agenttesla | 7f382cc5928a8adf09033a4412af83f103fe25384f7fb39343344432fc71f8c1

General

Target

attached final docs.exe
Size

672KB
MD5

05bdbf0f45e344ba71847553e4900da0
SHA1

108de8169c3e3affadabb29a3da9d953efb79c87
SHA256

7f382cc5928a8adf09033a4412af83f103fe25384f7fb39343344432fc71f8c1
SHA512

922c275dd6ae6ed21a0a9789343d1848b739ff0dc5d4f0db4f8722b3b5804e0f9061d4ad1a22a7aef83044ed9fa9adbae33014b2df743fa52f364f9f57bd0198
SSDEEP

12288:2S3IU8S6eUd+qKo5v8XCQNhtFJXuxgOwZ0GPkqxEvYnfgAJ7pArHaBtUzefE:2IItSAd+qKo96vNxZMeA0tHE

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.precise.co.in
Port:
587
Username:
[email protected]
Password:
Singh@2022$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2352-3-0x00000000003B0000-0x00000000003C8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

attached final docs.exe

description pid process target process

PID 2352 set thread context of 2436 2352 attached final docs.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2708 schtasks.exe

description	pid	process	target process
PID 2352 set thread context of 2436	2352	attached final docs.exe	RegSvcs.exe

pid	process
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

attached final docs.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2352	attached final docs.exe
2352	attached final docs.exe
2352	attached final docs.exe
2352	attached final docs.exe
2352	attached final docs.exe
2352	attached final docs.exe
2848	powershell.exe
2644	powershell.exe
2352	attached final docs.exe
2436	RegSvcs.exe
2436	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

attached final docs.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2352	attached final docs.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2436	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

attached final docs.exe

description	pid	process	target process
PID 2352 wrote to memory of 2644	2352	attached final docs.exe	powershell.exe
PID 2352 wrote to memory of 2644	2352	attached final docs.exe	powershell.exe
PID 2352 wrote to memory of 2644	2352	attached final docs.exe	powershell.exe
PID 2352 wrote to memory of 2644	2352	attached final docs.exe	powershell.exe
PID 2352 wrote to memory of 2848	2352	attached final docs.exe	powershell.exe
PID 2352 wrote to memory of 2848	2352	attached final docs.exe	powershell.exe
PID 2352 wrote to memory of 2848	2352	attached final docs.exe	powershell.exe
PID 2352 wrote to memory of 2848	2352	attached final docs.exe	powershell.exe
PID 2352 wrote to memory of 2708	2352	attached final docs.exe	schtasks.exe
PID 2352 wrote to memory of 2708	2352	attached final docs.exe	schtasks.exe
PID 2352 wrote to memory of 2708	2352	attached final docs.exe	schtasks.exe
PID 2352 wrote to memory of 2708	2352	attached final docs.exe	schtasks.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe
PID 2352 wrote to memory of 2436	2352	attached final docs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\attached final docs.exe
"C:\Users\Admin\AppData\Local\Temp\attached final docs.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\attached final docs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TbuoHeok" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81CD.tmp"
2⤵
- Creates scheduled task(s)
PID:2708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TbuoHeok.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp81CD.tmp

Filesize
1KB

MD5
2d1982f06dd527232b3755ed0c40b5ca

SHA1
3e0b6ccd842dd1dfd24a5079112937b35d885563

SHA256
2d6440aa5b1d99bfdc8ea34106d537904936f350215328c45e6d6de5e5603a28

SHA512
35cad63118cdc8210b3843022a2f29eecab5a9707ab4a74e0305e4ed8543eb1a9df621c227cab1b2e8587ec35925f27e6612cdb85b83e827891e2163f2369c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7eddcf05d982948466b940fb1c3b0471

SHA1
0b7a29d083eba92b3bf923c6d601f419b830d9ad

SHA256
84938e5e5989e789519f8d3a54a3f5dee40c215ab1126941096b9e5c4518b579

SHA512
78eb84730cc5fe31b9c11fc659e1a74371518c27f2bce3271baf003848727026b050649200a9a8182273bb4362a14c0d9e23897418c4be9136b8ed061e43d43a

Download Submit
memory/2352-40-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-1-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-2-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2352-3-0x00000000003B0000-0x00000000003C8000-memory.dmp

Filesize
96KB

Download
memory/2352-4-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2352-5-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/2352-6-0x00000000004A0000-0x000000000051C000-memory.dmp

Filesize
496KB

Download
memory/2352-7-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-8-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2352-0-0x0000000000B00000-0x0000000000BAE000-memory.dmp

Filesize
696KB

Download
memory/2436-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2436-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-49-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2436-48-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2436-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-44-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2436-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-43-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2436-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2644-23-0x000000006F970000-0x000000006FF1B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-25-0x0000000002C60000-0x0000000002CA0000-memory.dmp

Filesize
256KB

Download
memory/2644-31-0x000000006F970000-0x000000006FF1B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-45-0x000000006F970000-0x000000006FF1B000-memory.dmp

Filesize
5.7MB

Download
memory/2848-21-0x000000006F970000-0x000000006FF1B000-memory.dmp

Filesize
5.7MB

Download
memory/2848-46-0x000000006F970000-0x000000006FF1B000-memory.dmp

Filesize
5.7MB

Download
memory/2848-29-0x000000006F970000-0x000000006FF1B000-memory.dmp

Filesize
5.7MB

Download
memory/2848-27-0x0000000001CB0000-0x0000000001CF0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads