agenttesla | dd29fa71d454deae29357f4f0771b69413979c149a7bbf3096924f66fe2c5d91 | Triage

Submit
Reports

Overview

overview

Static

static

1

5e488c9b95...30.rtf

windows7-x64

5e488c9b95...30.rtf

windows10-2004-x64

1

Sharing

General

Target

5e488c9b956a9b6dfce1aa3309479c30.rtf
Size

70KB
Sample

240315-f8vlrshc2w
MD5

5e488c9b956a9b6dfce1aa3309479c30
SHA1

f0553cdb501f5a13c829beb433c22ae35e3693c2
SHA256

dd29fa71d454deae29357f4f0771b69413979c149a7bbf3096924f66fe2c5d91
SHA512

08f79f99affbb74b00262b0a3381fdb3aa4459c8be885152385b81d00f8ef8863c19e1a7af7df004de089673513b2be9931ce11897b389edd9a7157ed295bd36
SSDEEP

1536:HUcN5OSn3jEvo2aPvO++EyIN4tiEoKTPsmAxbf:HUcuWPvOBLtiEoKTUmG

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

5e488c9b956a9b6dfce1aa3309479c30.rtf

Resource

win7-20240221-en

agenttesla zgrat keylogger rat spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

5e488c9b956a9b6dfce1aa3309479c30.rtf

Resource

win10v2004-20240226-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
kFxADjwNBm$_

Targets

- Target
  
  5e488c9b956a9b6dfce1aa3309479c30.rtf
- Size
  
  70KB
- MD5
  
  5e488c9b956a9b6dfce1aa3309479c30
- SHA1
  
  f0553cdb501f5a13c829beb433c22ae35e3693c2
- SHA256
  
  dd29fa71d454deae29357f4f0771b69413979c149a7bbf3096924f66fe2c5d91
- SHA512
  
  08f79f99affbb74b00262b0a3381fdb3aa4459c8be885152385b81d00f8ef8863c19e1a7af7df004de089673513b2be9931ce11897b389edd9a7157ed295bd36
- SSDEEP
  
  1536:HUcN5OSn3jEvo2aPvO++EyIN4tiEoKTPsmAxbf:HUcuWPvOBLtiEoKTUmG
Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslazgratkeyloggerratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy