agenttesla | 9c0346e08a28cec8ab5be231e650450bbf64ebc42a14169e755ed9badef3b630

General

Target

SecuriteInfo.com.Win32.PWSX-gen.29615.exe
Size

646KB
MD5

8b2c546750137d4cbce416cd031e7c88
SHA1

7775afe55e151330c6ba7f34808de5e13b9d990d
SHA256

9c0346e08a28cec8ab5be231e650450bbf64ebc42a14169e755ed9badef3b630
SHA512

77a3057ed7d517704126b9662d9d0b8e2400e70276e14244d6f60efccd0a8b1681aae2edc71becea3e591ed9b8586efcaa3b17a92920b2ba35e7ef4a7c602abb
SSDEEP

12288:3m3IU8S6eUdgOcP3bHoRrU++6aZ9mQafptczaJrlPrs4f:3cItSAdgOiToRrUR62pKeglPg

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.2sautomobile.com
Port:
587
Username:
[email protected]
Password:
Kenzi051008
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2108-3-0x0000000000690000-0x00000000006A8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.29615.exe

description pid process target process

PID 2108 set thread context of 2084 2108 SecuriteInfo.com.Win32.PWSX-gen.29615.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2616 schtasks.exe

description	pid	process	target process
PID 2108 set thread context of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe

pid	process
2616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.29615.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe
2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe
2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe
2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe
2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe
2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe
2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe
2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe
2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe
2436	powershell.exe
2660	powershell.exe
2084	RegSvcs.exe
2084	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.29615.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2084	RegSvcs.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.29615.exe

description	pid	process	target process
PID 2108 wrote to memory of 2660	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	powershell.exe
PID 2108 wrote to memory of 2660	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	powershell.exe
PID 2108 wrote to memory of 2660	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	powershell.exe
PID 2108 wrote to memory of 2660	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	powershell.exe
PID 2108 wrote to memory of 2436	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	powershell.exe
PID 2108 wrote to memory of 2436	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	powershell.exe
PID 2108 wrote to memory of 2436	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	powershell.exe
PID 2108 wrote to memory of 2436	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	powershell.exe
PID 2108 wrote to memory of 2616	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	schtasks.exe
PID 2108 wrote to memory of 2616	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	schtasks.exe
PID 2108 wrote to memory of 2616	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	schtasks.exe
PID 2108 wrote to memory of 2616	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	schtasks.exe
PID 2108 wrote to memory of 2496	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2496	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2496	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2496	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2496	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2496	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2496	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe
PID 2108 wrote to memory of 2084	2108	SecuriteInfo.com.Win32.PWSX-gen.29615.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.29615.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.29615.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.29615.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YyuYEkUmnRX.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YyuYEkUmnRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5C1.tmp"
2⤵
- Creates scheduled task(s)
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA5C1.tmp

Filesize
1KB

MD5
27a1be849360a98e91086699f262dcab

SHA1
b14f39c777ee2b32b305cafc34e278c861ba077f

SHA256
f51fa0d9dbebbd0e94af9ab78e1caefcc3d68ea1f88769bd5350da8148741941

SHA512
d38c5f17a60bf742752888f5772e0a5fc2c8858309af2993fd0f3495620a2359dc36b70e85b617f1980154a54ef3fdb81d861417d208e54042bd92266a24103c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VX33KVGW2Z8XTUGFVTUW.temp

Filesize
7KB

MD5
f23843c4b1a4b2b1b2a5641b3f748b7f

SHA1
a45e6bfb26d08af37bc95bddaf5abf9e0c16f718

SHA256
c201ee605d0be4811f59d68ac2331cef7eaf177e445b99f5b0b89cfdf14cc994

SHA512
ef02914542f7a8794e6b58f5609bc8b7fe38325424fbd74c6c54d246b02d5b160950e791aadcef7fab199f3890c871346ff2bf9bdb7e960cbff2a8bbde6b3a0c

Download Submit
memory/2084-41-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2084-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-44-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-45-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/2084-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-7-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-3-0x0000000000690000-0x00000000006A8000-memory.dmp

Filesize
96KB

Download
memory/2108-1-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-2-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/2108-40-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-8-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/2108-0-0x0000000000E00000-0x0000000000EA8000-memory.dmp

Filesize
672KB

Download
memory/2108-6-0x0000000005920000-0x000000000599A000-memory.dmp

Filesize
488KB

Download
memory/2108-5-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2108-4-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/2436-21-0x000000006F7B0000-0x000000006FD5B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-42-0x000000006F7B0000-0x000000006FD5B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-23-0x000000006F7B0000-0x000000006FD5B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-24-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/2660-43-0x000000006F7B0000-0x000000006FD5B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-22-0x000000006F7B0000-0x000000006FD5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads