agenttesla | 57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb

Analysis

max time kernel
143s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
Size

1.2MB
MD5

d4089829797177e6d008fcb4379ce1a0
SHA1

50286992343b8a628d879cddc53a6eb954436d42
SHA256

57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb
SHA512

f28af57f563e9340eef734895702bd95236c764b158c445b3a704e45b56b981eda16c0254b1647eaec290500096abb75940785cc591bbcab84d75373ce26e5ff
SSDEEP

24576:DAHnh+eWsN3skA4RV1Hom2KXMmHa22yAys4uZRbAgXKzibK5:Oh+ZkldoPK8Ya22yAypuZmgaziE

Score

10^/10

agenttesla zgrat collection keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/4136-28-0x0000000002FA0000-0x0000000002FF6000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-31-0x00000000054B0000-0x0000000005504000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-33-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-40-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-92-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-90-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-88-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-84-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-82-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-80-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-78-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-76-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-74-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-72-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-70-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-68-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-66-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-64-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-62-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-60-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-58-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-54-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-52-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-50-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-48-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-46-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-44-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-42-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-38-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-36-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-34-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-86-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1
behavioral2/memory/4136-56-0x00000000054B0000-0x00000000054FE000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	api.ipify.org
28	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1004 set thread context of 4136	1004	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4136	RegSvcs.exe
4136	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2828	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
1004	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2828	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
2828	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
1004	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
1004	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2828	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
2828	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
1004	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
1004	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4136	RegSvcs.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 856	2828	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe	85
PID 2828 wrote to memory of 856	2828	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe	85
PID 2828 wrote to memory of 856	2828	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe	85
PID 2828 wrote to memory of 1004	2828	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe	86
PID 2828 wrote to memory of 1004	2828	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe	86
PID 2828 wrote to memory of 1004	2828	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe	86
PID 1004 wrote to memory of 4136	1004	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe	87
PID 1004 wrote to memory of 4136	1004	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe	87
PID 1004 wrote to memory of 4136	1004	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe	87
PID 1004 wrote to memory of 4136	1004	57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
"C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe"
  2⤵
  PID:856
- C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe
  "C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\57effe25b0694954debe861780a0dd92b8925dbf599129644e14c10344c1a1eb.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\intersentimental

Filesize
28KB

MD5
4ffec10d00da56c6aebb0f6f646db6bc

SHA1
fa4a97a74c5171566934d48071d3bc9e55722885

SHA256
d303f72f829a1ef0454eb3f150a89cc1900138462f51bf8f18bf292b75b39ee9

SHA512
e29345d912384c1fb0cab977765df3abb26b4838b4e38eb4ac71d14433f14deb7cee7f2a5afa0c38a03ed9d581c0ad58003d9fcb2705239694d41be52afa146f

Download Submit
memory/2828-10-0x00000000036E0000-0x00000000036E4000-memory.dmp

Filesize
16KB

Download
memory/4136-23-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4136-24-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4136-25-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4136-26-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4136-27-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/4136-28-0x0000000002FA0000-0x0000000002FF6000-memory.dmp

Filesize
344KB

Download
memory/4136-29-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4136-31-0x00000000054B0000-0x0000000005504000-memory.dmp

Filesize
336KB

Download
memory/4136-30-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/4136-32-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4136-33-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-40-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-156-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4136-92-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-90-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-88-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-84-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-82-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-80-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-78-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-76-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-74-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-72-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-70-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-68-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-66-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-64-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-62-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-60-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-58-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-54-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-52-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-50-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-48-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-46-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-44-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-42-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-38-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-36-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-34-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-86-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-56-0x00000000054B0000-0x00000000054FE000-memory.dmp

Filesize
312KB

Download
memory/4136-1066-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/4136-1067-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/4136-1068-0x0000000006B30000-0x0000000006B80000-memory.dmp

Filesize
320KB

Download
memory/4136-1069-0x0000000006C60000-0x0000000006CF2000-memory.dmp

Filesize
584KB

Download
memory/4136-1070-0x0000000006C20000-0x0000000006C2A000-memory.dmp

Filesize
40KB

Download
memory/4136-1071-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4136-1072-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/4136-1073-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download