agenttesla | 0766dcf703dbf0243d873fff3b325054eee96ce58a9753ac8aa9891c311b4434

General

Target

62402781, Fiyat Teklif Talebi.pdf.exe
Size

1.2MB
MD5

52e4f8ee79c595a890bc451dfbbbb9f4
SHA1

12b24cc207161c893d5c87fc12453c083275d11f
SHA256

0766dcf703dbf0243d873fff3b325054eee96ce58a9753ac8aa9891c311b4434
SHA512

b10bad66f74786fef8e514c807700127e5518f3b64f14c6f05585f65bf01da7e0ff38de338e88ff1d5698e7c7a4c6f60a3294066ce7ea0d7b8a2881a67e3fcea
SSDEEP

24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8alPCJcAwNhy:sTvC/MTQYxsWR7alPC6B

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4268-17-0x00000000034F0000-0x0000000003544000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-23-0x0000000005A20000-0x0000000005A72000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-24-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-27-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-25-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-29-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-31-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-33-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-35-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-37-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-39-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-41-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-43-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-45-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-47-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-49-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-51-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-53-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-55-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-57-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-59-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-61-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-63-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-65-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-67-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-69-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-71-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-73-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-75-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-77-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-79-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-81-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1
behavioral2/memory/4268-83-0x0000000005A20000-0x0000000005A6D000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT = "C:\\Users\\Admin\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

62402781, Fiyat Teklif Talebi.pdf.exe

description pid process target process

PID 4536 set thread context of 4268 4536 62402781, Fiyat Teklif Talebi.pdf.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

4268 RegSvcs.exe
4268 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

62402781, Fiyat Teklif Talebi.pdf.exe

pid process

4536 62402781, Fiyat Teklif Talebi.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 4268 RegSvcs.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

62402781, Fiyat Teklif Talebi.pdf.exe

pid process

4536 62402781, Fiyat Teklif Talebi.pdf.exe
4536 62402781, Fiyat Teklif Talebi.pdf.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

62402781, Fiyat Teklif Talebi.pdf.exe

pid process

4536 62402781, Fiyat Teklif Talebi.pdf.exe
4536 62402781, Fiyat Teklif Talebi.pdf.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

4268 RegSvcs.exe

description	pid	process	target process
PID 4536 set thread context of 4268	4536	62402781, Fiyat Teklif Talebi.pdf.exe	RegSvcs.exe

pid	process
4268	RegSvcs.exe
4268	RegSvcs.exe

pid	process
4536	62402781, Fiyat Teklif Talebi.pdf.exe

description	pid	process
Token: SeDebugPrivilege	4268	RegSvcs.exe

pid	process
4536	62402781, Fiyat Teklif Talebi.pdf.exe
4536	62402781, Fiyat Teklif Talebi.pdf.exe

pid	process
4536	62402781, Fiyat Teklif Talebi.pdf.exe
4536	62402781, Fiyat Teklif Talebi.pdf.exe

pid	process
4268	RegSvcs.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

62402781, Fiyat Teklif Talebi.pdf.exe

description	pid	process	target process
PID 4536 wrote to memory of 4268	4536	62402781, Fiyat Teklif Talebi.pdf.exe	RegSvcs.exe
PID 4536 wrote to memory of 4268	4536	62402781, Fiyat Teklif Talebi.pdf.exe	RegSvcs.exe
PID 4536 wrote to memory of 4268	4536	62402781, Fiyat Teklif Talebi.pdf.exe	RegSvcs.exe
PID 4536 wrote to memory of 4268	4536	62402781, Fiyat Teklif Talebi.pdf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\62402781, Fiyat Teklif Talebi.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\62402781, Fiyat Teklif Talebi.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\62402781, Fiyat Teklif Talebi.pdf.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut6E3B.tmp
Filesize
262KB

MD5
af93bac11a87df70b05710e2b7218060

SHA1
2a4a8a7ac508ff1981296b784b6042e5d7c150a0

SHA256
33b56671717891b41069f8a8252e1aa46dcd99e681393f4be26235d85291df1c

SHA512
27163075fc4e0d6b98b3188eda42e0d01e5acb0f1f53ee6742e0123c267007ad6829dda77a7517baaf5c5a9f27d90483d7866becf0ce5319e45824163844f4ba

Download Submit
memory/4268-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4268-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4268-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4268-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4268-18-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4268-17-0x00000000034F0000-0x0000000003544000-memory.dmp

Filesize
336KB

Download
memory/4268-19-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/4268-20-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/4268-21-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/4268-22-0x0000000005FD0000-0x0000000006574000-memory.dmp

Filesize
5.6MB

Download
memory/4268-23-0x0000000005A20000-0x0000000005A72000-memory.dmp

Filesize
328KB

Download
memory/4268-24-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-27-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-25-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-29-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-31-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-33-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-35-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-37-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-39-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-41-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-43-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-45-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-47-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-49-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-51-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-53-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-55-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-57-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-59-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-61-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-63-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-65-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-67-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-69-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-71-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-73-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-75-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-77-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-79-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-81-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-83-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4268-1057-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/4268-1056-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/4268-1059-0x0000000006940000-0x0000000006990000-memory.dmp

Filesize
320KB

Download
memory/4268-1060-0x0000000006B50000-0x0000000006BE2000-memory.dmp

Filesize
584KB

Download
memory/4268-1061-0x0000000006B00000-0x0000000006B0A000-memory.dmp

Filesize
40KB

Download
memory/4268-1062-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4268-1063-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4268-1064-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/4268-1065-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/4268-1066-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/4536-12-0x0000000000A00000-0x0000000000A04000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads