agenttesla | 25a42d6dbd96d7a70df28309aa1f29de5e4df5aa18eca1420302896f7324c006

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Arba Outstanding Statement.exe
Size

1.2MB
MD5

de2adabbce0147d01ae2fc5d80e9efbd
SHA1

5c499b18b0a6059a8266c14c2a7db79ef1511637
SHA256

c6a9cf5bccffab4f117d72117c58d725d779ed907d449426eb93a86956d33947
SHA512

1e13c6b64043253af3be935e7bc83934a2ec47b9a48a184e0d3d0b76e4881d1630b3c7090a408eebc9a5c2fb7fd4d7e985e565f40c99813dca2e57fa50d3124c
SSDEEP

24576:JAHnh+eWsN3skA4RV1Hom2KXMmHa1DIx+YJbBHtT95:Qh+ZkldoPK8Ya1kxxJrb

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral1/memory/2212-16-0x0000000001FE0000-0x0000000002034000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-20-0x0000000002030000-0x0000000002082000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-21-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-22-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-24-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-26-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-28-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-30-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-32-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-34-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-36-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-38-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-40-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-42-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-44-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-46-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-48-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-50-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-52-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-54-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-56-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-58-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-60-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-62-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-64-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-66-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-68-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-70-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-72-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-74-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-76-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-78-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2212-80-0x0000000002030000-0x000000000207D000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 2212	2200	Arba Outstanding Statement.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2212	RegSvcs.exe
2212	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2200	Arba Outstanding Statement.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2200	Arba Outstanding Statement.exe
2200	Arba Outstanding Statement.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2200	Arba Outstanding Statement.exe
2200	Arba Outstanding Statement.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2212	2200	Arba Outstanding Statement.exe	28
PID 2200 wrote to memory of 2212	2200	Arba Outstanding Statement.exe	28
PID 2200 wrote to memory of 2212	2200	Arba Outstanding Statement.exe	28
PID 2200 wrote to memory of 2212	2200	Arba Outstanding Statement.exe	28
PID 2200 wrote to memory of 2212	2200	Arba Outstanding Statement.exe	28
PID 2200 wrote to memory of 2212	2200	Arba Outstanding Statement.exe	28
PID 2200 wrote to memory of 2212	2200	Arba Outstanding Statement.exe	28
PID 2200 wrote to memory of 2212	2200	Arba Outstanding Statement.exe	28

C:\Users\Admin\AppData\Local\Temp\Arba Outstanding Statement.exe
"C:\Users\Admin\AppData\Local\Temp\Arba Outstanding Statement.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\Arba Outstanding Statement.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-10-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/2212-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2212-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2212-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2212-15-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-16-0x0000000001FE0000-0x0000000002034000-memory.dmp

Filesize
336KB

Download
memory/2212-17-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/2212-18-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/2212-19-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/2212-20-0x0000000002030000-0x0000000002082000-memory.dmp

Filesize
328KB

Download
memory/2212-21-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-22-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-24-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-26-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-28-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-30-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-32-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-34-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-36-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-38-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-40-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-42-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-44-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-46-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-48-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-50-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-52-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-54-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-56-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-58-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-60-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-62-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-64-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-66-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-68-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-70-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-72-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-74-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-76-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-78-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-80-0x0000000002030000-0x000000000207D000-memory.dmp

Filesize
308KB

Download
memory/2212-1051-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/2212-1052-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-1053-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/2212-1054-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/2212-1055-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download