zgrat | 4a299f5b0de81d51e75d45e9b49e830e4230346329d9ed15197ddf1ac2853644

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15052024_1252_windows.exe
Size

4.5MB
MD5

ef0124f238734460752a0de9e85501bc
SHA1

8dcbd7b8c753329ffc4a68a4bac8c3ab5ba62dfb
SHA256

4a299f5b0de81d51e75d45e9b49e830e4230346329d9ed15197ddf1ac2853644
SHA512

6aa0476b378bf34eb274ef2b62d8cb12f2c5014cae0e02a6ffea55e4c0fd009e07f8816b23bb6ad2ed57a0a8173668ae3c24f94bcecd131348c5347510fcac3c
SSDEEP

24576:Qlrjm7Kt49nF49dqHsuCF04Q/qqO4NcAU3AFje+4VF9KfhtvI71TQcJWIK6u:v

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1848-2-0x000000001C530000-0x000000001C76E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-6-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-3-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-8-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-14-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-16-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-20-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-22-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-24-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-28-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-34-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-38-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-40-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-36-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-32-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-30-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-26-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-18-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-12-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-10-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-4-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-42-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-44-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-46-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-54-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-62-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-56-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-66-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-64-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-60-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-58-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-52-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-50-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1
behavioral1/memory/1848-48-0x000000001C530000-0x000000001C767000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

15052024_1252_windows.exe

description pid process target process

PID 1848 set thread context of 1716 1848 15052024_1252_windows.exe 15052024_1252_windows.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

15052024_1252_windows.exe

description pid process

Token: SeDebugPrivilege 1848 15052024_1252_windows.exe
Token: SeDebugPrivilege 1848 15052024_1252_windows.exe

description	pid	process	target process
PID 1848 set thread context of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe

description	pid	process
Token: SeDebugPrivilege	1848	15052024_1252_windows.exe
Token: SeDebugPrivilege	1848	15052024_1252_windows.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

15052024_1252_windows.exe

description	pid	process	target process
PID 1848 wrote to memory of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe
PID 1848 wrote to memory of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe
PID 1848 wrote to memory of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe
PID 1848 wrote to memory of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe
PID 1848 wrote to memory of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe
PID 1848 wrote to memory of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe
PID 1848 wrote to memory of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe
PID 1848 wrote to memory of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe
PID 1848 wrote to memory of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe
PID 1848 wrote to memory of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe
PID 1848 wrote to memory of 1716	1848	15052024_1252_windows.exe	15052024_1252_windows.exe

C:\Users\Admin\AppData\Local\Temp\15052024_1252_windows.exe
"C:\Users\Admin\AppData\Local\Temp\15052024_1252_windows.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\15052024_1252_windows.exe
  "C:\Users\Admin\AppData\Local\Temp\15052024_1252_windows.exe"
  2⤵
  PID:1716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1716-4901-0x0000000140000000-0x000000014006B000-memory.dmp

Filesize
428KB

Download
memory/1716-4902-0x0000000140000000-0x000000014006B000-memory.dmp

Filesize
428KB

Download
memory/1848-4-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-8-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-3-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-42-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-14-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-16-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-20-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-22-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-24-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-28-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/1848-38-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-44-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-36-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-32-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-30-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-26-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-18-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-12-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-10-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-34-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-6-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-40-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-46-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-54-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-62-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-56-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-66-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-64-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-60-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-58-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-52-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-50-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-48-0x000000001C530000-0x000000001C767000-memory.dmp

Filesize
2.2MB

Download
memory/1848-4883-0x0000000000CC0000-0x0000000000D3A000-memory.dmp

Filesize
488KB

Download
memory/1848-4884-0x0000000000D60000-0x0000000000DAC000-memory.dmp

Filesize
304KB

Download
memory/1848-4885-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/1848-4886-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/1848-4887-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/1848-4888-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/1848-4889-0x0000000000DB0000-0x0000000000E04000-memory.dmp

Filesize
336KB

Download
memory/1848-2-0x000000001C530000-0x000000001C76E000-memory.dmp

Filesize
2.2MB

Download
memory/1848-4903-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/1848-1-0x0000000000110000-0x0000000000590000-memory.dmp

Filesize
4.5MB

Download