agenttesla | 3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a

General

Target

3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
Size

1.2MB
MD5

1b453ca9236f5b70f3c7c255eba1c45a
SHA1

9e66fb5257155f5b44d8b8f24ab377b0f47aaba8
SHA256

3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a
SHA512

eacb7952a901b5fde0f0e6f0ba46b2313d0e13d63fab4fee57115c4c6dd476e7bcbeb0f96f24d2795a4624001c4e562730985dac8d4befc3ed88c997053434d6
SSDEEP

24576:oqDEvCTbMWu7rQYlBQcBiT6rprG8a55MZisxzKqoa+:oTvC/MTQYxsWR7a55Cua

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3492-31-0x00000000028A0000-0x00000000028F4000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-37-0x00000000051A0000-0x00000000051F2000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-39-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-41-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-38-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-43-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-47-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-45-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-49-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-51-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-53-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-55-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-57-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-59-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-61-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-63-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-65-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-67-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-69-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-71-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-73-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-75-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-77-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-79-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-81-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-83-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-85-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-87-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-89-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-91-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-93-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-95-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-97-0x00000000051A0000-0x00000000051ED000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
17 api.ipify.org

flow	ioc
16	api.ipify.org
17	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe

description	pid	process	target process
PID 4888 set thread context of 3492	4888	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

3492 RegSvcs.exe
3492 RegSvcs.exe

pid	process
3492	RegSvcs.exe
3492	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe

pid	process
1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
4888	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 3492 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3492	RegSvcs.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe

pid	process
1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
4888	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
4888	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe

pid	process
1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
4888	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
4888	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe

description	pid	process	target process
PID 1100 wrote to memory of 5044	1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe	RegSvcs.exe
PID 1100 wrote to memory of 5044	1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe	RegSvcs.exe
PID 1100 wrote to memory of 5044	1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe	RegSvcs.exe
PID 1100 wrote to memory of 4888	1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
PID 1100 wrote to memory of 4888	1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
PID 1100 wrote to memory of 4888	1100	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
PID 4888 wrote to memory of 3492	4888	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe	RegSvcs.exe
PID 4888 wrote to memory of 3492	4888	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe	RegSvcs.exe
PID 4888 wrote to memory of 3492	4888	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe	RegSvcs.exe
PID 4888 wrote to memory of 3492	4888	3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
"C:\Users\Admin\AppData\Local\Temp\3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe"
2⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe
"C:\Users\Admin\AppData\Local\Temp\3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\3fb4903b9429a85b65f816eb8f90a3ae01eb38eef3ebb5f622587af468173d1a.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\electicism
Filesize
261KB

MD5
dc97e470ca951592e92d507f8fe34eb9

SHA1
6f4ad49bdfee442adb57b0bfa76b587bd88f4e61

SHA256
653f43b559c2c68448cb899b54c831d5926d14b315c2e57fd7557f0d7d5e9af9

SHA512
f4e2d9add0dfc9b2e2ea8bc341cedc6ba870b3209a608b7d8f8380df1c5a9c5e63d7cfb48e93e9098311c6a522154c23637cfadcd271f4a6405e4d756f336e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\unfatiguing
Filesize
29KB

MD5
97be17809c80c2bd4d289652c46bd2a6

SHA1
7251f0fc7fadc8e2c86b9231cf39c5aa487ba171

SHA256
b05374c43b45bd267de5576097a585eec92ca3714348c9b62366df89d0b70610

SHA512
2f2f25a5afe298a756679baf47b2c7d1d757c9f7a99cac19d82f44de3b8140eb10ae80f54fbd29e8edebe0d3ae610a803a53ebe7271878004ea1ce0abcbbb5cb

Download Submit
memory/1100-12-0x0000000001740000-0x0000000001744000-memory.dmp

Filesize
16KB

Download
memory/3492-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3492-28-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3492-29-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3492-30-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3492-31-0x00000000028A0000-0x00000000028F4000-memory.dmp

Filesize
336KB

Download
memory/3492-32-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3492-34-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3492-33-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3492-35-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3492-36-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/3492-37-0x00000000051A0000-0x00000000051F2000-memory.dmp

Filesize
328KB

Download
memory/3492-39-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-41-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-38-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-43-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-47-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-45-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-49-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-51-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-53-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-55-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-57-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-59-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-61-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-63-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-65-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-67-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-69-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-71-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-73-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-75-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-77-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-79-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-81-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-83-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-85-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-87-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-89-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-91-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-93-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-95-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-97-0x00000000051A0000-0x00000000051ED000-memory.dmp

Filesize
308KB

Download
memory/3492-1068-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3492-1069-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/3492-1070-0x0000000006800000-0x0000000006850000-memory.dmp

Filesize
320KB

Download
memory/3492-1071-0x00000000068F0000-0x0000000006982000-memory.dmp

Filesize
584KB

Download
memory/3492-1072-0x0000000006860000-0x000000000686A000-memory.dmp

Filesize
40KB

Download
memory/3492-1073-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3492-1074-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3492-1075-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3492-1076-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3492-1077-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/3492-1078-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads