zgrat | 94c8fb631f919bd52d1d4341311325510d33aee6e976a75c940a38d88a4b7757

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 15:07

Target

1.exe
Size

725KB
MD5

a52ce5b525413f39401a3416dd8e2de2
SHA1

148e4b6b2b2904d736fc9442ff1f6309edc40023
SHA256

94c8fb631f919bd52d1d4341311325510d33aee6e976a75c940a38d88a4b7757
SHA512

52616053550e5f26a62d1260a850e8bfbf10e9484ba776b2b808040021e0d944b23e77e64273bd7485eb9662fe057ea41a369a873e7b2f0e90b62daf1b5ac88b
SSDEEP

12288:O+O4diU6/GC4sVniwgco34nYN/MghT4rxj+TTM45P0coq/ZrUGv1L:O+seunM4Y9feBB9q+G

Score

10^/10

Detect ZGRat V1 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2428-1-0x0000000000840000-0x00000000008FC000-memory.dmp family_zgrat_v1
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

1.exe

description pid process target process

PID 2428 set thread context of 2068 2428 1.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1.exe

pid process

2428 1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1.exe

description pid process

Token: SeDebugPrivilege 2428 1.exe

resource	yara_rule
behavioral1/memory/2428-1-0x0000000000840000-0x00000000008FC000-memory.dmp	family_zgrat_v1

description	pid	process	target process
PID 2428 set thread context of 2068	2428	1.exe	AddInProcess32.exe

pid	process
2428	1.exe

description	pid	process
Token: SeDebugPrivilege	2428	1.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

1.exe

description	pid	process	target process
PID 2428 wrote to memory of 2068	2428	1.exe	AddInProcess32.exe
PID 2428 wrote to memory of 2068	2428	1.exe	AddInProcess32.exe
PID 2428 wrote to memory of 2068	2428	1.exe	AddInProcess32.exe
PID 2428 wrote to memory of 2068	2428	1.exe	AddInProcess32.exe
PID 2428 wrote to memory of 2068	2428	1.exe	AddInProcess32.exe
PID 2428 wrote to memory of 2068	2428	1.exe	AddInProcess32.exe
PID 2428 wrote to memory of 2068	2428	1.exe	AddInProcess32.exe
PID 2428 wrote to memory of 2068	2428	1.exe	AddInProcess32.exe
PID 2428 wrote to memory of 2068	2428	1.exe	AddInProcess32.exe
PID 2428 wrote to memory of 2068	2428	1.exe	AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
#cmd
2⤵
PID:2068

memory/2068-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2068-11-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2068-5-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2068-7-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2068-9-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2068-13-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2068-19-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2068-17-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2068-20-0x0000000000401000-0x000000000043D000-memory.dmp

Filesize
240KB

Download
memory/2428-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

Filesize
4KB

Download
memory/2428-1-0x0000000000840000-0x00000000008FC000-memory.dmp

Filesize
752KB

Download
memory/2428-4-0x0000000004160000-0x00000000041B4000-memory.dmp

Filesize
336KB

Download
memory/2428-3-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-2-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-21-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download