zgrat | f307af4877d45dc41d3a23298b34fc4d19e2f312fa802810709b52161687b1a0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

16.0MB
MD5

764dff2ef44e85434f51b3b0a979ae5a
SHA1

abe572b6cfeebf7733348115cf9c829736e2d4bc
SHA256

f307af4877d45dc41d3a23298b34fc4d19e2f312fa802810709b52161687b1a0
SHA512

417b99de4812062729895ef289b398d2371d5b560d2c8b35f96ac5c9dc2bad7f819d1163c48c10ce27cc42758d047c599629a4b9e8c65ee71399dd226ceb7668
SSDEEP

196608:3JmOg8g5aoZnyFd36mwSv4Z0ZX+3NFaAMROyOIX:AOg8zcs37wQ4zvaAMROyRX

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c94-51.dat	family_zgrat_v2

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Zgrat family
zgrat

Loads dropped DLL 9 IoCs

pid	Process
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe
1504	Loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	Loader.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.net\Loader\zTTKw+2y0oofk48BZT2pPrcIJNJq1mc=\FontAwesome.WPF.dll

Filesize
226KB

MD5
66501f5dbed9b40e14a5c0b0b03ae78b

SHA1
8c9875a3483e65c58a1541207a82daa45bf8307f

SHA256
f20aaff3d82e364e977318ee240c89dd07a8141355121eb5e97b9b8f7b020c1a

SHA512
e5a78931152ad0e3134d67b15ba5737aedfb61feff0057b0ef3194de9c88db2a4af7193967e9243669b95993fe94d6655516c8fd97edc4601c5a7afb8703047b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\zTTKw+2y0oofk48BZT2pPrcIJNJq1mc=\FontAwesome5.dll

Filesize
2.6MB

MD5
bdd708f3a7753195c220651941dbe4d0

SHA1
7f71963682b857e1e8ff0298912c76b31b38d9f7

SHA256
9dff7a9f454a25344082517ffce07683e30d7c1fa86547f8d42c21018f04996b

SHA512
c30b564a5f6994856c96fb78cce94dd5eb02cb5054be1b8cb27f51a3d745e762990dfa8c2f60e95da65159f2c04cd387668b22b516a09b8b8e69c44795344f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\zTTKw+2y0oofk48BZT2pPrcIJNJq1mc=\Loader.dll

Filesize
1.1MB

MD5
a12d2d5260e77b82060c1c71b9dbb288

SHA1
86f46345885dffe3b2deb885fe7509931138e545

SHA256
fbfbc4d48bff25918dbaf3c7120aedd31fb50999cb7b40064e197af042bf0ac1

SHA512
ffd77054bf5839b9b7272b7f50a2a378d02cd7670f3933cd9f95c985b474ac662c28efa344bc610be4acee9c520897101ab3b4861dc5406304b0ba74aa062776

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\zTTKw+2y0oofk48BZT2pPrcIJNJq1mc=\Newtonsoft.Json.dll

Filesize
1.8MB

MD5
934c9419682f91ce2f5f4b2526cecd1a

SHA1
3ece312bf538640a76b72d2bc7d54b66f72e954e

SHA256
c4565d69cbf8931ff6f136d073cf6d6bbaae54cbe2e82f37bff3b9a221fb624f

SHA512
55256ed0143d60d2910643a25e529a92842e040c549d78a967e8ba66ae3651c5b0d6d1287fa0f2beb892e8b24653df78eb2d272bb91e6e942e27c4be7da17948

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\zTTKw+2y0oofk48BZT2pPrcIJNJq1mc=\Notification.Wpf.dll

Filesize
281KB

MD5
596e13bd62a5d6ef2cd1ae6ed3d584d5

SHA1
093587ee7f71226de2c1920f65422ac5c64d49d5

SHA256
e8918f570138bc5bc014035f8e3ab11111c198c4ecfb1922a35c0b5fa3d1092a

SHA512
7d3ccf738147da6d5add1a179319d10359796ea0dae419ba37fc9dcdb563fafba5a86b575920db44f5fd665f0821ca22e8dd237608f3b7c0d36a837e127276b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\zTTKw+2y0oofk48BZT2pPrcIJNJq1mc=\SharpVectors.Converters.Wpf.dll

Filesize
435KB

MD5
04d978188a0c5dea787a8d35a4a28b46

SHA1
060164442866c31681a5881c22732f815d250bee

SHA256
c90a1c5bfcba33c2854c7b6cc33fb0f2787f3f60409d84225b63c097db58afed

SHA512
50dd5fe3cc8031a0bb2989eb2721eb0e6fe7e6594dba876e3f4c450113dd1de6e8e67cf8520e2fe1f033add916180c31190ea67808832852808aa7988f2f50b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\zTTKw+2y0oofk48BZT2pPrcIJNJq1mc=\SharpVectors.Core.dll

Filesize
228KB

MD5
24e4a82b8b76f93cde484c27679a7b61

SHA1
d4aba9925ce9e24ff966b995ed80811781a939a0

SHA256
f500b4d5330481a5f429bd1842da767235faca34e9da482ce4d2e547424a638d

SHA512
61196a0c29a65e1aa41207d928626e8e881b58de96f478a6987d048a5cededf52734f1b454d56ea9cbb3e67fa0e5a8cdd4d0c91b079bbba9d5eb0ace45ea7f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\zTTKw+2y0oofk48BZT2pPrcIJNJq1mc=\SharpVectors.Runtime.Wpf.dll

Filesize
161KB

MD5
8f7c2a6a38ac5fcb40f3d704bdcd9d11

SHA1
d9ffbe302ad1e80c9587f173a6539b70a498fc1f

SHA256
64aa06b9b343d9ef7400945435af3ea90fdce7a9a799f41cddea88076e9f5a6e

SHA512
11995277bb4c730f749547748a9f38782d2ce99694b3cd27701714042655142eafd5fbdbdd70f9516ec06b31ac78a6804a2b158347c86aabd2cbb4cd24b72d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\zTTKw+2y0oofk48BZT2pPrcIJNJq1mc=\WpfPageTransitions.dll

Filesize
24KB

MD5
81be18f1e16fd28d7c51b3aadad55356

SHA1
393845c5638dd8d47d38d3a11f87dd0779c55f1c

SHA256
52390c772c746ed61a771d61c2a4eec19086f8616bb66c75130319282fad842c

SHA512
68e7fcef087947078a42e9387f860ce4003dbf4f55e270aa9010e002baf0780ca9e566d015a5c9fb9a2aeec8f06ccedbd0fb0aff964b02c378cfbe372c7fbafd

Download Submit
memory/1504-50-0x00007FFF065CB000-0x00007FFF065CC000-memory.dmp

Filesize
4KB

Download
memory/1504-69-0x00007FFF065CB000-0x00007FFF065CC000-memory.dmp

Filesize
4KB

Download