Analysis
-
max time kernel
71s -
max time network
76s -
platform
windows10-1703_x64 -
resource
win10-20231025-en -
resource tags
-
submitted
12-12-2023 14:51
General
-
Target
Zecdtuorders.exe
-
Size
871KB
-
MD5
7e4166e62463bf537fb9f4fefeb11b0f
-
SHA1
1bbf554f92a484b4140eb127e926b4d493a07860
-
SHA256
edfe3d2b49b3e5b9a133c3ee9144565f413f683a1e53af9d295d568ddfb62e0d
-
SHA512
287b0aafe17e76e3d530fa512001b13dfaa4b513dfc30898759a9f249e79cb703ee4c075afa695f8e270039d35699cc7e462f29d957df2b1abf0f00bf0254746
-
SSDEEP
12288:IgAhV0VWCDxtMsxaSY86xdYiditORC+k8HPCK+ooJFqgvSXikzXnN2NGtioeRJv:BMYSitORdTnAsgvdkDnNqXDM
Malware Config
Extracted
Protocol: smtp- Host:
198.23.221.13 - Port:
587 - Username:
[email protected] - Password:
admin2
Extracted
agenttesla
Protocol: smtp- Host:
198.23.221.13 - Port:
587 - Username:
[email protected] - Password:
admin2 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1 34 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Zecdtuorders.exe"C:\Users\Admin\AppData\Local\Temp\Zecdtuorders.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Zecdtuorders.exeC:\Users\Admin\AppData\Local\Temp\Zecdtuorders.exe2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
927B
MD5536cab636369af6e580d95bfdc11c573
SHA18a41a39758475ae0e08bc74f42f898ad2272aca1
SHA25684012832b818435c678ed4d0a9970e9e0dc3c94d3906035fdf84330e16474626
SHA51234abac8aa79bd9d889fe8ca73d91aede83307a533a513d8b8e46d5a22f22dad53a4a9557cc64c94d79e21ef3929348ca4b6ef27f6cbdf7b341f615d2f9df8fa7
-
Filesize
264KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
320KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
4KB
-
Filesize
264KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
64KB
-
Filesize
680KB
-
Filesize
6.9MB
-
Filesize
896KB
-
Filesize
304KB
-
Filesize
5.0MB
-
Filesize
6.9MB