agenttesla | b4603870f2a94658bd915f7255062c0629fd8b756e96ad465871f9173a7a0379

General

Target

SHIPPING.EXE.exe
Size

629KB
MD5

3de3b2aec3580c30d26038ae32e441d2
SHA1

dfc2501866a225f36d61fe0fcbce7ed288a442cb
SHA256

b4603870f2a94658bd915f7255062c0629fd8b756e96ad465871f9173a7a0379
SHA512

56840bab4753d3c1ed380ee1092b3211fb2aeb723b964dbe2b046cd32b539a3d25b8becf39a117583d62415d6d57f55295a7f74d525aee0f553f535338ae22e1
SSDEEP

12288:w3IU8S6eUdUO2sMCqXHwJORW4iWEgH8CRRjZQ1TGvqbbZuGMkRiPPVFeh:OItSAdUOwMOk/WvjZQ1tZuGMEiPPVF

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.mailo.com
Port:
587
Username:
[email protected]
Password:
Bignosa1995
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2248-3-0x0000000000460000-0x0000000000478000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

SHIPPING.EXE.exe

description pid process target process

PID 2248 set thread context of 2456 2248 SHIPPING.EXE.exe SHIPPING.EXE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2572 schtasks.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 2248 set thread context of 2456	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe

pid	process
2572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

SHIPPING.EXE.exeSHIPPING.EXE.exepowershell.exepowershell.exe

pid	process
2248	SHIPPING.EXE.exe
2248	SHIPPING.EXE.exe
2248	SHIPPING.EXE.exe
2248	SHIPPING.EXE.exe
2248	SHIPPING.EXE.exe
2248	SHIPPING.EXE.exe
2456	SHIPPING.EXE.exe
2456	SHIPPING.EXE.exe
2668	powershell.exe
2700	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SHIPPING.EXE.exeSHIPPING.EXE.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2248	SHIPPING.EXE.exe
Token: SeDebugPrivilege	2456	SHIPPING.EXE.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SHIPPING.EXE.exe

pid process

2456 SHIPPING.EXE.exe

pid	process
2456	SHIPPING.EXE.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

SHIPPING.EXE.exe

description	pid	process	target process
PID 2248 wrote to memory of 2668	2248	SHIPPING.EXE.exe	powershell.exe
PID 2248 wrote to memory of 2668	2248	SHIPPING.EXE.exe	powershell.exe
PID 2248 wrote to memory of 2668	2248	SHIPPING.EXE.exe	powershell.exe
PID 2248 wrote to memory of 2668	2248	SHIPPING.EXE.exe	powershell.exe
PID 2248 wrote to memory of 2700	2248	SHIPPING.EXE.exe	powershell.exe
PID 2248 wrote to memory of 2700	2248	SHIPPING.EXE.exe	powershell.exe
PID 2248 wrote to memory of 2700	2248	SHIPPING.EXE.exe	powershell.exe
PID 2248 wrote to memory of 2700	2248	SHIPPING.EXE.exe	powershell.exe
PID 2248 wrote to memory of 2572	2248	SHIPPING.EXE.exe	schtasks.exe
PID 2248 wrote to memory of 2572	2248	SHIPPING.EXE.exe	schtasks.exe
PID 2248 wrote to memory of 2572	2248	SHIPPING.EXE.exe	schtasks.exe
PID 2248 wrote to memory of 2572	2248	SHIPPING.EXE.exe	schtasks.exe
PID 2248 wrote to memory of 2440	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2440	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2440	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2440	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2448	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2448	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2448	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2448	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456	2248	SHIPPING.EXE.exe	SHIPPING.EXE.exe

C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DYFnSoq.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DYFnSoq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp"
2⤵
- Creates scheduled task(s)
PID:2572

C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
2⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
2⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp

Filesize
1KB

MD5
e76492ad9372ff77abca565604535c47

SHA1
4ca0adfefca098b05fb240a90f57d955f2f4533b

SHA256
b173db1dc1ccacb62b81d3e1742f187c361380a5e9dcfcb8aeaba147dd234bc2

SHA512
e5e6cd6bc8c7e675eadca734aceddd8a99dc999e9d73a2956d74b9287e82f031473a4214a3eea3dac60bef5ed9270257286ffc0e2e562bd57524cd3b41f1aeb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f9e1276776ced3585c72376e84e3611

SHA1
3dc3c525765dc4bc432bf532470e582908858141

SHA256
413fea8e83acfbc23c2c81d1f4eb65e79092994519feb8bec72b2424d64c53b0

SHA512
209f93291cb7b70e50039343b01077c88de5762ffc69b5f101e6f662bcc50b44c05bb1fb3051d152e5f70e2c47eb6f53177e87d27c3edcd35e42c4a632d483be

Download Submit
memory/2248-0-0x00000000001E0000-0x0000000000282000-memory.dmp

Filesize
648KB

Download
memory/2248-1-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-2-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/2248-3-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/2248-4-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2248-5-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2248-6-0x0000000005AE0000-0x0000000005B5A000-memory.dmp

Filesize
488KB

Download
memory/2248-32-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-41-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2456-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-46-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-45-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/2456-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-39-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/2668-38-0x000000006F150000-0x000000006F6FB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-36-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2668-44-0x000000006F150000-0x000000006F6FB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-33-0x000000006F150000-0x000000006F6FB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-37-0x000000006F150000-0x000000006F6FB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-40-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2700-35-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2700-42-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2700-43-0x000000006F150000-0x000000006F6FB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-34-0x000000006F150000-0x000000006F6FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads