zgrat | d5898de95b6043b5b8297cc70ab57b8c5f9108522427613d72ae6a535fdce603

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

16.1MB
MD5

c22a5f16e633b070f821498f180ab0cc
SHA1

c1c9ede5381a453c1407c2054fc6257add2ac0d3
SHA256

57a1106223ddd9f1cd1668e1ceb67d909859fd024c1cd97d3a67cef203313341
SHA512

ff8cd898824da7026220eaf8e89ddeff6477087679fc7c97778a34b612ab917013c00ccc487efc07801cb8ccd359389a2170a323586ed69f896b2e3c267a893a
SSDEEP

196608:3rmOg8g5aoZnyFd36mwSv4Z0ZX+3NFaAMROyGoi:aOg8zcs37wQ4zvaAMROyi

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024283-51.dat	family_zgrat_v2

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Zgrat family
zgrat

Loads dropped DLL 9 IoCs

pid	Process
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe
3076	Loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	Loader.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\FontAwesome.WPF.dll

Filesize
226KB

MD5
66501f5dbed9b40e14a5c0b0b03ae78b

SHA1
8c9875a3483e65c58a1541207a82daa45bf8307f

SHA256
f20aaff3d82e364e977318ee240c89dd07a8141355121eb5e97b9b8f7b020c1a

SHA512
e5a78931152ad0e3134d67b15ba5737aedfb61feff0057b0ef3194de9c88db2a4af7193967e9243669b95993fe94d6655516c8fd97edc4601c5a7afb8703047b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\FontAwesome5.dll

Filesize
2.6MB

MD5
bdd708f3a7753195c220651941dbe4d0

SHA1
7f71963682b857e1e8ff0298912c76b31b38d9f7

SHA256
9dff7a9f454a25344082517ffce07683e30d7c1fa86547f8d42c21018f04996b

SHA512
c30b564a5f6994856c96fb78cce94dd5eb02cb5054be1b8cb27f51a3d745e762990dfa8c2f60e95da65159f2c04cd387668b22b516a09b8b8e69c44795344f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\Loader.dll

Filesize
1.1MB

MD5
60393a6d8b4e1bfc4ed104eb894dc35f

SHA1
87f4263b4691dec34e67f6b3c937c63ae235192a

SHA256
2ba8a24385b3bb4d8f7220d26f5b91f18877211e32ed09a62fe5233dd4fb2b99

SHA512
de3cbbeccc48246a10d46a6bf3ad81065e44376c3391a306ef0968c33918650fa2c1c74c299b66694fcf7c34bc851b50125b60b43dbad46cc95a8ddb77eb84a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\Newtonsoft.Json.dll

Filesize
1.8MB

MD5
934c9419682f91ce2f5f4b2526cecd1a

SHA1
3ece312bf538640a76b72d2bc7d54b66f72e954e

SHA256
c4565d69cbf8931ff6f136d073cf6d6bbaae54cbe2e82f37bff3b9a221fb624f

SHA512
55256ed0143d60d2910643a25e529a92842e040c549d78a967e8ba66ae3651c5b0d6d1287fa0f2beb892e8b24653df78eb2d272bb91e6e942e27c4be7da17948

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\Notification.Wpf.dll

Filesize
281KB

MD5
596e13bd62a5d6ef2cd1ae6ed3d584d5

SHA1
093587ee7f71226de2c1920f65422ac5c64d49d5

SHA256
e8918f570138bc5bc014035f8e3ab11111c198c4ecfb1922a35c0b5fa3d1092a

SHA512
7d3ccf738147da6d5add1a179319d10359796ea0dae419ba37fc9dcdb563fafba5a86b575920db44f5fd665f0821ca22e8dd237608f3b7c0d36a837e127276b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\SharpVectors.Converters.Wpf.dll

Filesize
435KB

MD5
04d978188a0c5dea787a8d35a4a28b46

SHA1
060164442866c31681a5881c22732f815d250bee

SHA256
c90a1c5bfcba33c2854c7b6cc33fb0f2787f3f60409d84225b63c097db58afed

SHA512
50dd5fe3cc8031a0bb2989eb2721eb0e6fe7e6594dba876e3f4c450113dd1de6e8e67cf8520e2fe1f033add916180c31190ea67808832852808aa7988f2f50b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\SharpVectors.Core.dll

Filesize
228KB

MD5
24e4a82b8b76f93cde484c27679a7b61

SHA1
d4aba9925ce9e24ff966b995ed80811781a939a0

SHA256
f500b4d5330481a5f429bd1842da767235faca34e9da482ce4d2e547424a638d

SHA512
61196a0c29a65e1aa41207d928626e8e881b58de96f478a6987d048a5cededf52734f1b454d56ea9cbb3e67fa0e5a8cdd4d0c91b079bbba9d5eb0ace45ea7f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\SharpVectors.Runtime.Wpf.dll

Filesize
161KB

MD5
8f7c2a6a38ac5fcb40f3d704bdcd9d11

SHA1
d9ffbe302ad1e80c9587f173a6539b70a498fc1f

SHA256
64aa06b9b343d9ef7400945435af3ea90fdce7a9a799f41cddea88076e9f5a6e

SHA512
11995277bb4c730f749547748a9f38782d2ce99694b3cd27701714042655142eafd5fbdbdd70f9516ec06b31ac78a6804a2b158347c86aabd2cbb4cd24b72d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Loader\_igkU61YKILm7m79SieABGltGhxkNq8=\WpfPageTransitions.dll

Filesize
24KB

MD5
81be18f1e16fd28d7c51b3aadad55356

SHA1
393845c5638dd8d47d38d3a11f87dd0779c55f1c

SHA256
52390c772c746ed61a771d61c2a4eec19086f8616bb66c75130319282fad842c

SHA512
68e7fcef087947078a42e9387f860ce4003dbf4f55e270aa9010e002baf0780ca9e566d015a5c9fb9a2aeec8f06ccedbd0fb0aff964b02c378cfbe372c7fbafd

Download Submit
memory/3076-50-0x00007FFDE5DFB000-0x00007FFDE5DFC000-memory.dmp

Filesize
4KB

Download
memory/3076-69-0x00007FFDE5DFB000-0x00007FFDE5DFC000-memory.dmp

Filesize
4KB

Download