agenttesla | 726cd214c481a2d479a955e17b46ca6817ea14b30af2effd59e82d4ad32b7c45

General

Target

N factura 24-2024068723.exe
Size

694KB
MD5

edce040806b758f70011f54ffb65985c
SHA1

828ebe650830993ea4c2d6ae81913e73380aa16f
SHA256

489684ef7548f0cad3b675655551bbcd476d1b8fedc9411f797ed73ad820c82a
SHA512

842481c671c6ca37bc83131af972c7c8e2f5af27b6e43005d23a9ad49db0283ab814fb232d1e46172fe4d2e85fda38e1aa699182aeb4c752b1e88bb18bcfcfea
SSDEEP

12288:OsHzOUNUSB/o5LsI1uwajJ5yvv1l2WDGqzYjHglSHKqw5DRFC3lZ2QVL9kpMZWFi:xiUmSB/o5d1ubcv5CljY5hrUlZ2Q3ked

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1392-18-0x0000000001F80000-0x0000000001FD6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-22-0x00000000020D0000-0x0000000002124000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-28-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-40-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-48-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-58-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-66-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-64-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-78-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-82-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-80-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-76-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-74-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-72-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-70-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-68-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-62-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-60-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-56-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-54-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-52-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-50-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-46-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-44-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-42-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-38-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-36-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-34-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-32-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-30-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-26-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-24-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1392-23-0x00000000020D0000-0x000000000211E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2804-0-0x0000000001070000-0x00000000011F7000-memory.dmp	upx
behavioral1/memory/2804-14-0x0000000001070000-0x00000000011F7000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2804-14-0x0000000001070000-0x00000000011F7000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

N factura 24-2024068723.exe

description pid process target process

PID 2804 set thread context of 1392 2804 N factura 24-2024068723.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

1392 RegSvcs.exe
1392 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

N factura 24-2024068723.exe

pid process

2804 N factura 24-2024068723.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1392 RegSvcs.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

N factura 24-2024068723.exe

pid process

2804 N factura 24-2024068723.exe
2804 N factura 24-2024068723.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

N factura 24-2024068723.exe

pid process

2804 N factura 24-2024068723.exe
2804 N factura 24-2024068723.exe

description	pid	process	target process
PID 2804 set thread context of 1392	2804	N factura 24-2024068723.exe	RegSvcs.exe

pid	process
1392	RegSvcs.exe
1392	RegSvcs.exe

pid	process
2804	N factura 24-2024068723.exe

description	pid	process
Token: SeDebugPrivilege	1392	RegSvcs.exe

pid	process
2804	N factura 24-2024068723.exe
2804	N factura 24-2024068723.exe

pid	process
2804	N factura 24-2024068723.exe
2804	N factura 24-2024068723.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

N factura 24-2024068723.exe

description	pid	process	target process
PID 2804 wrote to memory of 1392	2804	N factura 24-2024068723.exe	RegSvcs.exe
PID 2804 wrote to memory of 1392	2804	N factura 24-2024068723.exe	RegSvcs.exe
PID 2804 wrote to memory of 1392	2804	N factura 24-2024068723.exe	RegSvcs.exe
PID 2804 wrote to memory of 1392	2804	N factura 24-2024068723.exe	RegSvcs.exe
PID 2804 wrote to memory of 1392	2804	N factura 24-2024068723.exe	RegSvcs.exe
PID 2804 wrote to memory of 1392	2804	N factura 24-2024068723.exe	RegSvcs.exe
PID 2804 wrote to memory of 1392	2804	N factura 24-2024068723.exe	RegSvcs.exe
PID 2804 wrote to memory of 1392	2804	N factura 24-2024068723.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\N factura 24-2024068723.exe
"C:\Users\Admin\AppData\Local\Temp\N factura 24-2024068723.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\N factura 24-2024068723.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1392-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1392-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1392-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1392-18-0x0000000001F80000-0x0000000001FD6000-memory.dmp

Filesize
344KB

Download
memory/1392-20-0x0000000000860000-0x00000000008A0000-memory.dmp

Filesize
256KB

Download
memory/1392-21-0x0000000000860000-0x00000000008A0000-memory.dmp

Filesize
256KB

Download
memory/1392-19-0x0000000000860000-0x00000000008A0000-memory.dmp

Filesize
256KB

Download
memory/1392-17-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/1392-22-0x00000000020D0000-0x0000000002124000-memory.dmp

Filesize
336KB

Download
memory/1392-28-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-40-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-48-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-58-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-66-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-64-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-78-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-82-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-80-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-76-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-74-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-72-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-70-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-68-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-62-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-60-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-56-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-54-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-52-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-50-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-46-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-44-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-42-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-38-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-36-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-34-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-32-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-30-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-26-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-24-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-23-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/1392-1067-0x0000000000860000-0x00000000008A0000-memory.dmp

Filesize
256KB

Download
memory/1392-1068-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1392-1069-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/1392-1070-0x0000000000860000-0x00000000008A0000-memory.dmp

Filesize
256KB

Download
memory/1392-1071-0x0000000000860000-0x00000000008A0000-memory.dmp

Filesize
256KB

Download
memory/1392-1072-0x0000000000860000-0x00000000008A0000-memory.dmp

Filesize
256KB

Download
memory/1392-1073-0x0000000000860000-0x00000000008A0000-memory.dmp

Filesize
256KB

Download
memory/2804-0-0x0000000001070000-0x00000000011F7000-memory.dmp

Filesize
1.5MB

Download
memory/2804-11-0x00000000002D0000-0x00000000002D4000-memory.dmp

Filesize
16KB

Download
memory/2804-14-0x0000000001070000-0x00000000011F7000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads