zgrat | 4195dfa9caf444d8989a704eb6fac07dc7caff143ef054597652e1886eeebede

Analysis

max time kernel
95s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae3d900e61024edd1664373cfecbbbf3.exe
Size

3.0MB
MD5

ae3d900e61024edd1664373cfecbbbf3
SHA1

59ad6451b70817e53c43d5b5647339b4fec152db
SHA256

4195dfa9caf444d8989a704eb6fac07dc7caff143ef054597652e1886eeebede
SHA512

8cf15761068498c2135f684f45383edab082927aa83cfc8b979ad70412cc80be0b5ac4ee20b86a234b77f6b6f86aea22472dfc7daa3c5deab1ad528a6bc26fde
SSDEEP

49152:rDbJcqrhOIqdoRpj8+tlw+3klfvT4FVYAmIpUtm8eW:rDzhhqoPtlwIkh2VY3IpVVW

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

resource	yara_rule
behavioral2/memory/4860-2-0x0000000005140000-0x0000000005392000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-8-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-4-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-10-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-50-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-52-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-60-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-58-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-56-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-54-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-46-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-38-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-34-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-32-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-29-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-24-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-48-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-44-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-42-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-40-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-36-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-30-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-26-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-22-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-20-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-16-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-14-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-12-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-6-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-18-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-3-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-62-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-66-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4860-64-0x0000000005140000-0x000000000538C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4968-4790-0x0000000005640000-0x000000000571A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Irzsp = "C:\\Users\\Admin\\AppData\\Roaming\\Irzsp.exe"	ae3d900e61024edd1664373cfecbbbf3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ae3d900e61024edd1664373cfecbbbf3 = "C:\\Users\\Admin\\AppData\\Roaming\\ae3d900e61024edd1664373cfecbbbf3.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4860 set thread context of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5504	powershell.exe
5504	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	ae3d900e61024edd1664373cfecbbbf3.exe
Token: SeDebugPrivilege	4968	ae3d900e61024edd1664373cfecbbbf3.exe
Token: SeDebugPrivilege	5504	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	85
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	85
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	85
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	85
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	85
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	85
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	85
PID 4860 wrote to memory of 4968	4860	ae3d900e61024edd1664373cfecbbbf3.exe	85
PID 4968 wrote to memory of 5504	4968	ae3d900e61024edd1664373cfecbbbf3.exe	91
PID 4968 wrote to memory of 5504	4968	ae3d900e61024edd1664373cfecbbbf3.exe	91
PID 4968 wrote to memory of 5504	4968	ae3d900e61024edd1664373cfecbbbf3.exe	91

C:\Users\Admin\AppData\Local\Temp\ae3d900e61024edd1664373cfecbbbf3.exe
"C:\Users\Admin\AppData\Local\Temp\ae3d900e61024edd1664373cfecbbbf3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Local\Temp\ae3d900e61024edd1664373cfecbbbf3.exe
  C:\Users\Admin\AppData\Local\Temp\ae3d900e61024edd1664373cfecbbbf3.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'ae3d900e61024edd1664373cfecbbbf3';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'ae3d900e61024edd1664373cfecbbbf3' -Value '"C:\Users\Admin\AppData\Roaming\ae3d900e61024edd1664373cfecbbbf3.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ae3d900e61024edd1664373cfecbbbf3.exe.log

Filesize
927B

MD5
ef1b4e3bfd6facbbb8d6a12f5f5e32de

SHA1
8f3ef66bf86f1697c520303c78b11d58165d146f

SHA256
c652040e1a2f251b1b9e69419d6a53a91e850ea48491b3c54c2ff4a4a2907cd1

SHA512
b6329c2a18217008c5e3544313cd1c7135468c5fb45e5104b9fa2f55a1f14804e66b6b9afcaa8e813cb522f536c06dba32f3afd469c4958a7c57d7df4c0e7315

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idne4j5u.jpf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4860-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

Filesize
4KB

Download
memory/4860-1-0x0000000000320000-0x0000000000624000-memory.dmp

Filesize
3.0MB

Download
memory/4860-2-0x0000000005140000-0x0000000005392000-memory.dmp

Filesize
2.3MB

Download
memory/4860-8-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-4-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-10-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-50-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-52-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-60-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-58-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-56-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-54-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-46-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-38-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-34-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-32-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-29-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-24-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-48-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-44-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-42-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-40-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-36-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-30-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-26-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-22-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-20-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-16-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-14-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-12-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-6-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-18-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-3-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-62-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-66-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-64-0x0000000005140000-0x000000000538C000-memory.dmp

Filesize
2.3MB

Download
memory/4860-4780-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4860-4779-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4860-4781-0x00000000055E0000-0x000000000567A000-memory.dmp

Filesize
616KB

Download
memory/4860-4782-0x00000000053E0000-0x000000000542C000-memory.dmp

Filesize
304KB

Download
memory/4860-4783-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/4860-4789-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4968-4788-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4968-4790-0x0000000005640000-0x000000000571A000-memory.dmp

Filesize
872KB

Download
memory/4968-5042-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4968-4890-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4968-10935-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/4968-10962-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/5504-10937-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/5504-10938-0x0000000005710000-0x0000000005D38000-memory.dmp

Filesize
6.2MB

Download
memory/5504-10936-0x0000000002C00000-0x0000000002C36000-memory.dmp

Filesize
216KB

Download
memory/5504-10939-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/5504-10940-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/5504-10951-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/5504-10950-0x0000000006050000-0x00000000063A4000-memory.dmp

Filesize
3.3MB

Download
memory/5504-10952-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/5504-10954-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/5504-10953-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/5504-10956-0x00000000074E0000-0x0000000007576000-memory.dmp

Filesize
600KB

Download
memory/5504-10957-0x00000000069F0000-0x0000000006A0A000-memory.dmp

Filesize
104KB

Download
memory/5504-10958-0x0000000006A40000-0x0000000006A62000-memory.dmp

Filesize
136KB

Download
memory/5504-10961-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download