agenttesla | 0c1dd76cfb46a241305091004455fc8372e7302a23c1a16621f9797911842772

General

Target

bWfV00eDJC2VLNt.exe
Size

620KB
MD5

7e9fd51231a5b40b2fac974b98ddbeab
SHA1

4567771d463f7827a779e13beadafb2be98dd39d
SHA256

a0a6aecabb4be0f50081fa24e2b6efe4807522ffbdd0a09e56a4ace6fa35b3a6
SHA512

5ee035e8c23cf68805df64f475dda06206ca3c38a0e95a40dc2798f2c3a06f5f44a6327efab55f4405a32bb87523d36b893cdf1b9d1ab68027775ffd352151c4
SSDEEP

12288:e93IU8S6eUdfkA7jOZxHBVj4iNjhnIF7seHANhraR8uiLNJk1XaBKQ:elItSAdfN8ISXNxA8uMNJktaBj

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.helikhodro.com
Port:
587
Username:
[email protected]
Password:
@Ii9121070423

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.helikhodro.com
Port:
587
Username:
[email protected]
Password:
@Ii9121070423
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1164-3-0x00000000008D0000-0x00000000008E8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

bWfV00eDJC2VLNt.exe

description pid process target process

PID 1164 set thread context of 2748 1164 bWfV00eDJC2VLNt.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

bWfV00eDJC2VLNt.exeRegSvcs.exe

pid process

1164 bWfV00eDJC2VLNt.exe
1164 bWfV00eDJC2VLNt.exe
1164 bWfV00eDJC2VLNt.exe
2748 RegSvcs.exe
2748 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bWfV00eDJC2VLNt.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1164 bWfV00eDJC2VLNt.exe
Token: SeDebugPrivilege 2748 RegSvcs.exe

flow	ioc
6	ip-api.com
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 1164 set thread context of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe

pid	process
1164	bWfV00eDJC2VLNt.exe
1164	bWfV00eDJC2VLNt.exe
1164	bWfV00eDJC2VLNt.exe
2748	RegSvcs.exe
2748	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1164	bWfV00eDJC2VLNt.exe
Token: SeDebugPrivilege	2748	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

bWfV00eDJC2VLNt.exe

description	pid	process	target process
PID 1164 wrote to memory of 2160	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2160	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2160	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2160	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2160	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2160	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2160	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe
PID 1164 wrote to memory of 2748	1164	bWfV00eDJC2VLNt.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\bWfV00eDJC2VLNt.exe
"C:\Users\Admin\AppData\Local\Temp\bWfV00eDJC2VLNt.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a3ec621c5b5c163387e7584d208e5a8

SHA1
54ab9924285dc0a986b926a5ec3171ea6281e86c

SHA256
25b1839fbe5184020801f0d582700484271df43a0d4cb0be284ea881d00cc378

SHA512
57dcaa7b4c4dd6b924200aebb3eaac071b13ed401857d436f3578431fe42928d96dbb02e6f7ad1bf7e1462f0f163d46f5fd67cf00face985c5ff3a92628456b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE99.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBBAA.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1164-18-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/1164-5-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/1164-6-0x00000000059E0000-0x0000000005A5C000-memory.dmp

Filesize
496KB

Download
memory/1164-1-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/1164-2-0x0000000004C50000-0x0000000004C90000-memory.dmp

Filesize
256KB

Download
memory/1164-3-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/1164-4-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/1164-0-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2748-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-19-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-20-0x00000000022F0000-0x0000000002330000-memory.dmp

Filesize
256KB

Download
memory/2748-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-87-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads