agenttesla | e709e4b36a75347f128678da33353713f2bf7a56cf3a84275e8e1679f2f3adbe

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXJ-CHPV-05-N01-001.exe
Size

767KB
MD5

57d4e5602ac60212f7c422321c9b0b80
SHA1

a6d42a59f9d8121cfaab73f4b2b416e229fbafcd
SHA256

8a2fc6d9e2cc5549bc52b8914be340fbd0f72ae63d6f8b7959d1854342767e26
SHA512

b725661cbd3d35d889289fb86a3ca2a6355768cd35e047ff82f64c7717759703c24af2f2ee7bc31f50af3fc073fe9a1dee560d71305f180a2cb56676021aeed0
SSDEEP

12288:BLS6MKtR/ZZ4xYalDPn+v1spR4R9xSQkyRZNQKMza1Nn9zD7N+bd0/:pS6MkR/ZytPnIY2bSQkyRZNXMzeN1o0/

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.strato.de
Port:
587
Username:
[email protected]
Password:
Oy1)8JSu_qPx(rzV_{Xu

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 22 IoCs

resource	yara_rule
behavioral1/memory/2692-31-0x0000000001FD0000-0x0000000002028000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-33-0x00000000020C0000-0x0000000002116000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-51-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-73-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-71-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-69-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-67-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-65-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-63-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-61-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-59-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-57-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-55-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-53-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-49-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-47-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-45-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-43-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-41-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-39-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-37-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-36-0x00000000020C0000-0x0000000002110000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zNAKSP = "C:\\Users\\Admin\\AppData\\Roaming\\zNAKSP\\zNAKSP.exe"	wmplayer.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org
13	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 2692	2188	EXJ-CHPV-05-N01-001.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	wmplayer.exe
2692	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	wmplayer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	wmplayer.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2876	2188	EXJ-CHPV-05-N01-001.exe	28
PID 2188 wrote to memory of 2876	2188	EXJ-CHPV-05-N01-001.exe	28
PID 2188 wrote to memory of 2876	2188	EXJ-CHPV-05-N01-001.exe	28
PID 2188 wrote to memory of 2876	2188	EXJ-CHPV-05-N01-001.exe	28
PID 2188 wrote to memory of 2876	2188	EXJ-CHPV-05-N01-001.exe	28
PID 2188 wrote to memory of 2876	2188	EXJ-CHPV-05-N01-001.exe	28
PID 2188 wrote to memory of 2876	2188	EXJ-CHPV-05-N01-001.exe	28
PID 2188 wrote to memory of 2876	2188	EXJ-CHPV-05-N01-001.exe	28
PID 2188 wrote to memory of 1364	2188	EXJ-CHPV-05-N01-001.exe	29
PID 2188 wrote to memory of 1364	2188	EXJ-CHPV-05-N01-001.exe	29
PID 2188 wrote to memory of 1364	2188	EXJ-CHPV-05-N01-001.exe	29
PID 2188 wrote to memory of 1364	2188	EXJ-CHPV-05-N01-001.exe	29
PID 2188 wrote to memory of 1364	2188	EXJ-CHPV-05-N01-001.exe	29
PID 2188 wrote to memory of 1364	2188	EXJ-CHPV-05-N01-001.exe	29
PID 2188 wrote to memory of 1364	2188	EXJ-CHPV-05-N01-001.exe	29
PID 2188 wrote to memory of 1364	2188	EXJ-CHPV-05-N01-001.exe	29
PID 2188 wrote to memory of 1364	2188	EXJ-CHPV-05-N01-001.exe	29
PID 2188 wrote to memory of 2068	2188	EXJ-CHPV-05-N01-001.exe	30
PID 2188 wrote to memory of 2068	2188	EXJ-CHPV-05-N01-001.exe	30
PID 2188 wrote to memory of 2068	2188	EXJ-CHPV-05-N01-001.exe	30
PID 2188 wrote to memory of 2068	2188	EXJ-CHPV-05-N01-001.exe	30
PID 2188 wrote to memory of 2596	2188	EXJ-CHPV-05-N01-001.exe	31
PID 2188 wrote to memory of 2596	2188	EXJ-CHPV-05-N01-001.exe	31
PID 2188 wrote to memory of 2596	2188	EXJ-CHPV-05-N01-001.exe	31
PID 2188 wrote to memory of 2596	2188	EXJ-CHPV-05-N01-001.exe	31
PID 2188 wrote to memory of 2692	2188	EXJ-CHPV-05-N01-001.exe	32
PID 2188 wrote to memory of 2692	2188	EXJ-CHPV-05-N01-001.exe	32
PID 2188 wrote to memory of 2692	2188	EXJ-CHPV-05-N01-001.exe	32
PID 2188 wrote to memory of 2692	2188	EXJ-CHPV-05-N01-001.exe	32
PID 2188 wrote to memory of 2692	2188	EXJ-CHPV-05-N01-001.exe	32
PID 2188 wrote to memory of 2692	2188	EXJ-CHPV-05-N01-001.exe	32
PID 2188 wrote to memory of 2692	2188	EXJ-CHPV-05-N01-001.exe	32
PID 2188 wrote to memory of 2692	2188	EXJ-CHPV-05-N01-001.exe	32
PID 2188 wrote to memory of 2692	2188	EXJ-CHPV-05-N01-001.exe	32
PID 2188 wrote to memory of 2692	2188	EXJ-CHPV-05-N01-001.exe	32
PID 2188 wrote to memory of 2588	2188	EXJ-CHPV-05-N01-001.exe	33
PID 2188 wrote to memory of 2588	2188	EXJ-CHPV-05-N01-001.exe	33
PID 2188 wrote to memory of 2588	2188	EXJ-CHPV-05-N01-001.exe	33
PID 2188 wrote to memory of 2588	2188	EXJ-CHPV-05-N01-001.exe	33

C:\Users\Admin\AppData\Local\Temp\EXJ-CHPV-05-N01-001.exe
"C:\Users\Admin\AppData\Local\Temp\EXJ-CHPV-05-N01-001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2596
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2692
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4203eadfc69237ac858454ad2b1e782f

SHA1
163081fee9ec3d1ef2635c7f8ec7b28bbcc5e309

SHA256
02571fd83f89f7ce1b1cd42fb9d9aa8968301b2e63e3c5d3f25a82f6bcd89b7c

SHA512
8649974f2a810bafcf114641b7489753356a59b08ce324a6f69f96576f813782803d398757739b7f317d9a22afc45ce80b51e37ef400cc99f519e0d9388b14be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2F01.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2188-29-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-1-0x0000000000F50000-0x0000000000F7A000-memory.dmp

Filesize
168KB

Download
memory/2188-2-0x0000000000E70000-0x0000000000F0E000-memory.dmp

Filesize
632KB

Download
memory/2188-3-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-0-0x000007FEF5A83000-0x000007FEF5A84000-memory.dmp

Filesize
4KB

Download
memory/2692-65-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-53-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-30-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/2692-28-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2692-31-0x0000000001FD0000-0x0000000002028000-memory.dmp

Filesize
352KB

Download
memory/2692-34-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-33-0x00000000020C0000-0x0000000002116000-memory.dmp

Filesize
344KB

Download
memory/2692-51-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-73-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-71-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-69-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-67-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-1372-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-63-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-61-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-59-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-57-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-55-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-27-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2692-49-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-47-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-45-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-43-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-41-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-39-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-37-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-36-0x00000000020C0000-0x0000000002110000-memory.dmp

Filesize
320KB

Download
memory/2692-35-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-32-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-1168-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-1371-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/2876-6-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2876-7-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2876-9-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2876-5-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2876-4-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download