agenttesla | b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed

General

Target

b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe
Size

1.1MB
MD5

623ee380ebde7c5c8f12d9847de16305
SHA1

caea83bfa0f2c44a5f4645dc1fb1642e57dca3f4
SHA256

b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed
SHA512

74ab2ce17e0536a21281647228d7cb5b79f67dbac56bb76652a3954b9dd291c9f6953b80d625acec21c5c1427255ab6046eae88ce5ac80cba64b6fe3768905ea
SSDEEP

24576:pAHnh+eWsN3skA4RV1Hom2KXMmHaOrw/kS0dI8+cLUkf5:wh+ZkldoPK8YaOukOcLr

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1944-17-0x0000000004F30000-0x0000000004F84000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-23-0x0000000005000000-0x0000000005054000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-24-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-25-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-27-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-29-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-31-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-33-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-35-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-37-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-39-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-41-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-43-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-45-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-47-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-49-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-51-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-53-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-55-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-57-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-59-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-61-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-63-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-65-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-67-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-69-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-71-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-73-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-75-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-77-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-79-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-81-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1
behavioral2/memory/1944-83-0x0000000005000000-0x000000000504D000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 ip-api.com

flow	ioc
36	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe

description	pid	process	target process
PID 968 set thread context of 1944	968	b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

1944 RegSvcs.exe
1944 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe

pid process

968 b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1944 RegSvcs.exe

pid	process
1944	RegSvcs.exe
1944	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1944	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe

pid	process
968	b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe
968	b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe

pid	process
968	b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe
968	b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe

description	pid	process	target process
PID 968 wrote to memory of 1944	968	b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe	RegSvcs.exe
PID 968 wrote to memory of 1944	968	b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe	RegSvcs.exe
PID 968 wrote to memory of 1944	968	b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe	RegSvcs.exe
PID 968 wrote to memory of 1944	968	b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe
"C:\Users\Admin\AppData\Local\Temp\b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\b3ee243fec9de264cfd5f0743552ffc89b1379236153d36b48d9d520620228ed.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut3642.tmp
Filesize
262KB

MD5
08f3164f66456fd3891bc4d13481905c

SHA1
c5d5ccadfaf5229b57db852a098516b01d42e6ca

SHA256
51526fcb85fed1fb2810ef1fd5386bb2e39514aa89328cdd31d4413074e0f1fe

SHA512
a7c9de657cbb8c9ce6784af8034bbfdee04a5779fce560a21921385e37ecef7bce5e50e66253cbad1565768caed29a961686ea55a64a9d1c62ba07b1845257e6

Download Submit
memory/968-12-0x0000000003F10000-0x0000000003F14000-memory.dmp

Filesize
16KB

Download
memory/1944-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1944-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1944-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1944-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1944-19-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1944-18-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/1944-17-0x0000000004F30000-0x0000000004F84000-memory.dmp

Filesize
336KB

Download
memory/1944-20-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1944-21-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1944-22-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/1944-23-0x0000000005000000-0x0000000005054000-memory.dmp

Filesize
336KB

Download
memory/1944-24-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-25-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-27-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-29-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-31-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-33-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-35-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-37-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-39-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-41-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-43-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-45-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-47-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-49-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-51-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-53-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-55-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-57-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-59-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-61-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-63-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-65-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-67-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-69-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-71-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-73-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-75-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-77-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-79-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-81-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-83-0x0000000005000000-0x000000000504D000-memory.dmp

Filesize
308KB

Download
memory/1944-1068-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1944-1069-0x0000000005200000-0x0000000005266000-memory.dmp

Filesize
408KB

Download
memory/1944-1070-0x00000000063E0000-0x0000000006430000-memory.dmp

Filesize
320KB

Download
memory/1944-1071-0x00000000064D0000-0x0000000006562000-memory.dmp

Filesize
584KB

Download
memory/1944-1072-0x0000000006460000-0x000000000646A000-memory.dmp

Filesize
40KB

Download
memory/1944-1073-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1944-1074-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/1944-1075-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1944-1076-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads