agenttesla | 76be6cb7d75b3f78abc8074f0885d4efd99059997a285a33a9ea359183be8a68

General

Target

attached final docs.exe
Size

672KB
MD5

05bdbf0f45e344ba71847553e4900da0
SHA1

108de8169c3e3affadabb29a3da9d953efb79c87
SHA256

7f382cc5928a8adf09033a4412af83f103fe25384f7fb39343344432fc71f8c1
SHA512

922c275dd6ae6ed21a0a9789343d1848b739ff0dc5d4f0db4f8722b3b5804e0f9061d4ad1a22a7aef83044ed9fa9adbae33014b2df743fa52f364f9f57bd0198
SSDEEP

12288:2S3IU8S6eUd+qKo5v8XCQNhtFJXuxgOwZ0GPkqxEvYnfgAJ7pArHaBtUzefE:2IItSAd+qKo96vNxZMeA0tHE

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.precise.co.in
Port:
587
Username:
[email protected]
Password:
Singh@2022$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2360-3-0x00000000009E0000-0x00000000009F8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

attached final docs.exe

description pid process target process

PID 2360 set thread context of 2624 2360 attached final docs.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2584 schtasks.exe

description	pid	process	target process
PID 2360 set thread context of 2624	2360	attached final docs.exe	RegSvcs.exe

pid	process
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

attached final docs.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2360	attached final docs.exe
2360	attached final docs.exe
2360	attached final docs.exe
2360	attached final docs.exe
2360	attached final docs.exe
2360	attached final docs.exe
2652	powershell.exe
2656	powershell.exe
2360	attached final docs.exe
2624	RegSvcs.exe
2624	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

attached final docs.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2360	attached final docs.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2624	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

attached final docs.exe

description	pid	process	target process
PID 2360 wrote to memory of 2652	2360	attached final docs.exe	powershell.exe
PID 2360 wrote to memory of 2652	2360	attached final docs.exe	powershell.exe
PID 2360 wrote to memory of 2652	2360	attached final docs.exe	powershell.exe
PID 2360 wrote to memory of 2652	2360	attached final docs.exe	powershell.exe
PID 2360 wrote to memory of 2656	2360	attached final docs.exe	powershell.exe
PID 2360 wrote to memory of 2656	2360	attached final docs.exe	powershell.exe
PID 2360 wrote to memory of 2656	2360	attached final docs.exe	powershell.exe
PID 2360 wrote to memory of 2656	2360	attached final docs.exe	powershell.exe
PID 2360 wrote to memory of 2584	2360	attached final docs.exe	schtasks.exe
PID 2360 wrote to memory of 2584	2360	attached final docs.exe	schtasks.exe
PID 2360 wrote to memory of 2584	2360	attached final docs.exe	schtasks.exe
PID 2360 wrote to memory of 2584	2360	attached final docs.exe	schtasks.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe
PID 2360 wrote to memory of 2624	2360	attached final docs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\attached final docs.exe
"C:\Users\Admin\AppData\Local\Temp\attached final docs.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\attached final docs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TbuoHeok.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TbuoHeok" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EB1.tmp"
2⤵
- Creates scheduled task(s)
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7EB1.tmp

Filesize
1KB

MD5
2d1982f06dd527232b3755ed0c40b5ca

SHA1
3e0b6ccd842dd1dfd24a5079112937b35d885563

SHA256
2d6440aa5b1d99bfdc8ea34106d537904936f350215328c45e6d6de5e5603a28

SHA512
35cad63118cdc8210b3843022a2f29eecab5a9707ab4a74e0305e4ed8543eb1a9df621c227cab1b2e8587ec35925f27e6612cdb85b83e827891e2163f2369c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
188cc522c0d2ae86bb7645cdb1dce1d4

SHA1
42343fd57667b580e49e1c8a938eae031e581387

SHA256
f6d30e6622c388c2285ac6d578e39c06face4bbd3fc9556b9aba352934238d67

SHA512
0d682be12a69f0b9b9c4d13310c63cc40596d0c87a31bdfe676031e05c8a64a15f57dc0b08fb698f5163b7fbf060371681ef65675565f90544399a1753415b13

Download Submit
memory/2360-0-0x00000000011C0000-0x000000000126E000-memory.dmp

Filesize
696KB

Download
memory/2360-1-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2360-2-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2360-3-0x00000000009E0000-0x00000000009F8000-memory.dmp

Filesize
96KB

Download
memory/2360-4-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2360-5-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/2360-6-0x00000000004D0000-0x000000000054C000-memory.dmp

Filesize
496KB

Download
memory/2360-7-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2360-8-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2360-38-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-42-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-48-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/2624-47-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-43-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/2624-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-22-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-44-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-25-0x0000000002950000-0x0000000002990000-memory.dmp

Filesize
256KB

Download
memory/2652-24-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-21-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-23-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-45-0x000000006F5C0000-0x000000006FB6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads