zgrat | 9d7d0bf89ec473e919eb4c8de51b48f90e5afdc94fd99c09f94863f78086c432 | Triage

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 13:34

Sharing

Report Analysis Logs

General

Target

file.exe
Size

3.7MB
MD5

e77976974a972c65cb25253540f47991
SHA1

186cc8aecf6d842617847664b7749cfa51a6670d
SHA256

9d7d0bf89ec473e919eb4c8de51b48f90e5afdc94fd99c09f94863f78086c432
SHA512

ee4e679e948e8d42a704df0e1dca106056da65c48e7ca97aec5c5c0720569be78027e72c57773f16b6bc1cbd1ba2cb0a04238c19e3116af7176f73bd8c9ecb17
SSDEEP

98304:QaSNSfTz9wabjIKXScmmZ6n205zg1FNd:QaSNSfTzCafV0Ay205E1F

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1904-1-0x0000000001340000-0x00000000016F8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/1904-1-0x0000000001340000-0x00000000016F8000-memory.dmp	net_reactor

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2896 1904 WerFault.exe file.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

file.exe

description	pid	process	target process
PID 1904 wrote to memory of 2896	1904	file.exe	WerFault.exe
PID 1904 wrote to memory of 2896	1904	file.exe	WerFault.exe
PID 1904 wrote to memory of 2896	1904	file.exe	WerFault.exe
PID 1904 wrote to memory of 2896	1904	file.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 556
  2⤵
  - Program crash
  PID:2896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1904-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/1904-1-0x0000000001340000-0x00000000016F8000-memory.dmp

Filesize
3.7MB

Download