agenttesla | 09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241

General

Target

09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe
Size

1.3MB
MD5

2733d3e9cdcf0af38e45d784cebedf80
SHA1

e0b288da25e9104678373e99857965a3a069c669
SHA256

09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241
SHA512

d99e22bf4e1eafeb4ab6f8a4c9f70f68cb0f49d2218f6aaa42811bcbd8f8cba41aa1270c6826ef90d415793a77881773e05536816e6da0b4d09dfd9dd2a9edea
SSDEEP

24576:AAHnh+eWsN3skA4RV1Hom2KXMmHaW2KYnnjMbgP7EHH7e5:3h+ZkldoPK8YaW2CbgP72Y

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2832-15-0x0000000000450000-0x00000000004A4000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-19-0x0000000000BB0000-0x0000000000C02000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-20-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-21-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-23-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-25-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-27-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-29-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-31-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-33-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-35-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-37-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-39-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-41-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-43-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-45-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-47-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-49-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-51-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-53-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-55-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-57-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-59-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-61-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-63-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-65-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-67-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-77-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-75-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-79-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-73-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-71-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-69-0x0000000000BB0000-0x0000000000BFD000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe

description	pid	process	target process
PID 2780 set thread context of 2832	2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2832 RegSvcs.exe
2832 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe

pid process

2780 09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2832 RegSvcs.exe

pid	process
2832	RegSvcs.exe
2832	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2832	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe

pid	process
2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe
2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe

pid	process
2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe
2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe

description	pid	process	target process
PID 2780 wrote to memory of 2832	2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe	RegSvcs.exe
PID 2780 wrote to memory of 2832	2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe	RegSvcs.exe
PID 2780 wrote to memory of 2832	2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe	RegSvcs.exe
PID 2780 wrote to memory of 2832	2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe	RegSvcs.exe
PID 2780 wrote to memory of 2832	2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe	RegSvcs.exe
PID 2780 wrote to memory of 2832	2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe	RegSvcs.exe
PID 2780 wrote to memory of 2832	2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe	RegSvcs.exe
PID 2780 wrote to memory of 2832	2780	09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe
"C:\Users\Admin\AppData\Local\Temp\09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\09cd94026dff3e9aa72b6598a20edb7f50e7ea7d64d570c11d76f52aaea2e241.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2780-10-0x00000000000C0000-0x00000000000C4000-memory.dmp

Filesize
16KB

Download
memory/2832-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2832-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2832-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2832-15-0x0000000000450000-0x00000000004A4000-memory.dmp

Filesize
336KB

Download
memory/2832-17-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2832-16-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/2832-18-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2832-19-0x0000000000BB0000-0x0000000000C02000-memory.dmp

Filesize
328KB

Download
memory/2832-20-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-21-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-23-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-25-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-27-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-29-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-31-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-33-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-35-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-37-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-39-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-41-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-43-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-45-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-47-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-49-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-51-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-53-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-55-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-57-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-59-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-61-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-63-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-65-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-67-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-77-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-75-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-79-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-73-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-71-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-69-0x0000000000BB0000-0x0000000000BFD000-memory.dmp

Filesize
308KB

Download
memory/2832-1050-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2832-1051-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2832-1052-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/2832-1053-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2832-1054-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads