zgrat | d5898de95b6043b5b8297cc70ab57b8c5f9108522427613d72ae6a535fdce603

Analysis

max time kernel
14s
max time network
6s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250313-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250313-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
26/03/2025, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

16.1MB
MD5

c22a5f16e633b070f821498f180ab0cc
SHA1

c1c9ede5381a453c1407c2054fc6257add2ac0d3
SHA256

57a1106223ddd9f1cd1668e1ceb67d909859fd024c1cd97d3a67cef203313341
SHA512

ff8cd898824da7026220eaf8e89ddeff6477087679fc7c97778a34b612ab917013c00ccc487efc07801cb8ccd359389a2170a323586ed69f896b2e3c267a893a
SSDEEP

196608:3rmOg8g5aoZnyFd36mwSv4Z0ZX+3NFaAMROyGoi:aOg8zcs37wQ4zvaAMROyi

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000280ee-51.dat	family_zgrat_v2

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Zgrat family
zgrat

Loads dropped DLL 9 IoCs

pid	Process
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe
4996	Loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	Loader.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4996	Loader.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\FontAwesome.WPF.dll

Filesize
226KB

MD5
66501f5dbed9b40e14a5c0b0b03ae78b

SHA1
8c9875a3483e65c58a1541207a82daa45bf8307f

SHA256
f20aaff3d82e364e977318ee240c89dd07a8141355121eb5e97b9b8f7b020c1a

SHA512
e5a78931152ad0e3134d67b15ba5737aedfb61feff0057b0ef3194de9c88db2a4af7193967e9243669b95993fe94d6655516c8fd97edc4601c5a7afb8703047b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\FontAwesome5.dll

Filesize
2.6MB

MD5
bdd708f3a7753195c220651941dbe4d0

SHA1
7f71963682b857e1e8ff0298912c76b31b38d9f7

SHA256
9dff7a9f454a25344082517ffce07683e30d7c1fa86547f8d42c21018f04996b

SHA512
c30b564a5f6994856c96fb78cce94dd5eb02cb5054be1b8cb27f51a3d745e762990dfa8c2f60e95da65159f2c04cd387668b22b516a09b8b8e69c44795344f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\Loader.dll

Filesize
1.1MB

MD5
60393a6d8b4e1bfc4ed104eb894dc35f

SHA1
87f4263b4691dec34e67f6b3c937c63ae235192a

SHA256
2ba8a24385b3bb4d8f7220d26f5b91f18877211e32ed09a62fe5233dd4fb2b99

SHA512
de3cbbeccc48246a10d46a6bf3ad81065e44376c3391a306ef0968c33918650fa2c1c74c299b66694fcf7c34bc851b50125b60b43dbad46cc95a8ddb77eb84a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\Newtonsoft.Json.dll

Filesize
1.8MB

MD5
934c9419682f91ce2f5f4b2526cecd1a

SHA1
3ece312bf538640a76b72d2bc7d54b66f72e954e

SHA256
c4565d69cbf8931ff6f136d073cf6d6bbaae54cbe2e82f37bff3b9a221fb624f

SHA512
55256ed0143d60d2910643a25e529a92842e040c549d78a967e8ba66ae3651c5b0d6d1287fa0f2beb892e8b24653df78eb2d272bb91e6e942e27c4be7da17948

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\Notification.Wpf.dll

Filesize
281KB

MD5
596e13bd62a5d6ef2cd1ae6ed3d584d5

SHA1
093587ee7f71226de2c1920f65422ac5c64d49d5

SHA256
e8918f570138bc5bc014035f8e3ab11111c198c4ecfb1922a35c0b5fa3d1092a

SHA512
7d3ccf738147da6d5add1a179319d10359796ea0dae419ba37fc9dcdb563fafba5a86b575920db44f5fd665f0821ca22e8dd237608f3b7c0d36a837e127276b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\SharpVectors.Converters.Wpf.dll

Filesize
435KB

MD5
04d978188a0c5dea787a8d35a4a28b46

SHA1
060164442866c31681a5881c22732f815d250bee

SHA256
c90a1c5bfcba33c2854c7b6cc33fb0f2787f3f60409d84225b63c097db58afed

SHA512
50dd5fe3cc8031a0bb2989eb2721eb0e6fe7e6594dba876e3f4c450113dd1de6e8e67cf8520e2fe1f033add916180c31190ea67808832852808aa7988f2f50b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\SharpVectors.Core.dll

Filesize
228KB

MD5
24e4a82b8b76f93cde484c27679a7b61

SHA1
d4aba9925ce9e24ff966b995ed80811781a939a0

SHA256
f500b4d5330481a5f429bd1842da767235faca34e9da482ce4d2e547424a638d

SHA512
61196a0c29a65e1aa41207d928626e8e881b58de96f478a6987d048a5cededf52734f1b454d56ea9cbb3e67fa0e5a8cdd4d0c91b079bbba9d5eb0ace45ea7f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\SharpVectors.Runtime.Wpf.dll

Filesize
161KB

MD5
8f7c2a6a38ac5fcb40f3d704bdcd9d11

SHA1
d9ffbe302ad1e80c9587f173a6539b70a498fc1f

SHA256
64aa06b9b343d9ef7400945435af3ea90fdce7a9a799f41cddea88076e9f5a6e

SHA512
11995277bb4c730f749547748a9f38782d2ce99694b3cd27701714042655142eafd5fbdbdd70f9516ec06b31ac78a6804a2b158347c86aabd2cbb4cd24b72d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\WpfPageTransitions.dll

Filesize
24KB

MD5
81be18f1e16fd28d7c51b3aadad55356

SHA1
393845c5638dd8d47d38d3a11f87dd0779c55f1c

SHA256
52390c772c746ed61a771d61c2a4eec19086f8616bb66c75130319282fad842c

SHA512
68e7fcef087947078a42e9387f860ce4003dbf4f55e270aa9010e002baf0780ca9e566d015a5c9fb9a2aeec8f06ccedbd0fb0aff964b02c378cfbe372c7fbafd

Download Submit
memory/4996-50-0x00007FFFEAF7B000-0x00007FFFEAF7C000-memory.dmp

Filesize
4KB

Download