agenttesla | 5b8ccfa10415999c180007db5d1ad1bb7b876914421ca65e11d0a39259128a8f

Analysis

max time kernel
136s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2023 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO OAU_DECQTRFA00541·PDF.scr
Size

876KB
MD5

db8fdd697dafaa4aeb307452d652e0ef
SHA1

2addcfa14726e4c3e049873f7cfe0f2d42a04923
SHA256

9a37e5fffbac484741276e5f1e6e3c69edb6de33844ee2d99c9ce3adcf5deca9
SHA512

27fe99a63ea198bdfd9cd20415b0bf5d4a607ac8351f6c4e45df2c771ab6c6f1f4e19d386dca06d548110297f88d4bf52a0ff0d0b25890c75d3feb2213ffc827
SSDEEP

12288:613dUDuaee2A+cOpyd3Xo9c7T2zA+ctdOdplOXTdxvbhecadhoSHwerwGdx:I1aL2LoXGjAMCkc+w

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
uymzbwhxnsbuprue
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1072-2-0x00000000051F0000-0x0000000005298000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-4-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-5-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-7-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-9-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-11-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-13-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-15-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-17-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-19-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-21-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-23-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-25-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-27-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-29-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-31-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-33-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-35-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-37-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-39-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-41-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-43-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-45-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-47-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-49-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-51-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-53-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-55-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-57-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-59-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-61-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-63-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-65-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1
behavioral2/memory/1072-67-0x00000000051F0000-0x0000000005292000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scr

description pid process target process

PID 1072 set thread context of 2896 1072 PO OAU_DECQTRFA00541·PDF.scr aspnet_compiler.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4428 2896 WerFault.exe aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scraspnet_compiler.exe

pid process

1072 PO OAU_DECQTRFA00541·PDF.scr
1072 PO OAU_DECQTRFA00541·PDF.scr
2896 aspnet_compiler.exe
2896 aspnet_compiler.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scraspnet_compiler.exe

description pid process

Token: SeDebugPrivilege 1072 PO OAU_DECQTRFA00541·PDF.scr
Token: SeDebugPrivilege 2896 aspnet_compiler.exe

description	pid	process	target process
PID 1072 set thread context of 2896	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe

pid	pid_target	process	target process
4428	2896	WerFault.exe	aspnet_compiler.exe

pid	process
1072	PO OAU_DECQTRFA00541·PDF.scr
1072	PO OAU_DECQTRFA00541·PDF.scr
2896	aspnet_compiler.exe
2896	aspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	1072	PO OAU_DECQTRFA00541·PDF.scr
Token: SeDebugPrivilege	2896	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scr

description	pid	process	target process
PID 1072 wrote to memory of 4140	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 1072 wrote to memory of 4140	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 1072 wrote to memory of 4140	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 1072 wrote to memory of 2896	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 1072 wrote to memory of 2896	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 1072 wrote to memory of 2896	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 1072 wrote to memory of 2896	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 1072 wrote to memory of 2896	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 1072 wrote to memory of 2896	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 1072 wrote to memory of 2896	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 1072 wrote to memory of 2896	1072	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\PO OAU_DECQTRFA00541·PDF.scr
"C:\Users\Admin\AppData\Local\Temp\PO OAU_DECQTRFA00541·PDF.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
2⤵
PID:4140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1388
3⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2896 -ip 2896
1⤵
PID:2644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-43-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-7-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-2-0x00000000051F0000-0x0000000005298000-memory.dmp

Filesize
672KB

Download
memory/1072-3-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/1072-4-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-5-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-45-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-9-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-11-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-13-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-15-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-47-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-19-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-21-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-23-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-25-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-27-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-29-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-31-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-33-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-0-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1072-37-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-39-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-41-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-35-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-1-0x0000000000750000-0x0000000000830000-memory.dmp

Filesize
896KB

Download
memory/1072-17-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-49-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-51-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-53-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-55-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-57-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-59-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-61-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-63-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-65-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-67-0x00000000051F0000-0x0000000005292000-memory.dmp

Filesize
648KB

Download
memory/1072-926-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/1072-927-0x00000000052E0000-0x0000000005322000-memory.dmp

Filesize
264KB

Download
memory/1072-928-0x0000000005320000-0x000000000536C000-memory.dmp

Filesize
304KB

Download
memory/1072-929-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/1072-930-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/1072-931-0x0000000005D40000-0x00000000062E4000-memory.dmp

Filesize
5.6MB

Download
memory/1072-936-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/2896-934-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-933-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/2896-937-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/2896-938-0x0000000005260000-0x00000000052C6000-memory.dmp

Filesize
408KB

Download
memory/2896-939-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download