agenttesla | 8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 01:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe
Size

1.2MB
MD5

473e41f5cbd714b3c04cf897803a330b
SHA1

4b7cfbc87d878587f4bc34541fd319c46cea2bca
SHA256

8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831
SHA512

8be6a593734bd265830e8a0053c875655b88148e6f54a8bdf86d9309504451ac93121430385879249e5058f7de0c5e9c81fc1edf0c0fbdcbb1407452bbb1a3f8
SSDEEP

24576:QqDEvCTbMWu7rQYlBQcBiT6rpFd+zhLFbFfgZO1OGn4cyLCyi5:QTvC/MTQYxsWPkzhVFfgt0gC

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/4444-29-0x0000000002CC0000-0x0000000002D14000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-32-0x0000000002D20000-0x0000000002D72000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-34-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-33-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-36-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-38-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-40-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-42-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-44-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-50-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-48-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-54-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-52-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-56-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-58-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-62-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-66-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-72-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-76-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-80-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-78-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-82-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-88-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-90-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-86-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-92-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-84-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-74-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-70-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-68-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-64-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-60-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4444-46-0x0000000002D20000-0x0000000002D6C000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5088 set thread context of 4444	5088	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4444	RegSvcs.exe
4444	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2292	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe
5088	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4444	RegSvcs.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2028	2292	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe	86
PID 2292 wrote to memory of 2028	2292	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe	86
PID 2292 wrote to memory of 2028	2292	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe	86
PID 2292 wrote to memory of 5088	2292	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe	87
PID 2292 wrote to memory of 5088	2292	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe	87
PID 2292 wrote to memory of 5088	2292	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe	87
PID 5088 wrote to memory of 4444	5088	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe	88
PID 5088 wrote to memory of 4444	5088	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe	88
PID 5088 wrote to memory of 4444	5088	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe	88
PID 5088 wrote to memory of 4444	5088	8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe	88

C:\Users\Admin\AppData\Local\Temp\8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe
"C:\Users\Admin\AppData\Local\Temp\8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe"
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe
  "C:\Users\Admin\AppData\Local\Temp\8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\8f291e6386a4fce0e928b50244ea8c2b53d3411f981ba4492196435b33c88831.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurtling

Filesize
96KB

MD5
5f92ba1758ebebadc2beb4983395c62b

SHA1
792d0a14fce22791383dc2a2b5440c517426c245

SHA256
da91839f8ff61ad9cd62dd38c4593c08a9abf6099594a9e33186798969aa3649

SHA512
b5e29921d50531652e1184d311e7af6fed4a13e1e362b0a6b337ccaf4c441ade880782f08ae542a8c618b051d095d7585f5aa214345acbba402e6b489a058a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\sticket

Filesize
261KB

MD5
b8757eb299672efbf718791abdde6768

SHA1
9d0414bc67df283b9f756ed84168037e04319392

SHA256
0aba09543ccbb70509c628fcbb3152da22150dbfd06730cf8865859eae46c376

SHA512
ea8b1d1bf0c16b1ca03584a7db0a9feed7e5d44aa762b843d8579a1699ebef9b3310b0c355e87898e0dad1c4d33433f01c8bcc08b92b564cb52b71ccf07472a4

Download Submit
memory/2292-10-0x00000000020A0000-0x00000000020A4000-memory.dmp

Filesize
16KB

Download
memory/4444-23-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4444-24-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4444-25-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4444-26-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4444-27-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/4444-28-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4444-29-0x0000000002CC0000-0x0000000002D14000-memory.dmp

Filesize
336KB

Download
memory/4444-30-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4444-31-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/4444-32-0x0000000002D20000-0x0000000002D72000-memory.dmp

Filesize
328KB

Download
memory/4444-34-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-33-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-36-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-38-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-40-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-42-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-44-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-50-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-48-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-54-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-52-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-56-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-58-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-62-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-66-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-72-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-76-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-80-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-78-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-82-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-88-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-90-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-86-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-92-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-84-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-74-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-70-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-68-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-64-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-60-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-46-0x0000000002D20000-0x0000000002D6C000-memory.dmp

Filesize
304KB

Download
memory/4444-1065-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4444-1066-0x0000000002E30000-0x0000000002E96000-memory.dmp

Filesize
408KB

Download
memory/4444-1067-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4444-1068-0x00000000062B0000-0x0000000006300000-memory.dmp

Filesize
320KB

Download
memory/4444-1069-0x00000000063A0000-0x0000000006432000-memory.dmp

Filesize
584KB

Download
memory/4444-1070-0x0000000006310000-0x000000000631A000-memory.dmp

Filesize
40KB

Download
memory/4444-1071-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/4444-1072-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4444-1073-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4444-1074-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4444-1075-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download