Malware Analysis Report

2025-06-16 02:14

Sample ID 240123-qwg51sagfk
Target 3040-60-0x00000000402F0000-0x000000004034C000-memory.dmp
SHA256 5dca6fc45cc2e4c4ff978fa2de059f689d4de9704c0c5d1b5bde8764fa14fe68
Tags rat default asyncrat zgrat agenttesla keylogger spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5dca6fc45cc2e4c4ff978fa2de059f689d4de9704c0c5d1b5bde8764fa14fe68

Threat Level: Known bad

The file 3040-60-0x00000000402F0000-0x000000004034C000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat zgrat agenttesla keylogger spyware stealer trojan

ZGRat

Async RAT payload

Detect ZGRat V1

AgentTesla

AsyncRat

Agenttesla family

Asyncrat family

Zgrat family

Async RAT payload

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-23 13:36

Signatures

Agenttesla family

agenttesla

Async RAT payload

rat
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Asyncrat family

asyncrat

Detect ZGRat V1

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Zgrat family

zgrat

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 13:36

Reported

2024-01-23 13:39

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3040-60-0x00000000402F0000-0x000000004034C000-memory.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AsyncRat

rat asyncrat

Detect ZGRat V1

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

ZGRat

rat zgrat

Async RAT payload

rat
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                                       Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\3040-60-0x00000000402F0000-0x000000004034C000-memory.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3040-60-0x00000000402F0000-0x000000004034C000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\3040-60-0x00000000402F0000-0x000000004034C000-memory.exe"

Network

N/A

Files

memory/2720-0-0x00000000013E0000-0x000000000143C000-memory.dmp

memory/2720-1-0x0000000074960000-0x000000007504E000-memory.dmp

memory/2720-2-0x0000000074960000-0x000000007504E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 13:36

Reported

2024-01-23 13:39

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3040-60-0x00000000402F0000-0x000000004034C000-memory.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AsyncRat

rat asyncrat

Detect ZGRat V1

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

ZGRat

rat zgrat

Async RAT payload

rat
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                                       Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\3040-60-0x00000000402F0000-0x000000004034C000-memory.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3040-60-0x00000000402F0000-0x000000004034C000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\3040-60-0x00000000402F0000-0x000000004034C000-memory.exe"

Network

Country  Destination  Domain                       Proto
US       8.8.8.8:53   194.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53   241.150.49.20.in-addr.arpa   udp
US       8.8.8.8:53   68.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53   97.17.167.52.in-addr.arpa    udp
US       8.8.8.8:53   217.106.137.52.in-addr.arpa  udp
US       8.8.8.8:53   114.110.16.96.in-addr.arpa   udp
US       8.8.8.8:53   157.123.68.40.in-addr.arpa   udp
US       8.8.8.8:53   171.39.242.20.in-addr.arpa   udp
US       8.8.8.8:53   21.236.111.52.in-addr.arpa   udp
US       8.8.8.8:53   175.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53   8.173.189.20.in-addr.arpa    udp

Files

memory/348-0-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/348-1-0x0000000000B50000-0x0000000000BAC000-memory.dmp

memory/348-2-0x00000000750B0000-0x0000000075860000-memory.dmp