agenttesla | f3e9ff06f04b6f3fce67e3ae02f89eb6f006ae95391105703abded87bc53f362

General

Target

SecuriteInfo.com.Win32.PWSX-gen.12978.exe
Size

638KB
MD5

ebb74a0fae5bf676cc2db601c2524ece
SHA1

53194206f72983e5cdc408a885c8b549c395e286
SHA256

f3e9ff06f04b6f3fce67e3ae02f89eb6f006ae95391105703abded87bc53f362
SHA512

b98cdaf7b00d19ccb074939d8b1a378937e41b9f38219de88c1166ef7643687341df8c72b6159cd59084b4db1a0fbf15ae91bebce8043bbceeabe8f287410ec2
SSDEEP

12288:LkBgOWP6i9oGpby1sTr55RxD0yaxc0q64ZKNWqAzLuMC2jDTDPGNnjl:gCMGpSsTr55R90yaSF64wNWxzaV2jD3G

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.precise.co.in
Port:
587
Username:
[email protected]
Password:
Singh@2022$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2188-3-0x00000000001F0000-0x0000000000208000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.12978.exe

description pid process target process

PID 2188 set thread context of 2656 2188 SecuriteInfo.com.Win32.PWSX-gen.12978.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2740 schtasks.exe

description	pid	process	target process
PID 2188 set thread context of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe

pid	process
2740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.12978.exeRegSvcs.exepowershell.exepowershell.exe

pid	process
2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe
2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe
2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe
2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe
2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe
2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe
2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe
2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe
2656	RegSvcs.exe
2656	RegSvcs.exe
2716	powershell.exe
2580	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.12978.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe
Token: SeDebugPrivilege	2656	RegSvcs.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.12978.exe

description	pid	process	target process
PID 2188 wrote to memory of 2580	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	powershell.exe
PID 2188 wrote to memory of 2580	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	powershell.exe
PID 2188 wrote to memory of 2580	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	powershell.exe
PID 2188 wrote to memory of 2580	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	powershell.exe
PID 2188 wrote to memory of 2716	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	powershell.exe
PID 2188 wrote to memory of 2716	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	powershell.exe
PID 2188 wrote to memory of 2716	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	powershell.exe
PID 2188 wrote to memory of 2716	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	powershell.exe
PID 2188 wrote to memory of 2740	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	schtasks.exe
PID 2188 wrote to memory of 2740	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	schtasks.exe
PID 2188 wrote to memory of 2740	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	schtasks.exe
PID 2188 wrote to memory of 2740	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	schtasks.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe
PID 2188 wrote to memory of 2656	2188	SecuriteInfo.com.Win32.PWSX-gen.12978.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.12978.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.12978.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.12978.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kqLNrgBFwWv.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kqLNrgBFwWv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEEF.tmp"
2⤵
- Creates scheduled task(s)
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEEF.tmp

Filesize
1KB

MD5
63318dc0a9af347052509b6aed36012f

SHA1
cfe087630202549c7982f713ee095c9db51864e1

SHA256
581987ff10c717b591e0637a8f677dfbb616626675005ec0ea2ea48c194ee7f1

SHA512
84a6cc95203c8842c690fbcaac48301bb5552fb78bc02654011791e11edc802a35547279e7213c4d2dbf8348a9036d0b83b9bee9998d3b0b9309debedf45b1a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VDJH8RMVX34G73CJ7YLT.temp

Filesize
7KB

MD5
1604c96cea9c600a5b2b08855bcbb012

SHA1
e2d889395314682926d0aebfed5a166ff157092a

SHA256
f5565be00067df83dc68ba6897be059a5afd09646a539044177daee5340c17e7

SHA512
d286475e7ec7437d75a3f58b9c3c8f929290dbd3cfef912585ba1c75aaa499a7e0518fea31d5d326fba07ca3b6b1564f247045ec02a9a41064c9af6345ba5e0d

Download Submit
memory/2188-8-0x0000000004A10000-0x0000000004A50000-memory.dmp

Filesize
256KB

Download
memory/2188-2-0x0000000004A10000-0x0000000004A50000-memory.dmp

Filesize
256KB

Download
memory/2188-4-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/2188-5-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/2188-6-0x0000000005140000-0x00000000051BC000-memory.dmp

Filesize
496KB

Download
memory/2188-7-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-38-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-3-0x00000000001F0000-0x0000000000208000-memory.dmp

Filesize
96KB

Download
memory/2188-1-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-0-0x0000000000C30000-0x0000000000CD4000-memory.dmp

Filesize
656KB

Download
memory/2580-45-0x000000006F020000-0x000000006F5CB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-23-0x000000006F020000-0x000000006F5CB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-43-0x0000000002100000-0x0000000002140000-memory.dmp

Filesize
256KB

Download
memory/2580-21-0x000000006F020000-0x000000006F5CB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-28-0x0000000002100000-0x0000000002140000-memory.dmp

Filesize
256KB

Download
memory/2656-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-35-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-48-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/2656-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-41-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-42-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/2656-47-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-22-0x000000006F020000-0x000000006F5CB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-44-0x000000006F020000-0x000000006F5CB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-24-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2716-26-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads