agenttesla | 15950c159d16cbd4d69e99f4519c42a973ea0444c74da0be153ef708bc7d48f1

General

Target

doc20242803125126.exe
Size

1.1MB
MD5

80b5ba36422500dfcfdc3f554b764bbe
SHA1

42b7867a3dc3a1a79293694dd40aa100b6c8fa61
SHA256

361f6fd74a8f73d2dab79c455f734490b415fc4df5dfe1063fbe8c4cfca39e90
SHA512

0a6d740d04d210e28b21cb953af305625a416f878552408713d25194058177b59857294f9f5025ea834a66ccbfaa3a3c144c877fc1f3af21236c3b730a2dba94
SSDEEP

24576:eRmJkcoQricOIQxiZY1iarshzGuISZlLa6Qjz6:LJZoQrbTFZY1iaohauInjW

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
sslout.de
Port:
587
Username:
it@heizoel-menrad.de
Password:
dataset123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2596-73-0x00000000050E0000-0x0000000005138000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-79-0x00000000051A0000-0x00000000051F6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-80-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-81-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-83-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-85-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-87-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-89-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-91-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-93-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-95-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-97-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-99-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-101-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-103-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-105-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-107-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-109-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-111-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-113-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-115-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-117-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-119-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-121-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-123-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-125-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-127-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-129-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-131-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-133-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-135-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-137-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2596-139-0x00000000051A0000-0x00000000051F0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

doc20242803125126.exe

description pid process target process

PID 4268 set thread context of 2596 4268 doc20242803125126.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2596 RegSvcs.exe
2596 RegSvcs.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

doc20242803125126.exedoc20242803125126.exedoc20242803125126.exedoc20242803125126.exedoc20242803125126.exe

pid process

5020 doc20242803125126.exe
4404 doc20242803125126.exe
3820 doc20242803125126.exe
1844 doc20242803125126.exe
4268 doc20242803125126.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2596 RegSvcs.exe

flow	ioc
2	ip-api.com

description	pid	process	target process
PID 4268 set thread context of 2596	4268	doc20242803125126.exe	RegSvcs.exe

pid	process
2596	RegSvcs.exe
2596	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2596	RegSvcs.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

doc20242803125126.exedoc20242803125126.exedoc20242803125126.exedoc20242803125126.exedoc20242803125126.exe

pid	process
5020	doc20242803125126.exe
5020	doc20242803125126.exe
4404	doc20242803125126.exe
4404	doc20242803125126.exe
3820	doc20242803125126.exe
3820	doc20242803125126.exe
1844	doc20242803125126.exe
1844	doc20242803125126.exe
4268	doc20242803125126.exe
4268	doc20242803125126.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

doc20242803125126.exedoc20242803125126.exedoc20242803125126.exedoc20242803125126.exedoc20242803125126.exe

pid	process
5020	doc20242803125126.exe
5020	doc20242803125126.exe
4404	doc20242803125126.exe
4404	doc20242803125126.exe
3820	doc20242803125126.exe
3820	doc20242803125126.exe
1844	doc20242803125126.exe
1844	doc20242803125126.exe
4268	doc20242803125126.exe
4268	doc20242803125126.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

doc20242803125126.exedoc20242803125126.exedoc20242803125126.exedoc20242803125126.exedoc20242803125126.exe

