agenttesla | 4ac078a48ff7d80ccbc37c526e395b51f900c8206afe29e27b2a84bd2cd84532

General

Target

SecuriteInfo.com.Win32.RATX-gen.1832.exe
Size

811KB
MD5

7fb1638e865e58b80b1726a7f7be73f9
SHA1

d1a0f23aa68c74558b2762d21cab404d7ca92217
SHA256

4ac078a48ff7d80ccbc37c526e395b51f900c8206afe29e27b2a84bd2cd84532
SHA512

c6e24465c67beb6b849ce386065812915160d2cd6afca7a5a9d210a056c3ca6d559d2e7fa494c41da7a0c484b080748210d623b38ebd8b98226c3c511d96b672
SSDEEP

12288:Wd6tmebg0pGSMujFv+HUL1300mv6wjIq40+vSIRmx8x4+/LVmIK8:WAtmebgIRvsKJ00mnjIE+v10IZ

Score

10^/10

agenttesla zgrat collection keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
NX@@OLDdollarDV8FW7
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4672-6-0x0000000005C80000-0x0000000005C98000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.1832.exe

description pid process target process

PID 4672 set thread context of 640 4672 SecuriteInfo.com.Win32.RATX-gen.1832.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

640 RegSvcs.exe
640 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 640 RegSvcs.exe

description	pid	process	target process
PID 4672 set thread context of 640	4672	SecuriteInfo.com.Win32.RATX-gen.1832.exe	RegSvcs.exe

pid	process
640	RegSvcs.exe
640	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	640	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.1832.exe

description	pid	process	target process
PID 4672 wrote to memory of 640	4672	SecuriteInfo.com.Win32.RATX-gen.1832.exe	RegSvcs.exe
PID 4672 wrote to memory of 640	4672	SecuriteInfo.com.Win32.RATX-gen.1832.exe	RegSvcs.exe
PID 4672 wrote to memory of 640	4672	SecuriteInfo.com.Win32.RATX-gen.1832.exe	RegSvcs.exe
PID 4672 wrote to memory of 640	4672	SecuriteInfo.com.Win32.RATX-gen.1832.exe	RegSvcs.exe
PID 4672 wrote to memory of 640	4672	SecuriteInfo.com.Win32.RATX-gen.1832.exe	RegSvcs.exe
PID 4672 wrote to memory of 640	4672	SecuriteInfo.com.Win32.RATX-gen.1832.exe	RegSvcs.exe
PID 4672 wrote to memory of 640	4672	SecuriteInfo.com.Win32.RATX-gen.1832.exe	RegSvcs.exe
PID 4672 wrote to memory of 640	4672	SecuriteInfo.com.Win32.RATX-gen.1832.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.1832.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.1832.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/640-20-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/640-19-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/640-18-0x0000000006310000-0x00000000064D2000-memory.dmp

Filesize
1.8MB

Download
memory/640-17-0x00000000060F0000-0x0000000006140000-memory.dmp

Filesize
320KB

Download
memory/640-14-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/640-15-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/640-16-0x0000000005240000-0x00000000052A6000-memory.dmp

Filesize
408KB

Download
memory/4672-5-0x0000000005AA0000-0x0000000005AAA000-memory.dmp

Filesize
40KB

Download
memory/4672-9-0x00000000052F0000-0x000000000535A000-memory.dmp

Filesize
424KB

Download
memory/4672-10-0x000000000C8C0000-0x000000000C95C000-memory.dmp

Filesize
624KB

Download
memory/4672-8-0x0000000005E90000-0x0000000005E9A000-memory.dmp

Filesize
40KB

Download
memory/4672-13-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/4672-7-0x0000000005E10000-0x0000000005E18000-memory.dmp

Filesize
32KB

Download
memory/4672-6-0x0000000005C80000-0x0000000005C98000-memory.dmp

Filesize
96KB

Download
memory/4672-0-0x0000000000E40000-0x0000000000F12000-memory.dmp

Filesize
840KB

Download
memory/4672-4-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/4672-3-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/4672-2-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/4672-1-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads