agenttesla | 4dd2869a36c4b826221c8b8131503fd48d3e8871af1ba2405823947c9915de74

General

Target

SecuriteInfo.com.Win32.PWSX-gen.32352.exe
Size

621KB
MD5

12528895f0306755c4fdee8ba97d89d1
SHA1

408636fe1438ba5f210705057beaf9a746ea83f6
SHA256

4dd2869a36c4b826221c8b8131503fd48d3e8871af1ba2405823947c9915de74
SHA512

b139b1a7d08833490e4fa3872391a4b953e0fd97700e46315d86ac41243368b02c3de1d36621e1b9e430018867a9b0211fc48a7c9d1a68cc17af685ce18cb0c7
SSDEEP

12288:L3IU8S6eUdsQKwNsP4xcI1MJwNfA/R4lPd5V18EENHSkkEDWYAj:7ItSAdsQK3I1RNfA/RwP1hENHSkkEKD

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.precise.co.in
Port:
587
Username:
[email protected]
Password:
Singh@2022$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1932-3-0x0000000000980000-0x0000000000998000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.32352.exe

description pid process target process

PID 1932 set thread context of 3004 1932 SecuriteInfo.com.Win32.PWSX-gen.32352.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2728 schtasks.exe

description	pid	process	target process
PID 1932 set thread context of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe

pid	process
2728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.32352.exeRegSvcs.exepowershell.exepowershell.exe

pid	process
1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe
1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe
1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe
1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe
1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe
1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe
1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe
3004	RegSvcs.exe
3004	RegSvcs.exe
2768	powershell.exe
2864	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.32352.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe
Token: SeDebugPrivilege	3004	RegSvcs.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.32352.exe

description	pid	process	target process
PID 1932 wrote to memory of 2768	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	powershell.exe
PID 1932 wrote to memory of 2768	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	powershell.exe
PID 1932 wrote to memory of 2768	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	powershell.exe
PID 1932 wrote to memory of 2768	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	powershell.exe
PID 1932 wrote to memory of 2864	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	powershell.exe
PID 1932 wrote to memory of 2864	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	powershell.exe
PID 1932 wrote to memory of 2864	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	powershell.exe
PID 1932 wrote to memory of 2864	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	powershell.exe
PID 1932 wrote to memory of 2728	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	schtasks.exe
PID 1932 wrote to memory of 2728	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	schtasks.exe
PID 1932 wrote to memory of 2728	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	schtasks.exe
PID 1932 wrote to memory of 2728	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	schtasks.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe
PID 1932 wrote to memory of 3004	1932	SecuriteInfo.com.Win32.PWSX-gen.32352.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.32352.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.32352.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.32352.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ulsrayNTRmtgvg.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ulsrayNTRmtgvg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD52A.tmp"
2⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD52A.tmp

Filesize
1KB

MD5
ba762edcf7e8bb07cf184345340ee6a3

SHA1
13fdba97ff72a20c6aa2004e9dff3f64e8899b11

SHA256
40ffd659252a659b1fc365b5a902c2097a49ac67dfced8a032e62c22115662ed

SHA512
6f884f1ab7ca28b3598adc71cf9d6440c6687856e2acbea2a1a3d58443076cd16df53e2b9137dd36e797ce60447413fab66d6f805216f6bb90cc457d8b0eea34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZYPT24NB0PVDZ7HEN06L.temp

Filesize
7KB

MD5
5e7606814756e569d0c41798f4fe074c

SHA1
243bcd6f687e8afeaf60df9969788ed4a50e4ae0

SHA256
d36739591ff4d2bec75b74d78f70926715d6c9d7a423ac91de2ff5a4e7a8db73

SHA512
223a74ef4ad2ab747cf329e94e1d9457de324c319473bccac0e3a1f1398321ee6a3483812ad7b1d31c89e67c2872ee9edf15135491a8949a819a04ceabb7d54b

Download Submit
memory/1932-8-0x0000000004740000-0x0000000004780000-memory.dmp

Filesize
256KB

Download
memory/1932-2-0x0000000004740000-0x0000000004780000-memory.dmp

Filesize
256KB

Download
memory/1932-4-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1932-5-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/1932-6-0x0000000005A20000-0x0000000005A9C000-memory.dmp

Filesize
496KB

Download
memory/1932-7-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-34-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-3-0x0000000000980000-0x0000000000998000-memory.dmp

Filesize
96KB

Download
memory/1932-1-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-0-0x0000000000A60000-0x0000000000B00000-memory.dmp

Filesize
640KB

Download
memory/2768-41-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/2768-39-0x000000006F7D0000-0x000000006FD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-44-0x000000006F7D0000-0x000000006FD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-37-0x000000006F7D0000-0x000000006FD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-38-0x000000006F7D0000-0x000000006FD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-40-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2864-45-0x000000006F7D0000-0x000000006FD7B000-memory.dmp

Filesize
5.7MB

Download
memory/3004-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-42-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-43-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/3004-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-47-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads