agenttesla | 01e100cfdb783c2714ea21e39ae159358cc05f48409754643655baacbd115aca

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe
Size

1.1MB
MD5

6dd3fcee83d72a307d0ca48f6da398b0
SHA1

0976eb07bfed46cc79447a40129366ab4c77920c
SHA256

01e100cfdb783c2714ea21e39ae159358cc05f48409754643655baacbd115aca
SHA512

45da22c69eac60dbb36e8c41ba32bf3bc7098b26dda3455038c57716326dc70d9ce1d980949022ccc664c169e082ca586f19dbd138e1a4ab2357f08d99320a01
SSDEEP

24576:TqDEvCTbMWu7rQYlBQcBiT6rprG8a4ArikpaAEU8ie04/aaENU:TTvC/MTQYxsWR7aVmmaNU8fR1E

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral1/memory/2704-30-0x00000000001F0000-0x0000000000244000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-31-0x0000000000BF0000-0x0000000000C42000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-40-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-38-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-46-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-94-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-92-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-90-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-88-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-86-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-84-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-82-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-80-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-78-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-76-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-74-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-72-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-70-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-68-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-66-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-64-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-62-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-60-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-58-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-56-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-54-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-52-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-50-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-48-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-44-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-42-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-36-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2704-35-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctsdvwT = "C:\\Users\\Admin\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2704	2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2704	RegSvcs.exe
2704	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe
2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe
2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe
2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe
2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe
2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe
2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe
2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2704	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2736	2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	28
PID 2212 wrote to memory of 2736	2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	28
PID 2212 wrote to memory of 2736	2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	28
PID 2212 wrote to memory of 2736	2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	28
PID 2212 wrote to memory of 2736	2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	28
PID 2212 wrote to memory of 2736	2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	28
PID 2212 wrote to memory of 2736	2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	28
PID 2212 wrote to memory of 2308	2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	29
PID 2212 wrote to memory of 2308	2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	29
PID 2212 wrote to memory of 2308	2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	29
PID 2212 wrote to memory of 2308	2212	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	29
PID 2308 wrote to memory of 2704	2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	30
PID 2308 wrote to memory of 2704	2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	30
PID 2308 wrote to memory of 2704	2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	30
PID 2308 wrote to memory of 2704	2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	30
PID 2308 wrote to memory of 2704	2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	30
PID 2308 wrote to memory of 2704	2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	30
PID 2308 wrote to memory of 2704	2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	30
PID 2308 wrote to memory of 2704	2308	6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe	30

C:\Users\Admin\AppData\Local\Temp\6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe"
  2⤵
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\6dd3fcee83d72a307d0ca48f6da398b0_NEAS.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\soliloquised

Filesize
261KB

MD5
6cc005fe3b58de3b541cda009371dadb

SHA1
2e0d66edf3f50c62010196bfdefb0df0d5248ab1

SHA256
2f01dadd0110d17545802a6a2e350248dbc55dfad50c47ddab351a63cdc1aa42

SHA512
a328385b12d1e92af4f9dcaa6c9e2718513d9b170ba2ce6fb7735e79550d80da5772f78cfaf62371f006952d2514e1c59e3b4122ca115eabd6709f1927599596

Download Submit
C:\Users\Admin\AppData\Local\Temp\soliloquised

Filesize
261KB

MD5
244e0f6e2bc5ea7db87c2961e52fb66a

SHA1
30941ced5f09b6aedc5e4524d6f85458683eab6b

SHA256
3ef2c6f623d0aacd8bde32505452b00e2c32cfd85b600690d77e50b67945f74e

SHA512
571037aaff68bced9419a10eb705b3a17bde385eec23eaa7a04fce8bec038b0f194b5042e35c227ebc668044824fea49994566436c2e99f2e39a982ca358fcc3

Download Submit
memory/2212-11-0x0000000000760000-0x0000000000764000-memory.dmp

Filesize
16KB

Download
memory/2704-84-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-29-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2704-28-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2704-78-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-30-0x00000000001F0000-0x0000000000244000-memory.dmp

Filesize
336KB

Download
memory/2704-31-0x0000000000BF0000-0x0000000000C42000-memory.dmp

Filesize
328KB

Download
memory/2704-32-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2704-33-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2704-34-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2704-40-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-38-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-46-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-94-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-1067-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2704-92-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-76-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-88-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-86-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-25-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2704-82-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-1069-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2704-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2704-90-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-74-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-72-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-70-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-68-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-66-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-64-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-62-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-60-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-58-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-56-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-54-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-52-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-50-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-48-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-44-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-42-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-36-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-35-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-80-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2704-1070-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download