agenttesla | 726cd214c481a2d479a955e17b46ca6817ea14b30af2effd59e82d4ad32b7c45

General

Target

N factura 24-2024068723.exe
Size

694KB
MD5

edce040806b758f70011f54ffb65985c
SHA1

828ebe650830993ea4c2d6ae81913e73380aa16f
SHA256

489684ef7548f0cad3b675655551bbcd476d1b8fedc9411f797ed73ad820c82a
SHA512

842481c671c6ca37bc83131af972c7c8e2f5af27b6e43005d23a9ad49db0283ab814fb232d1e46172fe4d2e85fda38e1aa699182aeb4c752b1e88bb18bcfcfea
SSDEEP

12288:OsHzOUNUSB/o5LsI1uwajJ5yvv1l2WDGqzYjHglSHKqw5DRFC3lZ2QVL9kpMZWFi:xiUmSB/o5d1ubcv5CljY5hrUlZ2Q3ked

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 32 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3108-32-0x0000000003310000-0x0000000003366000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-37-0x00000000058D0000-0x0000000005924000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-41-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-39-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-38-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-43-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-47-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-45-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-49-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-51-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-55-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-53-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-57-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-71-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-73-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-91-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-93-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-89-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-87-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-95-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-85-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-83-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-81-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-79-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-77-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-75-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-69-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-67-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-65-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-63-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-61-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3108-59-0x00000000058D0000-0x000000000591E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4556-0-0x0000000000150000-0x00000000002D7000-memory.dmp	upx
behavioral2/memory/4012-13-0x0000000000150000-0x00000000002D7000-memory.dmp	upx
behavioral2/memory/4556-12-0x0000000000150000-0x00000000002D7000-memory.dmp	upx
behavioral2/memory/4012-29-0x0000000000150000-0x00000000002D7000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com

flow	ioc
22	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4556-12-0x0000000000150000-0x00000000002D7000-memory.dmp	autoit_exe
behavioral2/memory/4012-29-0x0000000000150000-0x00000000002D7000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

N factura 24-2024068723.exe

description pid process target process

PID 4012 set thread context of 3108 4012 N factura 24-2024068723.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

3108 RegSvcs.exe
3108 RegSvcs.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

N factura 24-2024068723.exeN factura 24-2024068723.exe

pid process

4556 N factura 24-2024068723.exe
4012 N factura 24-2024068723.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 3108 RegSvcs.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

N factura 24-2024068723.exeN factura 24-2024068723.exe

pid process

4556 N factura 24-2024068723.exe
4556 N factura 24-2024068723.exe
4012 N factura 24-2024068723.exe
4012 N factura 24-2024068723.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

N factura 24-2024068723.exeN factura 24-2024068723.exe

pid process

4556 N factura 24-2024068723.exe
4556 N factura 24-2024068723.exe
4012 N factura 24-2024068723.exe
4012 N factura 24-2024068723.exe

description	pid	process	target process
PID 4012 set thread context of 3108	4012	N factura 24-2024068723.exe	RegSvcs.exe

pid	process
3108	RegSvcs.exe
3108	RegSvcs.exe

pid	process
4556	N factura 24-2024068723.exe
4012	N factura 24-2024068723.exe

description	pid	process
Token: SeDebugPrivilege	3108	RegSvcs.exe

pid	process
4556	N factura 24-2024068723.exe
4556	N factura 24-2024068723.exe
4012	N factura 24-2024068723.exe
4012	N factura 24-2024068723.exe

pid	process
4556	N factura 24-2024068723.exe
4556	N factura 24-2024068723.exe
4012	N factura 24-2024068723.exe
4012	N factura 24-2024068723.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

N factura 24-2024068723.exeN factura 24-2024068723.exe

description	pid	process	target process
PID 4556 wrote to memory of 760	4556	N factura 24-2024068723.exe	RegSvcs.exe
PID 4556 wrote to memory of 760	4556	N factura 24-2024068723.exe	RegSvcs.exe
PID 4556 wrote to memory of 760	4556	N factura 24-2024068723.exe	RegSvcs.exe
PID 4556 wrote to memory of 4012	4556	N factura 24-2024068723.exe	N factura 24-2024068723.exe
PID 4556 wrote to memory of 4012	4556	N factura 24-2024068723.exe	N factura 24-2024068723.exe
PID 4556 wrote to memory of 4012	4556	N factura 24-2024068723.exe	N factura 24-2024068723.exe
PID 4012 wrote to memory of 3108	4012	N factura 24-2024068723.exe	RegSvcs.exe
PID 4012 wrote to memory of 3108	4012	N factura 24-2024068723.exe	RegSvcs.exe
PID 4012 wrote to memory of 3108	4012	N factura 24-2024068723.exe	RegSvcs.exe
PID 4012 wrote to memory of 3108	4012	N factura 24-2024068723.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\N factura 24-2024068723.exe
"C:\Users\Admin\AppData\Local\Temp\N factura 24-2024068723.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\N factura 24-2024068723.exe"
2⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\N factura 24-2024068723.exe
"C:\Users\Admin\AppData\Local\Temp\N factura 24-2024068723.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\N factura 24-2024068723.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\disturb
Filesize
28KB

MD5
2a614639d699722ed576299ae2f08e03

SHA1
e74dd1a1dfebb18a83cc6c83deef28a3c9b625f6

SHA256
3dfe5f9cb3ad3ad22eddd43b4211d2ae0aebd5d3a7d1505e7ecf12b216a207fd

SHA512
e6c282f864cad85caa9aae91b8a28fe76dcb42f20a88836675135afed7a2d1d5315ad7d626c02155508cc3278e35b984449cea5aaf15b379b237bfdd66a4b936

Download Submit
C:\Users\Admin\AppData\Local\Temp\teer
Filesize
264KB

MD5
cef5aabee2a6e984b5217039d43a6ebb

SHA1
410112426bf704e75bfa15def56ecb320ff36d85

SHA256
d26dee13126f582e6b5ffe0ca639d734665b3a99aaf76df436fe716638c0396a

SHA512
de991e7e5c13a7bd4839c24c5b959025bfe7edb1ad38d89ec14bb7d262b91d572dd99b2df54079f1ff91115fbfa5305a91937df32292c8045c8c1bfe0a53c6eb

Download Submit
memory/3108-73-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-1089-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3108-26-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3108-1090-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3108-30-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3108-91-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-28-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3108-32-0x0000000003310000-0x0000000003366000-memory.dmp

Filesize
344KB

Download
memory/3108-31-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3108-33-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3108-34-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3108-35-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3108-36-0x0000000005EF0000-0x0000000006494000-memory.dmp

Filesize
5.6MB

Download
memory/3108-37-0x00000000058D0000-0x0000000005924000-memory.dmp

Filesize
336KB

Download
memory/3108-41-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-39-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-38-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-43-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-47-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-45-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-49-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-51-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-55-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-53-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-57-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-71-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-1091-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3108-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3108-81-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-89-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-87-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-95-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-85-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-83-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-93-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-79-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-77-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-75-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-69-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-67-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-65-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-63-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-61-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-59-0x00000000058D0000-0x000000000591E000-memory.dmp

Filesize
312KB

Download
memory/3108-1082-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3108-1083-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/3108-1084-0x0000000006CC0000-0x0000000006D10000-memory.dmp

Filesize
320KB

Download
memory/3108-1085-0x0000000006DB0000-0x0000000006E42000-memory.dmp

Filesize
584KB

Download
memory/3108-1086-0x0000000006D40000-0x0000000006D4A000-memory.dmp

Filesize
40KB

Download
memory/3108-1087-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3108-1088-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4012-29-0x0000000000150000-0x00000000002D7000-memory.dmp

Filesize
1.5MB

Download
memory/4012-13-0x0000000000150000-0x00000000002D7000-memory.dmp

Filesize
1.5MB

Download
memory/4556-0-0x0000000000150000-0x00000000002D7000-memory.dmp

Filesize
1.5MB

Download
memory/4556-11-0x0000000002FF0000-0x0000000002FF4000-memory.dmp

Filesize
16KB

Download
memory/4556-12-0x0000000000150000-0x00000000002D7000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads