Analysis Overview
SHA256
94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043
Threat Level: Known bad
The file 94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Detect ZGRat V1
ZGRat
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-02 01:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-02 01:05
Reported
2024-05-02 01:07
Platform
win7-20231129-en
Max time kernel
118s
Max time network
135s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(34 identical matches recorded; the sandbox captured no description, indicator, process or target for any of them)
ZGRat
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2328 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe
"C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe"
C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe
"C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe"
Network
| Country | Destination | Domain | Proto |
| UA | 5.34.182.232:80 | 5.34.182.232 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/2328-0-0x000000007474E000-0x000000007474F000-memory.dmp
memory/2328-1-0x00000000003A0000-0x00000000003DC000-memory.dmp
memory/2328-2-0x0000000074740000-0x0000000074E2E000-memory.dmp
memory/2328-3-0x00000000066C0000-0x00000000068F0000-memory.dmp
memory/2328-4-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-15-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-17-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-13-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-21-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-25-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-29-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-31-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-35-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-39-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-41-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-51-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-53-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-49-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-47-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-45-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-43-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-37-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-33-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-27-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-23-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-19-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-11-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-9-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-7-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-55-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-5-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-57-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-67-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-66-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-63-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-4884-0x0000000074740000-0x0000000074E2E000-memory.dmp
memory/2328-61-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-60-0x00000000066C0000-0x00000000068EA000-memory.dmp
memory/2328-4886-0x00000000042C0000-0x000000000430C000-memory.dmp
memory/2328-4885-0x00000000057B0000-0x000000000581C000-memory.dmp
memory/2328-4887-0x00000000046F0000-0x0000000004744000-memory.dmp
memory/2624-4902-0x0000000074740000-0x0000000074E2E000-memory.dmp
memory/2624-4901-0x0000000074740000-0x0000000074E2E000-memory.dmp
memory/2328-4900-0x0000000074740000-0x0000000074E2E000-memory.dmp
memory/2624-4899-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2624-4917-0x0000000074740000-0x0000000074E2E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-02 01:05
Reported
2024-05-02 01:07
Platform
win10v2004-20240419-en
Max time kernel
140s
Max time network
133s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(34 identical matches recorded; the sandbox captured no description, indicator, process or target for any of them)
ZGRat
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4640 set thread context of 4936 | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe
"C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe"
C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe
"C:\Users\Admin\AppData\Local\Temp\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| UA | 5.34.182.232:80 | 5.34.182.232 | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 232.182.34.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 66.29.151.236:587 |  | tcp |
| US | 8.8.8.8:53 | 236.151.29.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
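The two Network tables above mix three kinds of traffic: background noise from the sandbox's Windows image (pki.goog, microsoft.com, bing.com, reverse lookups), the public-IP lookup services the "Looks up external IP address via web service" signature refers to, and connections that went straight to a hard-coded address with no hostname in front of them (5.34.182.232:80 in both runs, 66.29.151.236:587 in behavioral2). The last group is what a responder blocks and hunts for; port 587 is the SMTP submission port, and AgentTesla is widely documented to exfiltrate stolen credentials over SMTP, so a bare-IP connection there is treated as a candidate exfiltration channel. The script below is an added triage example, not part of the report or of the sandbox's own tooling. Its input rows are copied from the two tables (de-duplicated, most reverse lookups omitted), and the noise-suffix list is an assumption about what the sandbox image itself generates.

```python
"""Network-table triage for a sandbox report (added example, not the report's own tooling)."""
import ipaddress
import re

# Constructed input: rows copied from the behavioral1 and behavioral2 Network tables,
# de-duplicated and with most of the reverse-lookup noise omitted.
SAMPLE_ROWS = """
| UA | 5.34.182.232:80 | 5.34.182.232 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 66.29.151.236:587 |  | tcp |
| US | 8.8.8.8:53 | 236.151.29.66.in-addr.arpa | udp |
"""

# Public-IP lookup services named in the report's signature rows.
IP_LOOKUP_SERVICES = {"api.ipify.org", "ip-api.com"}

# Background traffic of the sandbox's Windows image (assumption: treated as benign noise).
NOISE_SUFFIXES = ("pki.goog", "microsoft.com", "bing.com", "bing.net", "in-addr.arpa")

# Mail ports: a bare-IP connection here is a candidate SMTP exfiltration channel.
MAIL_PORTS = {25, 465, 587}

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>[^|:]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>tcp|udp)\s*\|$"
)


def parse_rows(text):
    """Parse '| CC | ip:port | domain | proto |' rows; malformed lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"cc": m["cc"], "ip": m["ip"].strip(), "port": int(m["port"]),
                         "domain": m["domain"] or None, "proto": m["proto"]})
    return rows


def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def is_noise(domain):
    return domain is not None and domain.endswith(NOISE_SUFFIXES)


def triage(rows):
    """Split connections into the buckets a responder cares about."""
    f = {"ip_lookup": set(), "direct_to_ip": set(), "smtp_candidate": set(), "dns_queries": set()}
    for r in rows:
        if r["port"] == 53:
            # DNS rows tell us what was asked for, not where data went.
            f["dns_queries"].add(r["domain"])
            if r["domain"] in IP_LOOKUP_SERVICES:
                f["ip_lookup"].add(r["domain"])
            continue
        if is_noise(r["domain"]):
            continue
        dest = f'{r["ip"]}:{r["port"]}'
        if r["domain"] in IP_LOOKUP_SERVICES:
            f["ip_lookup"].add(r["domain"])
        elif r["domain"] is None or is_ip(r["domain"]):
            # No hostname preceded the connection: the address is hard-coded in the sample.
            (f["smtp_candidate"] if r["port"] in MAIL_PORTS else f["direct_to_ip"]).add(dest)
    return f


def block_list(findings):
    """Destinations worth blocking outright: the hard-coded ones, not the public lookup APIs."""
    return sorted(findings["direct_to_ip"] | findings["smtp_candidate"])


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    for bucket, values in result.items():
        print(f"{bucket}: {sorted(values)}")
    print("block:", block_list(result))
```

The public lookup APIs are deliberately kept out of the block list: they are shared infrastructure that plenty of legitimate software also calls, so they belong in a detection rule as a weak signal, not in a firewall deny list. The two bare-IP destinations are the ones to block and to search for in proxy and NetFlow history.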
Files
memory/4640-0-0x000000007485E000-0x000000007485F000-memory.dmp
memory/4640-1-0x0000000000410000-0x000000000044C000-memory.dmp
memory/4640-2-0x0000000074850000-0x0000000075000000-memory.dmp
memory/4640-3-0x0000000005EF0000-0x0000000006120000-memory.dmp
memory/4640-4-0x00000000066D0000-0x0000000006C74000-memory.dmp
memory/4640-5-0x0000000006220000-0x00000000062B2000-memory.dmp
memory/4640-15-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-13-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-29-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-33-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-55-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-59-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-69-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-67-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-65-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-63-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-61-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-57-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-53-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-51-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-49-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-47-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-45-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-43-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-41-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-39-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-37-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-35-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-31-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-25-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-27-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-19-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-17-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-11-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-9-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-7-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-23-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-21-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-6-0x0000000005EF0000-0x000000000611A000-memory.dmp
memory/4640-4886-0x0000000074850000-0x0000000075000000-memory.dmp
memory/4640-4887-0x0000000005820000-0x000000000588C000-memory.dmp
memory/4640-4888-0x0000000005890000-0x00000000058DC000-memory.dmp
memory/4640-4889-0x0000000005BF0000-0x0000000005C44000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\94f3761d04c98e0447311db1addf9326270921c0f5170242107d81124480f043.exe.log
| MD5 | f3eb81974dc5933681e933f07209ff5f |
| SHA1 | 7af8cae0f1d03e82daaf784df9886705685baac7 |
| SHA256 | e82069884dd428bd6a1c67fe00c5fa56f9c4d62b538b694694a699588f1f4ab2 |
| SHA512 | d9aa3871dffb76c8a73a7940fa03bbc9b65cf575cbd07f7c1fbf490cb0f3d670415eaef0bf79e34689f61ab3cdfbb104efdef004becc12e54b501f02f948aaff |
memory/4936-4893-0x0000000074850000-0x0000000075000000-memory.dmp
memory/4640-4894-0x0000000074850000-0x0000000075000000-memory.dmp
memory/4936-4895-0x0000000000800000-0x0000000000842000-memory.dmp
memory/4936-4896-0x0000000004E40000-0x0000000004EA6000-memory.dmp
memory/4936-4897-0x0000000074850000-0x0000000075000000-memory.dmp
memory/4936-4898-0x0000000006430000-0x0000000006480000-memory.dmp
memory/4936-4899-0x0000000006520000-0x00000000065BC000-memory.dmp
memory/4936-4900-0x00000000064D0000-0x00000000064DA000-memory.dmp
memory/4936-4901-0x0000000074850000-0x0000000075000000-memory.dmp
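In both detonations the SetThreadContext row names the same executable as source and target, and the Processes section lists two instances of it: the sample starts a second copy of itself and rewrites that copy's thread context (the WriteProcessMemory and SeDebugPrivilege rows are the rest of that sequence). The Files list then gives one dump per memory region, named `memory/<pid>-<seq>-<start>-<end>-memory.dmp`. Regions that appear under both PIDs at the same address and size are shared modules; regions that exist only in the injected child are where the unpacked payload lives. The script below is an added example, not the sandbox's tooling, that applies that rule to the rows above. The dump lists are a subset copied from the two Files sections, and the "same size in every run means the same injected image" step is a heuristic, not something the report states.

```python
"""Correlate the SetThreadContext row with the memory-dump list (added example)."""
import re
from collections import defaultdict

INJECT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Constructed from the report: the injection row and a subset of each detonation's Files list.
RUNS = {
    "behavioral1": {
        "inject": "PID 2328 set thread context of 2624",
        "dumps": """
memory/2328-2-0x0000000074740000-0x0000000074E2E000-memory.dmp
memory/2328-4885-0x00000000057B0000-0x000000000581C000-memory.dmp
memory/2328-4887-0x00000000046F0000-0x0000000004744000-memory.dmp
memory/2624-4902-0x0000000074740000-0x0000000074E2E000-memory.dmp
memory/2624-4899-0x0000000000400000-0x0000000000442000-memory.dmp
""",
    },
    "behavioral2": {
        "inject": "PID 4640 set thread context of 4936",
        "dumps": """
memory/4640-2-0x0000000074850000-0x0000000075000000-memory.dmp
memory/4640-4889-0x0000000005BF0000-0x0000000005C44000-memory.dmp
memory/4936-4893-0x0000000074850000-0x0000000075000000-memory.dmp
memory/4936-4895-0x0000000000800000-0x0000000000842000-memory.dmp
memory/4936-4896-0x0000000004E40000-0x0000000004EA6000-memory.dmp
memory/4936-4898-0x0000000006430000-0x0000000006480000-memory.dmp
memory/4936-4899-0x0000000006520000-0x00000000065BC000-memory.dmp
memory/4936-4900-0x00000000064D0000-0x00000000064DA000-memory.dmp
""",
    },
}


def parse_injection(desc):
    """'PID A set thread context of B' -> (A, B)."""
    m = INJECT_RE.search(desc)
    return int(m.group(1)), int(m.group(2))


def parse_dumps(text):
    """Map pid -> set of (start, end) regions the sandbox dumped."""
    regions = defaultdict(set)
    for line in text.strip().splitlines():
        m = DUMP_RE.search(line)
        if m:
            regions[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16)))
    return regions


def candidate_payload_regions(regions, src, dst):
    """Regions dumped from the injected process that the injector never had.
    Ranges present in both PIDs (same address, same size) are shared modules."""
    return regions[dst] - regions[src]


def triage_run(run):
    src, dst = parse_injection(run["inject"])
    return candidate_payload_regions(parse_dumps(run["dumps"]), src, dst)


def cross_run_matches(candidates):
    """Heuristic: a region size that recurs in every detonation is the same injected
    image loaded at a different base. Returns {size: {run: {(start, end), ...}}}."""
    by_size = {}
    for name, regs in candidates.items():
        sizes = defaultdict(set)
        for s, e in regs:
            sizes[e - s].add((s, e))
        by_size[name] = sizes
    common = set.intersection(*(set(d) for d in by_size.values()))
    return {size: {name: by_size[name][size] for name in by_size} for size in sorted(common)}


if __name__ == "__main__":
    cands = {name: triage_run(run) for name, run in RUNS.items()}
    for name, regs in cands.items():
        print(name, [f"0x{s:X}-0x{e:X}" for s, e in sorted(regs)])
    for size, per_run in cross_run_matches(cands).items():
        print(f"size 0x{size:X} recurs in every run:", per_run)
```

On the Win7 run the child holds exactly one region the parent never had, 0x400000-0x442000 (0x400000 being the conventional 32-bit PE image base); on the Win10 run the same 0x42000-byte region sits at 0x800000 among several heap-sized regions. That is the dump to pull from each run first, and a size match across two detonations is a reasonable reason to expect the same payload in both before spending time on a PE carve.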