agenttesla | 1bb76901f992100d6b323a70b3324f4850aea1d069c3d956f344de94d93ebc33

Analysis

max time kernel
50s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdf8661bfba3b34c9c876c216db9bac1.exe
Size

767KB
MD5

cdf8661bfba3b34c9c876c216db9bac1
SHA1

30dc311efcb113155f32b818b171e7e3ffa03b88
SHA256

7bb1a4ceb5f46fa0a8313404d39bfe9838bd8ec84ee1d2f8ab9ddb41de92e8c4
SHA512

d8acd7b9080991994883dfe414fc5af888c06cc86aee1a74802adb17a854d9e53ddfc1ddf625b94eccd936ca0c99b7574bca532a9152cc2ac9dfafd65b359afb
SSDEEP

12288:WYIZYFeueRy5KPtlaA3OK4nwFpJaKdpkyoQGqUerMvcL7eiKEXqXdVFSZ2:BIZYFjkyYPtsAN4nwjJ/kvQRbK4qXdVF

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bulktz.com.ng
Port:
587
Username:
[email protected]
Password:
{LI-SwWPFy1!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral31/memory/1968-7-0x0000000005530000-0x00000000055BA000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1968	cdf8661bfba3b34c9c876c216db9bac1.exe
1968	cdf8661bfba3b34c9c876c216db9bac1.exe
1968	cdf8661bfba3b34c9c876c216db9bac1.exe
1968	cdf8661bfba3b34c9c876c216db9bac1.exe
1968	cdf8661bfba3b34c9c876c216db9bac1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	cdf8661bfba3b34c9c876c216db9bac1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2864	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	30
PID 1968 wrote to memory of 2864	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	30
PID 1968 wrote to memory of 2864	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	30
PID 1968 wrote to memory of 2864	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	30
PID 1968 wrote to memory of 888	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	32
PID 1968 wrote to memory of 888	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	32
PID 1968 wrote to memory of 888	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	32
PID 1968 wrote to memory of 888	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	32
PID 1968 wrote to memory of 3020	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	33
PID 1968 wrote to memory of 3020	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	33
PID 1968 wrote to memory of 3020	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	33
PID 1968 wrote to memory of 3020	1968	cdf8661bfba3b34c9c876c216db9bac1.exe	33

C:\Users\Admin\AppData\Local\Temp\cdf8661bfba3b34c9c876c216db9bac1.exe
"C:\Users\Admin\AppData\Local\Temp\cdf8661bfba3b34c9c876c216db9bac1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cdf8661bfba3b34c9c876c216db9bac1.exe"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rQQiKKhI.exe"
  2⤵
  PID:888
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rQQiKKhI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1323.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\cdf8661bfba3b34c9c876c216db9bac1.exe
  "C:\Users\Admin\AppData\Local\Temp\cdf8661bfba3b34c9c876c216db9bac1.exe"
  2⤵
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1323.tmp

Filesize
1KB

MD5
2a6d0f82b734d39634802098b1089938

SHA1
c868f13322d759283042145a6f469bc4c9d11dc9

SHA256
49309ef1fe6183ea13fc67d1a15a9f17bc76eee077f5387f2126f91cc2a31d6c

SHA512
aa65c09146986df3e71ae7a932e2b58322b3303c19e63bd99fa67bdc523f98f95325856551f3916cbc0594be4dc79f63a2e532dfc1fb113ce9f50c2082e259d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A382G1G55FHD961146S6.temp

Filesize
7KB

MD5
094b5250d654639e2bfd1074257a7371

SHA1
030fce3f73a14892f90f13ccb5ae2b3b0dbfd984

SHA256
968912e3e8b8722587f06a61daaa167003a08b4dbec54b0da4ac631fb17649b9

SHA512
29c56cf716d25f84698a4c4811cf226a060eaa7f3ce1b33e25bfd2ee1d5e51b8f4329a6258725c2ce34dfda51f16f6737a5ee706249c58beb5b0aa7e481e149c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
094b5250d654639e2bfd1074257a7371

SHA1
030fce3f73a14892f90f13ccb5ae2b3b0dbfd984

SHA256
968912e3e8b8722587f06a61daaa167003a08b4dbec54b0da4ac631fb17649b9

SHA512
29c56cf716d25f84698a4c4811cf226a060eaa7f3ce1b33e25bfd2ee1d5e51b8f4329a6258725c2ce34dfda51f16f6737a5ee706249c58beb5b0aa7e481e149c

Download Submit
memory/888-36-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/888-45-0x000000006D2D0000-0x000000006D87B000-memory.dmp

Filesize
5.7MB

Download
memory/888-33-0x000000006D2D0000-0x000000006D87B000-memory.dmp

Filesize
5.7MB

Download
memory/888-39-0x000000006D2D0000-0x000000006D87B000-memory.dmp

Filesize
5.7MB

Download
memory/888-42-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1968-7-0x0000000005530000-0x00000000055BA000-memory.dmp

Filesize
552KB

Download
memory/1968-2-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1968-1-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-3-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/1968-32-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/1968-6-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1968-0-0x0000000000830000-0x00000000008F6000-memory.dmp

Filesize
792KB

Download
memory/1968-5-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1968-20-0x0000000006310000-0x0000000006362000-memory.dmp

Filesize
328KB

Download
memory/1968-4-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-23-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-22-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-31-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-52-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-37-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2136-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-51-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2136-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2136-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-40-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2864-41-0x00000000023F0000-0x0000000002430000-memory.dmp

Filesize
256KB

Download
memory/2864-49-0x000000006D2D0000-0x000000006D87B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-38-0x000000006D2D0000-0x000000006D87B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-35-0x00000000023F0000-0x0000000002430000-memory.dmp

Filesize
256KB

Download
memory/2864-34-0x000000006D2D0000-0x000000006D87B000-memory.dmp

Filesize
5.7MB

Download