agenttesla | 2b1b9a2c985b1f379fa1f6fed2a2ca8c6bf3c9e352fc4a2c27cdd5dcabaca215

Analysis

max time kernel
139s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2023 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO OAU_DECQTRFA00541·PDF.scr
Size

878KB
MD5

89160b80b6c468aa1df713449fecb85a
SHA1

8636828e03b268d1ca379e5ec2f0e202934c1d11
SHA256

4f552d66d0f774acbf75f57ff0a41db9eaa3dfa338795f385865e4c6696713c9
SHA512

51ade18ae3de559a539e957d8c42c65cbe95aba9c3447b9d1c27d315bba9773f46419266b2b5a4b5898d191fa8ecf4c783b4411af26b9afca3382481f2925528
SSDEEP

24576:k+1GNss+LA5WGu4Ljs0OyC4dcwFgOy6v2cmzw6murezzzIeIII0IEzlKyskJ66UN:USsjdnseC4nmD6Ocmzw6murezzzIeIIW

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
MCgD#w!TZmaka!@@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5108-2-0x0000000005040000-0x00000000050EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-4-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-5-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-7-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-9-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-11-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-13-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-15-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-17-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-19-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-23-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-25-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-21-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-27-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-29-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-31-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-33-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-35-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-37-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-39-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-41-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-43-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-45-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-49-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-47-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-51-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-53-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-55-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-57-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-59-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-61-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-63-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-65-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1
behavioral2/memory/5108-67-0x0000000005040000-0x00000000050E3000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

64 api.ipify.org
65 api.ipify.org
66 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scr

description pid process target process

PID 5108 set thread context of 60 5108 PO OAU_DECQTRFA00541·PDF.scr aspnet_compiler.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3012 60 WerFault.exe aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aspnet_compiler.exe

pid process

60 aspnet_compiler.exe
60 aspnet_compiler.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scraspnet_compiler.exe

description pid process

Token: SeDebugPrivilege 5108 PO OAU_DECQTRFA00541·PDF.scr
Token: SeDebugPrivilege 60 aspnet_compiler.exe

flow	ioc
64	api.ipify.org
65	api.ipify.org
66	ip-api.com

description	pid	process	target process
PID 5108 set thread context of 60	5108	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe

pid	pid_target	process	target process
3012	60	WerFault.exe	aspnet_compiler.exe

pid	process
60	aspnet_compiler.exe
60	aspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	5108	PO OAU_DECQTRFA00541·PDF.scr
Token: SeDebugPrivilege	60	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scr

description	pid	process	target process
PID 5108 wrote to memory of 60	5108	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 5108 wrote to memory of 60	5108	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 5108 wrote to memory of 60	5108	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 5108 wrote to memory of 60	5108	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 5108 wrote to memory of 60	5108	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 5108 wrote to memory of 60	5108	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 5108 wrote to memory of 60	5108	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 5108 wrote to memory of 60	5108	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\PO OAU_DECQTRFA00541·PDF.scr
"C:\Users\Admin\AppData\Local\Temp\PO OAU_DECQTRFA00541·PDF.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 2096
3⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 60 -ip 60
1⤵
PID:3556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-936-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/60-939-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/60-938-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/60-937-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/60-935-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5108-43-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-11-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-9-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-49-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-13-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-15-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-17-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-19-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-23-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-25-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-45-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-27-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-47-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-31-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-33-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-35-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-37-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-39-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-41-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-0-0x00000000006C0000-0x00000000007A0000-memory.dmp

Filesize
896KB

Download
memory/5108-21-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-7-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-29-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-51-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-53-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-55-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-57-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-59-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-61-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-63-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-65-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-67-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-926-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/5108-927-0x0000000005240000-0x0000000005282000-memory.dmp

Filesize
264KB

Download
memory/5108-928-0x0000000005280000-0x00000000052CC000-memory.dmp

Filesize
304KB

Download
memory/5108-929-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/5108-930-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/5108-931-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/5108-934-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/5108-5-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-4-0x0000000005040000-0x00000000050E3000-memory.dmp

Filesize
652KB

Download
memory/5108-3-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/5108-2-0x0000000005040000-0x00000000050EA000-memory.dmp

Filesize
680KB

Download
memory/5108-1-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download