description	pid	process	target process
PID 5020 wrote to memory of 2992	5020	doc20242803125126.exe	RegSvcs.exe
PID 5020 wrote to memory of 2992	5020	doc20242803125126.exe	RegSvcs.exe
PID 5020 wrote to memory of 2992	5020	doc20242803125126.exe	RegSvcs.exe
PID 5020 wrote to memory of 4404	5020	doc20242803125126.exe	doc20242803125126.exe
PID 5020 wrote to memory of 4404	5020	doc20242803125126.exe	doc20242803125126.exe
PID 5020 wrote to memory of 4404	5020	doc20242803125126.exe	doc20242803125126.exe
PID 4404 wrote to memory of 3804	4404	doc20242803125126.exe	RegSvcs.exe
PID 4404 wrote to memory of 3804	4404	doc20242803125126.exe	RegSvcs.exe
PID 4404 wrote to memory of 3804	4404	doc20242803125126.exe	RegSvcs.exe
PID 4404 wrote to memory of 3820	4404	doc20242803125126.exe	doc20242803125126.exe
PID 4404 wrote to memory of 3820	4404	doc20242803125126.exe	doc20242803125126.exe
PID 4404 wrote to memory of 3820	4404	doc20242803125126.exe	doc20242803125126.exe
PID 3820 wrote to memory of 3980	3820	doc20242803125126.exe	RegSvcs.exe
PID 3820 wrote to memory of 3980	3820	doc20242803125126.exe	RegSvcs.exe
PID 3820 wrote to memory of 3980	3820	doc20242803125126.exe	RegSvcs.exe
PID 3820 wrote to memory of 1844	3820	doc20242803125126.exe	doc20242803125126.exe
PID 3820 wrote to memory of 1844	3820	doc20242803125126.exe	doc20242803125126.exe
PID 3820 wrote to memory of 1844	3820	doc20242803125126.exe	doc20242803125126.exe
PID 1844 wrote to memory of 2260	1844	doc20242803125126.exe	RegSvcs.exe
PID 1844 wrote to memory of 2260	1844	doc20242803125126.exe	RegSvcs.exe
PID 1844 wrote to memory of 2260	1844	doc20242803125126.exe	RegSvcs.exe
PID 1844 wrote to memory of 4268	1844	doc20242803125126.exe	doc20242803125126.exe
PID 1844 wrote to memory of 4268	1844	doc20242803125126.exe	doc20242803125126.exe
PID 1844 wrote to memory of 4268	1844	doc20242803125126.exe	doc20242803125126.exe
PID 4268 wrote to memory of 2596	4268	doc20242803125126.exe	RegSvcs.exe
PID 4268 wrote to memory of 2596	4268	doc20242803125126.exe	RegSvcs.exe
PID 4268 wrote to memory of 2596	4268	doc20242803125126.exe	RegSvcs.exe
PID 4268 wrote to memory of 2596	4268	doc20242803125126.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe
"C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe"
2⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe
"C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe"
3⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe
"C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe"
4⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe
"C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe"
5⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe
"C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\doc20242803125126.exe"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autC95B.tmp
Filesize
267KB

MD5
840b5fe74139620577e01400cdd437a2

SHA1
36e691008c06cffc80e8ee361518150cb5bc8138

SHA256
f2668ef746437bbce0a2b3d0d6890006edb52f002c50e86326abac3b8a7095c0

SHA512
1bb49c611e3a0012168932e20dea2ad2742da5ab77d571e18aeb111b7f505e75d0b0a301e98e9b25ca31647d09c8d81c0c4f42af28403b0d320773b6be4eb6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\autE020.tmp
Filesize
9KB

MD5
91abb17ca17715609d9dcd9cf7721fff

SHA1
a30a3f16c7804e30b5ab5a6f34eb77eacf018b13

SHA256
a9e42a1ee6f5ca8cf28a378317f477239681bc9ecb4d0dc44cb192c84e594eae

SHA512
7de43e1787bb1dd48ced6b961ab359fb4ada3a4c1c0e00eb92391b369ed8bfde223e6a34c9f465727f40307b91c43c604b2283088619eb18ea7d8aa78afd16a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fondaco
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\snaith
Filesize
29KB

MD5
698010303907efcaee4ee433d75ac09d

SHA1
c6f9697e2ec7a7f6baf1e68b5bf7906474042837

SHA256
e97064e8fd11ee6a56e952bae66425f67206b6f38e10e8213db041a75287e7a5

SHA512
8558e2259da03176161ac98037d831aa66ef99829eb814a3702ea8cad62e9547fab8dfa546ed67a4a707d702870171983276ee2f0609c9d6827dfddb60d7c69c

Download Submit
memory/2596-69-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2596-70-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2596-71-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2596-72-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2596-73-0x00000000050E0000-0x0000000005138000-memory.dmp

Filesize
352KB

Download
memory/2596-74-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-75-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2596-76-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2596-77-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/2596-78-0x0000000005660000-0x0000000005B5E000-memory.dmp

Filesize
5.0MB

Download
memory/2596-79-0x00000000051A0000-0x00000000051F6000-memory.dmp

Filesize
344KB

Download
memory/2596-80-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-81-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-83-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-85-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-87-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-89-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-91-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-93-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-95-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-97-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-99-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-101-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-103-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-105-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-107-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-109-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-111-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-113-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-115-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-117-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-119-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-121-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-123-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-125-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-127-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-129-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-131-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-133-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-135-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-137-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-139-0x00000000051A0000-0x00000000051F0000-memory.dmp

Filesize
320KB

Download
memory/2596-1210-0x0000000005360000-0x00000000053C6000-memory.dmp

Filesize
408KB

Download
memory/2596-1211-0x0000000006560000-0x00000000065F2000-memory.dmp

Filesize
584KB

Download
memory/2596-1212-0x0000000006600000-0x0000000006650000-memory.dmp

Filesize
320KB

Download
memory/2596-1213-0x00000000066F0000-0x000000000678C000-memory.dmp

Filesize
624KB

Download
memory/5020-12-0x0000000003FD0000-0x0000000003FD4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads