agenttesla | df4c0ab0891cc41e20180a71eef369f158171b5b8326c849ca34f90dc5283990

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 00:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

46b6a50538c7f268d37095fa9d7e490c.exe
Size

630KB
MD5

46b6a50538c7f268d37095fa9d7e490c
SHA1

5d0ad74f9ab70234a5878b01c55a7d5a727ce1e6
SHA256

df4c0ab0891cc41e20180a71eef369f158171b5b8326c849ca34f90dc5283990
SHA512

5d37a4e9ce66f10228f7d6858cb7b2156187522a879d7503ffea1397a942904a6f64a287366526385257028d4810cce1581f95d0b3486df8b23b4c3e78bf49e1
SSDEEP

12288:AsacL4yf3JPX2gjtqgxZBSlIfP+3bU4iOJmatFB3:AS4EJztnZXe3graDB3

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
Greatest123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/776-7-0x0000000005A90000-0x0000000005B10000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-8-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-9-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-11-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-13-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-15-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-17-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-19-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-21-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-23-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-25-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-31-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-29-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-27-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-33-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-35-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-37-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-41-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-39-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-43-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-45-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-47-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-49-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-51-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-53-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-57-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-55-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-63-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-61-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-59-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-67-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-65-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-69-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1
behavioral1/memory/776-71-0x0000000005A90000-0x0000000005B0B000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

AgentTesla payload 3 IoCs

resource	yara_rule
behavioral1/memory/2208-2465-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2208-2466-0x0000000001220000-0x0000000001260000-memory.dmp	family_agenttesla
behavioral1/memory/2208-2468-0x0000000001220000-0x0000000001260000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 776 set thread context of 2208	776	46b6a50538c7f268d37095fa9d7e490c.exe	30

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
776	46b6a50538c7f268d37095fa9d7e490c.exe
2208	46b6a50538c7f268d37095fa9d7e490c.exe
2208	46b6a50538c7f268d37095fa9d7e490c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	776	46b6a50538c7f268d37095fa9d7e490c.exe
Token: SeDebugPrivilege	2208	46b6a50538c7f268d37095fa9d7e490c.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2208	776	46b6a50538c7f268d37095fa9d7e490c.exe	30
PID 776 wrote to memory of 2208	776	46b6a50538c7f268d37095fa9d7e490c.exe	30
PID 776 wrote to memory of 2208	776	46b6a50538c7f268d37095fa9d7e490c.exe	30
PID 776 wrote to memory of 2208	776	46b6a50538c7f268d37095fa9d7e490c.exe	30
PID 776 wrote to memory of 2208	776	46b6a50538c7f268d37095fa9d7e490c.exe	30
PID 776 wrote to memory of 2208	776	46b6a50538c7f268d37095fa9d7e490c.exe	30
PID 776 wrote to memory of 2208	776	46b6a50538c7f268d37095fa9d7e490c.exe	30
PID 776 wrote to memory of 2208	776	46b6a50538c7f268d37095fa9d7e490c.exe	30
PID 776 wrote to memory of 2208	776	46b6a50538c7f268d37095fa9d7e490c.exe	30

C:\Users\Admin\AppData\Local\Temp\46b6a50538c7f268d37095fa9d7e490c.exe
"C:\Users\Admin\AppData\Local\Temp\46b6a50538c7f268d37095fa9d7e490c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Local\Temp\46b6a50538c7f268d37095fa9d7e490c.exe
  C:\Users\Admin\AppData\Local\Temp\46b6a50538c7f268d37095fa9d7e490c.exe VGHBH
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-0-0x0000000001320000-0x00000000013C2000-memory.dmp

Filesize
648KB

Download
memory/776-1-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/776-2-0x0000000000E30000-0x0000000000E70000-memory.dmp

Filesize
256KB

Download
memory/776-3-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/776-4-0x0000000000E30000-0x0000000000E70000-memory.dmp

Filesize
256KB

Download
memory/776-5-0x0000000004D00000-0x0000000004D62000-memory.dmp

Filesize
392KB

Download
memory/776-6-0x0000000004D60000-0x0000000004DC2000-memory.dmp

Filesize
392KB

Download
memory/776-7-0x0000000005A90000-0x0000000005B10000-memory.dmp

Filesize
512KB

Download
memory/776-8-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-9-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-11-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-13-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-15-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-17-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-19-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-21-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-23-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-25-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-31-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-29-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-27-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-33-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-35-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-37-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-41-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-39-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-43-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-45-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-47-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-49-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-51-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-53-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-57-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-55-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-63-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-61-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-59-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-67-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-65-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-69-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-71-0x0000000005A90000-0x0000000005B0B000-memory.dmp

Filesize
492KB

Download
memory/776-2446-0x0000000000E30000-0x0000000000E70000-memory.dmp

Filesize
256KB

Download
memory/776-2447-0x0000000000E30000-0x0000000000E70000-memory.dmp

Filesize
256KB

Download
memory/776-2460-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-2464-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-2465-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2208-2466-0x0000000001220000-0x0000000001260000-memory.dmp

Filesize
256KB

Download
memory/2208-2467-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-2468-0x0000000001220000-0x0000000001260000-memory.dmp

Filesize
256KB

Download