agenttesla | 25a42d6dbd96d7a70df28309aa1f29de5e4df5aa18eca1420302896f7324c006

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Arba Outstanding Statement.exe
Size

1.2MB
MD5

de2adabbce0147d01ae2fc5d80e9efbd
SHA1

5c499b18b0a6059a8266c14c2a7db79ef1511637
SHA256

c6a9cf5bccffab4f117d72117c58d725d779ed907d449426eb93a86956d33947
SHA512

1e13c6b64043253af3be935e7bc83934a2ec47b9a48a184e0d3d0b76e4881d1630b3c7090a408eebc9a5c2fb7fd4d7e985e565f40c99813dca2e57fa50d3124c
SSDEEP

24576:JAHnh+eWsN3skA4RV1Hom2KXMmHa1DIx+YJbBHtT95:Qh+ZkldoPK8Ya1kxxJrb

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/2152-15-0x00000000053F0000-0x0000000005444000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-20-0x0000000005480000-0x00000000054D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-22-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-21-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-24-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-26-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-28-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-30-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-32-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-34-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-36-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-38-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-40-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-42-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-44-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-46-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-48-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-50-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-52-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-54-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-56-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-58-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-60-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-64-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-62-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-66-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-68-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-70-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-72-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-74-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-76-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-80-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1
behavioral2/memory/2152-78-0x0000000005480000-0x00000000054CD000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
14	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3184 set thread context of 2152	3184	Arba Outstanding Statement.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2152	RegSvcs.exe
2152	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3184	Arba Outstanding Statement.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3184	Arba Outstanding Statement.exe
3184	Arba Outstanding Statement.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3184	Arba Outstanding Statement.exe
3184	Arba Outstanding Statement.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 2152	3184	Arba Outstanding Statement.exe	85
PID 3184 wrote to memory of 2152	3184	Arba Outstanding Statement.exe	85
PID 3184 wrote to memory of 2152	3184	Arba Outstanding Statement.exe	85
PID 3184 wrote to memory of 2152	3184	Arba Outstanding Statement.exe	85

C:\Users\Admin\AppData\Local\Temp\Arba Outstanding Statement.exe
"C:\Users\Admin\AppData\Local\Temp\Arba Outstanding Statement.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\Arba Outstanding Statement.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2152-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2152-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2152-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2152-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2152-15-0x00000000053F0000-0x0000000005444000-memory.dmp

Filesize
336KB

Download
memory/2152-16-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/2152-17-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/2152-18-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/2152-19-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/2152-20-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2152-22-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-21-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-24-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-26-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-28-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-30-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-32-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-34-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-36-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-38-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-40-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-42-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-44-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-46-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-48-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-50-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-52-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-54-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-56-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-58-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-60-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-64-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-62-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-66-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-68-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-70-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-72-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-74-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-76-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-80-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-78-0x0000000005480000-0x00000000054CD000-memory.dmp

Filesize
308KB

Download
memory/2152-1051-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/2152-1052-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/2152-1053-0x0000000006C40000-0x0000000006C90000-memory.dmp

Filesize
320KB

Download
memory/2152-1054-0x0000000006D30000-0x0000000006DC2000-memory.dmp

Filesize
584KB

Download
memory/2152-1055-0x0000000006CA0000-0x0000000006CAA000-memory.dmp

Filesize
40KB

Download
memory/2152-1056-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/2152-1057-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2152-1058-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/2152-1059-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/2152-1060-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/3184-10-0x00000000015D0000-0x00000000015D4000-memory.dmp

Filesize
16KB

Download