agenttesla | c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f

Analysis

max time kernel
162s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe
Size

726KB
MD5

031869edeea7feb77af952ea0117f35b
SHA1

e5591137e9e7774b440d6808c06d5580552c7fdc
SHA256

c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f
SHA512

989d42981cb0080ebb269a9ca4a3229336b0340b9d8ff6b8ccff3ebe20786aff17e03e79d4008bf1e3d3ff7bfa084ae9d60c480ecf6f6de55324b188c85a5144
SSDEEP

12288:vkAzjWfB/rX5NPZTZp6H/XC28nnFqH6Wsgdaccy5SaG9F10:v/OJ/rLZl4/C28FosXTyIK

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.cyber.net.pk
Port:
587
Username:
[email protected]
Password:
Zain2357@

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cyber.net.pk
Port:
587
Username:
[email protected]
Password:
Zain2357@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/2732-2-0x0000000004D60000-0x0000000004E0C000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-3-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-4-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-6-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-8-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-10-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-12-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-14-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-16-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-18-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-20-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-22-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-24-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-26-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-28-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-30-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-32-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-34-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-36-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-38-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-40-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-44-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-42-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-46-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-48-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-50-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-52-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-54-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-56-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-58-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-60-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-62-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-64-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1
behavioral2/memory/2732-66-0x0000000004D60000-0x0000000004E05000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vlevvwzr = "C:\\Users\\Admin\\AppData\\Roaming\\Vlevvwzr.exe"	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DlXsFNN = "C:\\Users\\Admin\\AppData\\Roaming\\DlXsFNN\\DlXsFNN.exe"	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	api.ipify.org
59	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2732 set thread context of 4584	2732	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe	93

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8\Blob = 030000000100000014000000cbfe9eb43b3b37fe0dfbc4c2eb2d4e07d08bd8e81400000001000000140000000cdb6c82490f4a670ab814ee7ac4485288eb563804000000010000001000000098eb0b62c3fe53eac8caa8fdb58020ee0f0000000100000020000000b4e0a8c98b0aae43b7383037accd11a1c964971f6b74fcbc370cd030fb328ddd19000000010000001000000058f4c3aea49be319eaff0e54cef46cd35c00000001000000040000000008000018000000010000001000000014c3bd3549ee225aece13734ad8ca0b82000000001000000b7040000308204b33082039ba00302010202100b259422ced9812a15a04e99528a0efa300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3137313130323132323433335a170d3237313130323132323433335a3060310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311f301d06035504031316526170696453534c20544c532052534120434120473130820122300d06092a864886f70d01010105000382010f003082010a0282010100bfb9592544123516e25d5049050ae0cbfc8dda25089a67a6a26d11e36a9fdaa7dcf2d5a60dae985eed871a3703283ec66f5c347e84d24ea3d81b80e6154cfabc81773ce08ef960a38789503836b249419ea9dac250caac7ad07904223cc837ed4b40b7d74e5a6ece74e839ad61c930f4cb28ad172398c1444cfbf088f05345329061c36da1a5e01090e38b9aca93e5064961e8a4eea96f9fc81f0fe5dd0e7937924baebb4786fafbb2ad21abe6e5f92d18455a5bf5cc5403721fc42a6775eb79bacffc9cc7fa8b6bdcf2bc82dcedc4296fe93b4cbadaf56135ed83d29fd00d8c6f840a8f4f0d6dcdf65c2129008dbf0d601a882ec8242eec713b0675bc7924850203010001a382016630820162301d0603551d0e041604140cdb6c82490f4a670ab814ee7ac4485288eb5638301f0603551d230418301680144e2254201895e6e36ee60ffafab912ed06178f39300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7447322e63726c30630603551d20045c305a303706096086480186fd6c0101302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01023008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101001944a539be0add6b664a56e6139d146011d733448a5cfa8733393a5d05290a1785ff8a94f1a3a16a3b324501435758a1fee3c883b60746d162093ab81becdbe375f54fbee726048e23da6afd3a82c2dba467bbbd54b2f7240ab759dcb69a828bbef0bcb55991ce401ed314029112888db046f34312c835ff478b98823e9988d4ff660e8623a4687e0aa0a4376cb0b7345c8450128b7121970accfde9189f4509b30798c2cbcae05dfae096bd5705da881801ac2e7c2852fcf4fad43f6bab33d14b9236baa6b7b66213e382612605a106714c6fb006424bcdabd28d4bd75ddc659cd7b1ff7576b57a7a31cd68c4d2105d163c4f8546f45b7c22f28df8fe6f05c7	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4584	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe
4584	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe
Token: SeDebugPrivilege	4584	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 4584	2732	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe	93
PID 2732 wrote to memory of 4584	2732	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe	93
PID 2732 wrote to memory of 4584	2732	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe	93
PID 2732 wrote to memory of 4584	2732	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe	93
PID 2732 wrote to memory of 4584	2732	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe	93
PID 2732 wrote to memory of 4584	2732	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe	93
PID 2732 wrote to memory of 4584	2732	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe	93
PID 2732 wrote to memory of 4584	2732	c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe	93

C:\Users\Admin\AppData\Local\Temp\c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe
"C:\Users\Admin\AppData\Local\Temp\c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe
  C:\Users\Admin\AppData\Local\Temp\c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe
  2⤵
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c1e3420f0a16ce2a0bb44a91cd4c70460833a28e4ccaea6205d020a6b4a4287f.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
memory/2732-0-0x0000000000430000-0x00000000004EC000-memory.dmp

Filesize
752KB

Download
memory/2732-1-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2732-2-0x0000000004D60000-0x0000000004E0C000-memory.dmp

Filesize
688KB

Download
memory/2732-3-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-4-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-6-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-8-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-10-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-12-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-14-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-16-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-18-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-20-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-22-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-24-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-26-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-28-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-30-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-32-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-34-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-36-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-38-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-40-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-44-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-42-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-46-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-48-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-50-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-52-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-54-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-56-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-58-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-60-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-62-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-64-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-66-0x0000000004D60000-0x0000000004E05000-memory.dmp

Filesize
660KB

Download
memory/2732-935-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/2732-936-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/2732-937-0x0000000004E50000-0x0000000004E92000-memory.dmp

Filesize
264KB

Download
memory/2732-938-0x0000000004E90000-0x0000000004EDC000-memory.dmp

Filesize
304KB

Download
memory/2732-939-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/2732-945-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4584-946-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4584-944-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-947-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/4584-948-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/4584-950-0x0000000006EF0000-0x0000000006F40000-memory.dmp

Filesize
320KB

Download
memory/4584-951-0x0000000006FE0000-0x000000000707C000-memory.dmp

Filesize
624KB

Download
memory/4584-952-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4584-953-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/4584-956-0x00000000071B0000-0x0000000007242000-memory.dmp

Filesize
584KB

Download
memory/4584-957-0x0000000007290000-0x000000000729A000-memory.dmp

Filesize
40KB

Download