agenttesla | 0c1dd76cfb46a241305091004455fc8372e7302a23c1a16621f9797911842772

General

Target

bWfV00eDJC2VLNt.exe
Size

620KB
MD5

7e9fd51231a5b40b2fac974b98ddbeab
SHA1

4567771d463f7827a779e13beadafb2be98dd39d
SHA256

a0a6aecabb4be0f50081fa24e2b6efe4807522ffbdd0a09e56a4ace6fa35b3a6
SHA512

5ee035e8c23cf68805df64f475dda06206ca3c38a0e95a40dc2798f2c3a06f5f44a6327efab55f4405a32bb87523d36b893cdf1b9d1ab68027775ffd352151c4
SSDEEP

12288:e93IU8S6eUdfkA7jOZxHBVj4iNjhnIF7seHANhraR8uiLNJk1XaBKQ:elItSAdfN8ISXNxA8uMNJktaBj

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.helikhodro.com
Port:
587
Username:
[email protected]
Password:
@Ii9121070423

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.helikhodro.com
Port:
587
Username:
[email protected]
Password:
@Ii9121070423
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1348-3-0x0000000000950000-0x0000000000968000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 ip-api.com
4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

bWfV00eDJC2VLNt.exe

description pid process target process

PID 1348 set thread context of 3064 1348 bWfV00eDJC2VLNt.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

bWfV00eDJC2VLNt.exeRegSvcs.exe

pid process

1348 bWfV00eDJC2VLNt.exe
1348 bWfV00eDJC2VLNt.exe
3064 RegSvcs.exe
3064 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bWfV00eDJC2VLNt.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1348 bWfV00eDJC2VLNt.exe
Token: SeDebugPrivilege 3064 RegSvcs.exe

flow	ioc
5	api.ipify.org
6	ip-api.com
4	api.ipify.org

description	pid	process	target process
PID 1348 set thread context of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe

pid	process
1348	bWfV00eDJC2VLNt.exe
1348	bWfV00eDJC2VLNt.exe
3064	RegSvcs.exe
3064	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1348	bWfV00eDJC2VLNt.exe
Token: SeDebugPrivilege	3064	RegSvcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bWfV00eDJC2VLNt.exe

description	pid	process	target process
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1348 wrote to memory of 3064	1348	bWfV00eDJC2VLNt.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\bWfV00eDJC2VLNt.exe
"C:\Users\Admin\AppData\Local\Temp\bWfV00eDJC2VLNt.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c859697640d60ff69f1590bd2629013

SHA1
06582574f9db76f63fd148b2961245b478a90fbb

SHA256
edaf4d415020bee2f15eab9e7ffc9233f95ab2b28b6c620e164c21e7403f551c

SHA512
16752d53e0757402df00507cbcbb1c2c586ddefcea4f7dcefaae339ad4559ef7316cef9aace69dd6943a746ebede5602a19cd8ea7f3268524e27d654f0b74d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab278F.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3127.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1348-6-0x0000000005040000-0x00000000050BC000-memory.dmp

Filesize
496KB

Download
memory/1348-5-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/1348-0-0x0000000000280000-0x0000000000322000-memory.dmp

Filesize
648KB

Download
memory/1348-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/1348-2-0x00000000006F0000-0x0000000000730000-memory.dmp

Filesize
256KB

Download
memory/1348-3-0x0000000000950000-0x0000000000968000-memory.dmp

Filesize
96KB

Download
memory/1348-4-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/1348-24-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-22-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3064-23-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download
memory/3064-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-91-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-92-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads