agenttesla | 41430a71d6847e8c25206b5101164baa53b098ca1ee9c8d71a33ceb09e672927

General

Target

LAM CHUAN.exe
Size

573KB
MD5

b2d39ecdb67012426b8a8b7389a71aa8
SHA1

8905ac8f4674b55fd41cd15fbf9965bad5041f8d
SHA256

41430a71d6847e8c25206b5101164baa53b098ca1ee9c8d71a33ceb09e672927
SHA512

6e77e4529745999175c4ad760d962264846a9947bb5964842d67b4483c9c4a2f0e6ed5d73b6e5df18a8db75cc103e024a361f7821c9c52968be09799d4e1dfe9
SSDEEP

12288:TJ3IU8S6eUdwCY/d/8EqXrfLLzsRqzORl3gQgN0LcvxJ0EwFVvoMYRHA:ThItSAdwCYFe0Ri6lQQgN0SxJnwEMuH

Score

10^/10

agenttesla zgrat collection keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
NX@@OLDdollarDV8FW7
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3872-6-0x0000000004E70000-0x0000000004E88000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

LAM CHUAN.exe

description pid process target process

PID 3872 set thread context of 2604 3872 LAM CHUAN.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2604 RegSvcs.exe
2604 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2604 RegSvcs.exe

description	pid	process	target process
PID 3872 set thread context of 2604	3872	LAM CHUAN.exe	RegSvcs.exe

pid	process
2604	RegSvcs.exe
2604	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2604	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

LAM CHUAN.exe

description	pid	process	target process
PID 3872 wrote to memory of 2604	3872	LAM CHUAN.exe	RegSvcs.exe
PID 3872 wrote to memory of 2604	3872	LAM CHUAN.exe	RegSvcs.exe
PID 3872 wrote to memory of 2604	3872	LAM CHUAN.exe	RegSvcs.exe
PID 3872 wrote to memory of 2604	3872	LAM CHUAN.exe	RegSvcs.exe
PID 3872 wrote to memory of 2604	3872	LAM CHUAN.exe	RegSvcs.exe
PID 3872 wrote to memory of 2604	3872	LAM CHUAN.exe	RegSvcs.exe
PID 3872 wrote to memory of 2604	3872	LAM CHUAN.exe	RegSvcs.exe
PID 3872 wrote to memory of 2604	3872	LAM CHUAN.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\LAM CHUAN.exe
"C:\Users\Admin\AppData\Local\Temp\LAM CHUAN.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2604-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2604-20-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/2604-19-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/2604-18-0x0000000006640000-0x0000000006802000-memory.dmp

Filesize
1.8MB

Download
memory/2604-17-0x0000000006420000-0x0000000006470000-memory.dmp

Filesize
320KB

Download
memory/2604-15-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/2604-16-0x0000000001C90000-0x0000000001CF6000-memory.dmp

Filesize
408KB

Download
memory/2604-14-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/3872-5-0x0000000004AB0000-0x0000000004ABA000-memory.dmp

Filesize
40KB

Download
memory/3872-9-0x00000000044C0000-0x000000000452A000-memory.dmp

Filesize
424KB

Download
memory/3872-10-0x00000000063A0000-0x000000000643C000-memory.dmp

Filesize
624KB

Download
memory/3872-8-0x0000000005000000-0x000000000500A000-memory.dmp

Filesize
40KB

Download
memory/3872-13-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/3872-7-0x0000000004EE0000-0x0000000004EE8000-memory.dmp

Filesize
32KB

Download
memory/3872-6-0x0000000004E70000-0x0000000004E88000-memory.dmp

Filesize
96KB

Download
memory/3872-0-0x0000000000020000-0x00000000000B6000-memory.dmp

Filesize
600KB

Download
memory/3872-4-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3872-3-0x0000000004B40000-0x0000000004BD2000-memory.dmp

Filesize
584KB

Download
memory/3872-2-0x0000000005050000-0x00000000055F4000-memory.dmp

Filesize
5.6MB

Download
memory/3872-1-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads