp

Filesize
2.3MB

Download
memory/4860-8-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-4-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-10-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-50-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-52-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-60-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-58-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-56-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-54-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-46-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-38-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-34-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-32-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-29-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-24-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-48-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-44-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-42-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-40-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-36-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-30-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-26-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-22-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-20-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-16-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-14-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-12-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-6-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-18-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-3-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-62-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-66-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-64-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-4780-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4860-4779-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4860-4781-0x00000000055E0000-0x000000000567A000-memory.dmp

Filesize
616KB

Download
memory/4860-4782-0x00000000053E0000-0x000000000542C000-memory.dmp

Filesize
304KB

Download
memory/4860-4783-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/4860-4789-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4968-4788-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4968-4790-0x0000000005640000-0x000000000571A000-memory.dmp

Filesize
872KB

Download
memory/4968-5042-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4968-4890-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4968-10935-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/4968-10962-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/5504-10937-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/5504-10938-0x0000000005710000-0x0000000005D38000-memory.dmp

Filesize
6.2MB

Download
memory/5504-10936-0x0000000002C00000-0x0000000002C36000-memory.dmp

Filesize
216KB

Download
memory/5504-10939-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/5504-10940-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/5504-10951-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/5504-10950-0x0000000006050000-0x00000000063A4000-memory.dmp

Filesize
3.3MB

Download
memory/5504-10952-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/5504-10954-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/5504-10953-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/5504-10956-0x00000000074E0000-0x0000000007576000-memory.dmp

Filesize
600KB

Download
memory/5504-10957-0x00000000069F0000-0x0000000006A0A000-memory.dmp

Filesize
104KB

Download
memory/5504-10958-0x0000000006A40000-0x0000000006A62000-memory.dmp

Filesize
136KB

Download
memory/5504-10961-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads