agenttesla | 79c876d02fe3cbb401a8862883da6c028ab59ddab08d442f81ed1c1ac735ad57

Analysis

max time kernel
139s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2023 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO#202312.exe
Size

662KB
MD5

3cfb07a2465657d8928e675dedcd9978
SHA1

c5bd7e1f89fde69af56a8305e5fac685557da92e
SHA256

b5373781057e3cc3a3e2064f57942adc17f2a3905de6c1037332dfaede7a9cba
SHA512

77c6687b8c635e90b8c19c914d5873ee40a8105448dc96480a2a1c1fb7abcb201ad4cd0a0ae9768a696743a29b1e6d25aeed62dcc93d5d60fee858781326c88a
SSDEEP

12288:huGo+4WpAE9y7Rxkz2Uo6hYMRbG7TyQ8WyDv3WDWHUIpUsimxVR5dx6D78cPLC+:ppAEIxyo6hplGUWyrWDEUIpUOTKD

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.2sautomobile.com
Port:
587
Username:
[email protected]
Password:
Kenzi051008

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.2sautomobile.com
Port:
587
Username:
[email protected]
Password:
Kenzi051008
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4276-6-0x0000000005AA0000-0x0000000005AB8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PO#202312.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation	PO#202312.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO#202312.exe

description pid process target process

PID 4276 set thread context of 1656 4276 PO#202312.exe PO#202312.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2256 schtasks.exe

description	pid	process	target process
PID 4276 set thread context of 1656	4276	PO#202312.exe	PO#202312.exe

pid	process
2256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exePO#202312.exePO#202312.exe

pid	process
5088	powershell.exe
5088	powershell.exe
3208	powershell.exe
3208	powershell.exe
4276	PO#202312.exe
4276	PO#202312.exe
4276	PO#202312.exe
4276	PO#202312.exe
4276	PO#202312.exe
4276	PO#202312.exe
1656	PO#202312.exe
1656	PO#202312.exe
1656	PO#202312.exe
3208	powershell.exe
5088	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exePO#202312.exePO#202312.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	4276	PO#202312.exe
Token: SeDebugPrivilege	1656	PO#202312.exe
Token: SeManageVolumePrivilege	1264	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

PO#202312.exe

description	pid	process	target process
PID 4276 wrote to memory of 3208	4276	PO#202312.exe	powershell.exe
PID 4276 wrote to memory of 3208	4276	PO#202312.exe	powershell.exe
PID 4276 wrote to memory of 3208	4276	PO#202312.exe	powershell.exe
PID 4276 wrote to memory of 5088	4276	PO#202312.exe	powershell.exe
PID 4276 wrote to memory of 5088	4276	PO#202312.exe	powershell.exe
PID 4276 wrote to memory of 5088	4276	PO#202312.exe	powershell.exe
PID 4276 wrote to memory of 2256	4276	PO#202312.exe	schtasks.exe
PID 4276 wrote to memory of 2256	4276	PO#202312.exe	schtasks.exe
PID 4276 wrote to memory of 2256	4276	PO#202312.exe	schtasks.exe
PID 4276 wrote to memory of 2928	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 2928	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 2928	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 3812	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 3812	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 3812	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 1244	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 1244	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 1244	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 1656	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 1656	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 1656	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 1656	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 1656	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 1656	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 1656	4276	PO#202312.exe	PO#202312.exe
PID 4276 wrote to memory of 1656	4276	PO#202312.exe	PO#202312.exe

C:\Users\Admin\AppData\Local\Temp\PO#202312.exe
"C:\Users\Admin\AppData\Local\Temp\PO#202312.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO#202312.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eKoCjhdl.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eKoCjhdl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD67A.tmp"
2⤵
- Creates scheduled task(s)
PID:2256

C:\Users\Admin\AppData\Local\Temp\PO#202312.exe
"C:\Users\Admin\AppData\Local\Temp\PO#202312.exe"
2⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\PO#202312.exe
"C:\Users\Admin\AppData\Local\Temp\PO#202312.exe"
2⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\PO#202312.exe
"C:\Users\Admin\AppData\Local\Temp\PO#202312.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\PO#202312.exe
"C:\Users\Admin\AppData\Local\Temp\PO#202312.exe"
2⤵
PID:1244

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
f94e815972201f2a9b3caa0c019cc78f

SHA1
9c9044eed5c7798bec32a4d55dfeb7cfe63ceb9c

SHA256
5a76da6733d755547c96b9703c12acc6ffb9701490b151c1ca39b3f794e0976f

SHA512
fe038d249d69f14d08ec800ca93c1899241dba53bbb7f3a6f38ee6792a2a5d2bb3191057e2b8060ae32f5ec2f31cbb9314d8d419886652d5f09d971f29c3e54c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b8537f37270ed81aa4523496fd5147af

SHA1
51ca36fe5faaaaa8327f9463a6e446fd6cbbf8c6

SHA256
f852228b84604b799de37f50b1c1b443be8116a0b60e2b418a3e4ec2a7dea028

SHA512
581d948e00aca97905ed84808bda476dcd712b88d809148b44f2a64486f8bd1dbb67ec62e6aad3f7690a9b9f74a172075a11ff856f050baabbf52154ad4b1348

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2gfjcfu5.4cq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD67A.tmp

Filesize
1KB

MD5
89cedea654a03a1c278a99a555363126

SHA1
b83d66c8ee11fea1fe2a12e4fc57c4e0b8840c23

SHA256
2bc7e078578a53cc2d949151edcc4ea58bcbed276d1631061cd6e6f4f0f731a9

SHA512
5ec95e9b3fcd3cb200b07e9efd9191bb9e3af54f7b5d559a5fcf0cf375a65a2dcc2c349ebb29e8334de492a3c91abd3fafd7a8e6e5bbba248857658038da9f16

