Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

zgRAT

109
Global rank
94 infographic chevron month
Month rank
97 infographic chevron week
Week rank
0
IOCs

zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.

RAT
Type
Unknown
Origin
1 April, 2021
First seen
3 April, 2025
Last seen

How to analyze zgRAT with ANY.RUN

RAT
Type
Unknown
Origin
1 April, 2021
First seen
3 April, 2025
Last seen

IOCs

IP addresses
157.20.182.16
94.156.105.136
Domains
cornpop.cloudns.be
Last Seen at

Recent blog posts

post image
Release Notes: Android VM, Pre-Installed Dev...
watchers 155
comments 0
post image
How to Hunt and Investigate Linux Malware 
watchers 319
comments 0
post image
Salvador Stealer: New Android Malware That Ph...
watchers 3336
comments 0

What is zgRAT malware?

zgRAT, a remote access trojan (RAT), has been active in the cybersecurity landscape since its launch in 2021. This malware is designed to infect systems, collect sensitive data, and exfiltrate the stolen information to command-and-control (C2) servers.

zgRAT is primarily distributed through loader malware such as PrivateLoader and SmokeLoader, which act as delivery mechanisms for the RAT. Interestingly, researchers have noted that some samples of zgRAT can be mistaken for PureCrypter due to shared code elements.

With ANY.RUN’s Interactive Sandbox, we can safely execute a zgRAT malware and analyze its behavior on an actual live system.

zgRAT analysis inside ANY.RUN Sandbox Analysis of a malicious zgRAT process inside the ANY.RUN sandbox

As observed in this sandbox session, the threat dropped is immediately detected after attempting to gain foothold on the machine.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

zgRAT malware technical details

zgRAT is equipped with advanced capabilities to perform malicious activities on the infected machines, including:

  • Keylogging: zgRAT can record every keystroke, capturing information like usernames, passwords, and financial data, which is then sent to attackers.
  • Stealing of sensitive data: The malware scans infected systems for valuable information, including browser credentials, which it exfiltrates to C2 servers.
  • Dropping additional malware: zgRAT can download and install other malicious software, further compromising the security of the infected device.
  • Worm-like behavior: zgRAT can spread through USB drives, automatically executing and infecting new devices when connected.
  • Exfiltration via Telegram and Discord: The malware uses popular messaging platforms like Telegram and Discord for data exfiltration, bypassing traditional security measures and making detection more difficult.
  • Process Injection: zgRAT employs process injection to evade detection, injecting its malicious code into legitimate processes to operate stealthily and persist on infected systems.
  • Use of scripts: The malware utilizes scripts embedded in various file types to download its payload, making it easier to bypass security measures and gain a foothold on target devices.
  • Code obfuscation: zgRAT uses code obfuscation techniques to modify its code, making it harder for security software to analyze and identify, allowing it to remain undetected for longer periods.

Analysis of zgRAT Execution Process

Use ANY.RUN’s Interactive Sandbox to analyze malicious files and URLs. Check out this analysis of a zgRAT sample.

zgRAT analysis inside ANY.RUN Sandbox Analysis of a zgRAT sample inside the ANY.RUN sandbox

zgRAT is often spread through phishing emails containing malicious attachments like Windows Shortcut (LNK) files or Batch scripts (BAT). Opening these attachments triggers a script that drops additional payloads onto the system. The initial script may download and execute a malicious executable, continuing the infection process.

zgRAT analysis inside ANY.RUN Sandbox Process graph of a zgRAT execution chain demonstrated by the ANY.RUN sandbox

To evade detection, zgRAT uses obfuscation techniques such as packing, dynamic code generation, and XOR encryption. It also employs anti-tampering protections similar to ConfuserEx and loads extra DLLs to execute obfuscated methods. The malware complicates static analysis by making dynamic function calls via randomly named wrapper methods.

For persistence, zgRAT modifies registry entries or creates scheduled tasks to run automatically on startup. It creates mutexes to prevent multiple instances and communicates with a command and control (C2) server, allowing attackers to send commands and exfiltrate data. zgRAT can steal sensitive information through keylogging and screen capturing, and as a Remote Access Trojan (RAT), it enables remote control of infected machines, command execution, and file manipulation without user consent.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

zgRAT distribution methods

One of the most common techniques for distributing zgRAT is through phishing emails, which trick users into downloading and executing malicious attachments or clicking on links that lead to the download of malware.

zgRAT is frequently dropped by loader malware that act as intermediaries, ensuring that zgRAT is delivered efficiently to infected systems. Some loaders have also been observed using malvertising techniques, particularly through Google Ads. Malvertising involves malicious advertisements that, when clicked, redirect users to websites that download and install malicious software.

Collecting zgRAT Threat Intelligence

Threat Intelligence Lookup helps security professionals keep up with the latest samples and indicators of zgRAT.

The service provides access to a extensive database containing insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 search parameters, users can find specific data related to threats, including IP addresses, domains, file names, process artifacts, mutexes, etc.

zgRAT results in ANY.RUN's TI Lookup TI Lookup provides a list of sandbox sessions featuring zgRAT malware

For instance, important context on zgRAT can be searched by with the query like threatName:"zgRAT". This will return all related samples and sandbox results relevant to this remote access trojan.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

zgRAT malware represents a significant threat to businesses, with its advanced capabilities and sophisticated distribution methods. Its ability to steal sensitive data, spread via USB drives, and exfiltrate information through popular messaging platforms makes it a serious security concern.

To ensure proactive identification of malicious content, use ANY.RUN’s Interactive Sandbox that lets you quickly run analysis of any file and URL to determine if it poses a risk.

Sign up for a free ANY.RUN account to access unlimited cyber threat analysis →

HAVE A LOOK AT

Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More