zgrat | b37366aca9ab7a613177c8f3d645d82118eecbe400d740a9cb6607c0988ca2ee

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b37366aca9ab7a613177c8f3d645d82118eecbe400d740a9cb6607c0988ca2ee.exe
Size

1.2MB
MD5

e07f60f17877835bbb17988791d7ce0b
SHA1

f66a444933ee913449c3e6bb1b3574d6f431fce6
SHA256

b37366aca9ab7a613177c8f3d645d82118eecbe400d740a9cb6607c0988ca2ee
SHA512

8a4fb23fb78d26703cfb719ebe7d556633b054ffe9fb327f60d7c0c8083afa2d2216460659c7cc23d5372d8611974344a46bc50b88bb3aa54b987f9d134b69f1
SSDEEP

24576:LaJd9N11Fk1VM+q2fv3BrUIQxgcEQXwBNtr+:WzkPMYv3Br6ZDStC

Score

10^/10

zgrat discovery rat

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral1/memory/1668-5-0x0000000004A00000-0x0000000004AE0000-memory.dmp	family_zgrat_v2

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Zgrat family
zgrat

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2628	1668	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b37366aca9ab7a613177c8f3d645d82118eecbe400d740a9cb6607c0988ca2ee.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2628	1668	b37366aca9ab7a613177c8f3d645d82118eecbe400d740a9cb6607c0988ca2ee.exe	31
PID 1668 wrote to memory of 2628	1668	b37366aca9ab7a613177c8f3d645d82118eecbe400d740a9cb6607c0988ca2ee.exe	31
PID 1668 wrote to memory of 2628	1668	b37366aca9ab7a613177c8f3d645d82118eecbe400d740a9cb6607c0988ca2ee.exe	31
PID 1668 wrote to memory of 2628	1668	b37366aca9ab7a613177c8f3d645d82118eecbe400d740a9cb6607c0988ca2ee.exe	31

C:\Users\Admin\AppData\Local\Temp\b37366aca9ab7a613177c8f3d645d82118eecbe400d740a9cb6607c0988ca2ee.exe
"C:\Users\Admin\AppData\Local\Temp\b37366aca9ab7a613177c8f3d645d82118eecbe400d740a9cb6607c0988ca2ee.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 852
  2⤵
  - Program crash
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-0-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/1668-1-0x0000000001120000-0x0000000001256000-memory.dmp

Filesize
1.2MB

Download
memory/1668-2-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-4-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1668-3-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1668-5-0x0000000004A00000-0x0000000004AE0000-memory.dmp

Filesize
896KB

Download
memory/1668-6-0x0000000004B30000-0x0000000004BDA000-memory.dmp

Filesize
680KB

Download
memory/1668-7-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download