agenttesla | 24f07c42706495104f82dda5cacb1be3e3c1dda033f7b0ceaf9c5836007baad6

Analysis

max time kernel
115s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad1f2095f630d9aeadca2ea71aa4f996.exe
Size

708KB
MD5

ad1f2095f630d9aeadca2ea71aa4f996
SHA1

b70f3f9f800b7b818ae016ad254d972a8a73ffa7
SHA256

24f07c42706495104f82dda5cacb1be3e3c1dda033f7b0ceaf9c5836007baad6
SHA512

dcbc71f5d36c1522be7b84cdc73c92f177e7f66994f719a538dddf9ef76f4b4d9f3b7de577eac98be9e14a0e372865388af8925061e55cf3518a22b3d919edc8
SSDEEP

12288:TitcoVhwCsYjlhBaB7t6vSajTQAenCfhDV2BwF8:OtrhTj2heThewF8

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
newbeginning

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/4784-8-0x0000000007CE0000-0x0000000007D58000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-9-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-10-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-12-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-14-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-16-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-18-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-20-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-22-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-24-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-26-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-28-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-30-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-32-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-34-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-36-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-38-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-40-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-42-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-44-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-46-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-48-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-50-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-52-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-54-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-56-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-58-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-60-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-62-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-64-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-66-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-68-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-70-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1
behavioral2/memory/4784-72-0x0000000007CE0000-0x0000000007D53000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/3344-2227-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4784 set thread context of 3344	4784	ad1f2095f630d9aeadca2ea71aa4f996.exe	101

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4784	ad1f2095f630d9aeadca2ea71aa4f996.exe
4784	ad1f2095f630d9aeadca2ea71aa4f996.exe
3344	ad1f2095f630d9aeadca2ea71aa4f996.exe
3344	ad1f2095f630d9aeadca2ea71aa4f996.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	ad1f2095f630d9aeadca2ea71aa4f996.exe
Token: SeDebugPrivilege	3344	ad1f2095f630d9aeadca2ea71aa4f996.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 3344	4784	ad1f2095f630d9aeadca2ea71aa4f996.exe	101
PID 4784 wrote to memory of 3344	4784	ad1f2095f630d9aeadca2ea71aa4f996.exe	101
PID 4784 wrote to memory of 3344	4784	ad1f2095f630d9aeadca2ea71aa4f996.exe	101
PID 4784 wrote to memory of 3344	4784	ad1f2095f630d9aeadca2ea71aa4f996.exe	101
PID 4784 wrote to memory of 3344	4784	ad1f2095f630d9aeadca2ea71aa4f996.exe	101
PID 4784 wrote to memory of 3344	4784	ad1f2095f630d9aeadca2ea71aa4f996.exe	101
PID 4784 wrote to memory of 3344	4784	ad1f2095f630d9aeadca2ea71aa4f996.exe	101
PID 4784 wrote to memory of 3344	4784	ad1f2095f630d9aeadca2ea71aa4f996.exe	101

C:\Users\Admin\AppData\Local\Temp\ad1f2095f630d9aeadca2ea71aa4f996.exe
"C:\Users\Admin\AppData\Local\Temp\ad1f2095f630d9aeadca2ea71aa4f996.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\ad1f2095f630d9aeadca2ea71aa4f996.exe
  C:\Users\Admin\AppData\Local\Temp\ad1f2095f630d9aeadca2ea71aa4f996.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
1⤵
PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ad1f2095f630d9aeadca2ea71aa4f996.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
memory/3344-2227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3344-2228-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/3344-2230-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/3344-2231-0x0000000005360000-0x00000000053FC000-memory.dmp

Filesize
624KB

Download
memory/3344-2235-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/3344-2234-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/3344-2233-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/3344-2232-0x0000000005770000-0x0000000005788000-memory.dmp

Filesize
96KB

Download
memory/4784-32-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-40-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-6-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/4784-7-0x0000000006530000-0x000000000658E000-memory.dmp

Filesize
376KB

Download
memory/4784-8-0x0000000007CE0000-0x0000000007D58000-memory.dmp

Filesize
480KB

Download
memory/4784-9-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-10-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-12-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-14-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-16-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-18-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-20-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-22-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-24-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-26-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-28-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-30-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-4-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4784-34-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-36-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-38-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-5-0x0000000005140000-0x000000000514A000-memory.dmp

Filesize
40KB

Download
memory/4784-42-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-44-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-46-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-48-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-50-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-52-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-54-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-56-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-58-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-60-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-62-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-64-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-66-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-68-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-70-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-72-0x0000000007CE0000-0x0000000007D53000-memory.dmp

Filesize
460KB

Download
memory/4784-3-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/4784-2-0x0000000005450000-0x00000000059F4000-memory.dmp

Filesize
5.6MB

Download
memory/4784-1-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/4784-0-0x00000000004E0000-0x0000000000596000-memory.dmp

Filesize
728KB

Download
memory/4784-216-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4784-2229-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download