Download Submit
memory/1264-146-0x000001CA6A8A0000-0x000001CA6A8A1000-memory.dmp

Filesize
4KB

Download
memory/1264-164-0x000001CA6A9D0000-0x000001CA6A9D1000-memory.dmp

Filesize
4KB

Download
memory/1264-149-0x000001CA6A890000-0x000001CA6A891000-memory.dmp

Filesize
4KB

Download
memory/1264-167-0x000001CA6A9E0000-0x000001CA6A9E1000-memory.dmp

Filesize
4KB

Download
memory/1264-144-0x000001CA6A890000-0x000001CA6A891000-memory.dmp

Filesize
4KB

Download
memory/1264-143-0x000001CA6A8A0000-0x000001CA6A8A1000-memory.dmp

Filesize
4KB

Download
memory/1264-142-0x000001CA6AC80000-0x000001CA6AC81000-memory.dmp

Filesize
4KB

Download
memory/1264-141-0x000001CA6AC80000-0x000001CA6AC81000-memory.dmp

Filesize
4KB

Download
memory/1264-140-0x000001CA6AC80000-0x000001CA6AC81000-memory.dmp

Filesize
4KB

Download
memory/1264-139-0x000001CA6AC80000-0x000001CA6AC81000-memory.dmp

Filesize
4KB

Download
memory/1264-138-0x000001CA6AC80000-0x000001CA6AC81000-memory.dmp

Filesize
4KB

Download
memory/1264-137-0x000001CA6AC80000-0x000001CA6AC81000-memory.dmp

Filesize
4KB

Download
memory/1264-136-0x000001CA6AC80000-0x000001CA6AC81000-memory.dmp

Filesize
4KB

Download
memory/1264-152-0x000001CA6A7D0000-0x000001CA6A7D1000-memory.dmp

Filesize
4KB

Download
memory/1264-135-0x000001CA6AC80000-0x000001CA6AC81000-memory.dmp

Filesize
4KB

Download
memory/1264-134-0x000001CA6AC80000-0x000001CA6AC81000-memory.dmp

Filesize
4KB

Download
memory/1264-133-0x000001CA6AC80000-0x000001CA6AC81000-memory.dmp

Filesize
4KB

Download
memory/1264-168-0x000001CA6AAF0000-0x000001CA6AAF1000-memory.dmp

Filesize
4KB

Download
memory/1264-132-0x000001CA6AC50000-0x000001CA6AC51000-memory.dmp

Filesize
4KB

Download
memory/1264-166-0x000001CA6A9E0000-0x000001CA6A9E1000-memory.dmp

Filesize
4KB

Download
memory/1264-116-0x000001CA62660000-0x000001CA62670000-memory.dmp

Filesize
64KB

Download
memory/1656-99-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1656-98-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/1656-50-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/1656-51-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/1656-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-90-0x0000000006630000-0x0000000006680000-memory.dmp

Filesize
320KB

Download
memory/3208-80-0x0000000007750000-0x00000000077F3000-memory.dmp

Filesize
652KB

Download
memory/3208-86-0x0000000007AC0000-0x0000000007ACE000-memory.dmp

Filesize
56KB

Download
memory/3208-15-0x0000000002C40000-0x0000000002C76000-memory.dmp

Filesize
216KB

Download
memory/3208-16-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/3208-59-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/3208-78-0x0000000006B30000-0x0000000006B4E000-memory.dmp

Filesize
120KB

Download
memory/3208-17-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/3208-25-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/3208-57-0x000000007FBF0000-0x000000007FC00000-memory.dmp

Filesize
64KB

Download
memory/3208-55-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/3208-81-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/3208-93-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/3208-84-0x0000000007B10000-0x0000000007BA6000-memory.dmp

Filesize
600KB

Download
memory/3208-89-0x0000000007BB0000-0x0000000007BB8000-memory.dmp

Filesize
32KB

Download
memory/4276-49-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4276-23-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/4276-1-0x0000000000CF0000-0x0000000000D9A000-memory.dmp

Filesize
680KB

Download
memory/4276-2-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download
memory/4276-3-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/4276-4-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/4276-5-0x0000000005930000-0x000000000593A000-memory.dmp

Filesize
40KB

Download
memory/4276-6-0x0000000005AA0000-0x0000000005AB8000-memory.dmp

Filesize
96KB

Download
memory/4276-7-0x0000000005C80000-0x0000000005C88000-memory.dmp

Filesize
32KB

Download
memory/4276-8-0x0000000005C90000-0x0000000005C9A000-memory.dmp

Filesize
40KB

Download
memory/4276-47-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/4276-9-0x0000000009610000-0x000000000968A000-memory.dmp

Filesize
488KB

Download
memory/4276-10-0x0000000008130000-0x00000000081CC000-memory.dmp

Filesize
624KB

Download
memory/4276-0-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-82-0x00000000075C0000-0x00000000075DA000-memory.dmp

Filesize
104KB

Download
memory/5088-31-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/5088-20-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/5088-21-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/5088-19-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-60-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/5088-18-0x0000000005470000-0x0000000005A98000-memory.dmp

Filesize
6.2MB

Download
memory/5088-58-0x0000000007480000-0x00000000074B2000-memory.dmp

Filesize
200KB

Download
memory/5088-56-0x000000007F400000-0x000000007F410000-memory.dmp

Filesize
64KB

Download
memory/5088-24-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/5088-48-0x0000000005DF0000-0x0000000006144000-memory.dmp

Filesize
3.3MB

Download
memory/5088-87-0x0000000007800000-0x0000000007814000-memory.dmp

Filesize
80KB

Download
memory/5088-97-0x0000000075040000-0x00000000757F0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-52-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/5088-53-0x0000000006300000-0x000000000634C000-memory.dmp

Filesize
304KB

Download
memory/5088-83-0x0000000007630000-0x000000000763A000-memory.dmp

Filesize
40KB

Download
memory/5088-54-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/5088-85-0x00000000077C0000-0x00000000077D1000-memory.dmp

Filesize
68KB

Download
memory/5088-88-0x0000000007900000-0x000000000791A000-memory.dmp

Filesize
104KB

Download