agenttesla | 2b1b9a2c985b1f379fa1f6fed2a2ca8c6bf3c9e352fc4a2c27cdd5dcabaca215

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO OAU_DECQTRFA00541·PDF.scr
Size

878KB
MD5

89160b80b6c468aa1df713449fecb85a
SHA1

8636828e03b268d1ca379e5ec2f0e202934c1d11
SHA256

4f552d66d0f774acbf75f57ff0a41db9eaa3dfa338795f385865e4c6696713c9
SHA512

51ade18ae3de559a539e957d8c42c65cbe95aba9c3447b9d1c27d315bba9773f46419266b2b5a4b5898d191fa8ecf4c783b4411af26b9afca3382481f2925528
SSDEEP

24576:k+1GNss+LA5WGu4Ljs0OyC4dcwFgOy6v2cmzw6murezzzIeIII0IEzlKyskJ66UN:USsjdnseC4nmD6Ocmzw6murezzzIeIIW

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
MCgD#w!TZmaka!@@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2412-2-0x00000000047C0000-0x000000000486A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-4-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-5-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-7-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-9-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-11-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-13-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-15-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-17-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-19-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-21-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-23-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-25-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-27-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-29-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-31-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-33-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-35-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-37-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-39-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-41-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-43-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-45-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-47-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-49-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-51-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-53-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-55-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-57-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-59-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-61-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-63-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-65-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1
behavioral1/memory/2412-67-0x00000000047C0000-0x0000000004863000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
6 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scr

description pid process target process

PID 2412 set thread context of 1800 2412 PO OAU_DECQTRFA00541·PDF.scr aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aspnet_compiler.exe

pid process

1800 aspnet_compiler.exe
1800 aspnet_compiler.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scraspnet_compiler.exe

description pid process

Token: SeDebugPrivilege 2412 PO OAU_DECQTRFA00541·PDF.scr
Token: SeDebugPrivilege 1800 aspnet_compiler.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

1800 aspnet_compiler.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip-api.com

description	pid	process	target process
PID 2412 set thread context of 1800	2412	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe

pid	process
1800	aspnet_compiler.exe
1800	aspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	2412	PO OAU_DECQTRFA00541·PDF.scr
Token: SeDebugPrivilege	1800	aspnet_compiler.exe

pid	process
1800	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scr

description	pid	process	target process
PID 2412 wrote to memory of 1800	2412	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2412 wrote to memory of 1800	2412	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2412 wrote to memory of 1800	2412	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2412 wrote to memory of 1800	2412	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2412 wrote to memory of 1800	2412	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2412 wrote to memory of 1800	2412	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2412 wrote to memory of 1800	2412	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2412 wrote to memory of 1800	2412	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2412 wrote to memory of 1800	2412	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\PO OAU_DECQTRFA00541·PDF.scr
"C:\Users\Admin\AppData\Local\Temp\PO OAU_DECQTRFA00541·PDF.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-948-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-951-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/1800-950-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-949-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/1800-947-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-43-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-11-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-9-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-47-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-13-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-15-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-17-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-19-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-21-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-23-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-25-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-27-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-29-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-31-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-33-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-49-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-37-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-39-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-41-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-0-0x0000000000170000-0x0000000000250000-memory.dmp

Filesize
896KB

Download
memory/2412-2-0x00000000047C0000-0x000000000486A000-memory.dmp

Filesize
680KB

Download
memory/2412-7-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-35-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-51-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-53-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-55-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-57-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-59-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-61-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-63-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-65-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-67-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-926-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2412-927-0x0000000001E90000-0x0000000001ED2000-memory.dmp

Filesize
264KB

Download
memory/2412-928-0x0000000004B50000-0x0000000004B9C000-memory.dmp

Filesize
304KB

Download
memory/2412-929-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-930-0x0000000001F40000-0x0000000001F80000-memory.dmp

Filesize
256KB

Download
memory/2412-943-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-5-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-4-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-3-0x0000000001F40000-0x0000000001F80000-memory.dmp

Filesize
256KB

Download
memory/2412-45-0x00000000047C0000-0x0000000004863000-memory.dmp

Filesize
652KB

Download
memory/2412-1-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download