agenttesla | 8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe
Size

1.1MB
MD5

06388533c682f59188cf1ffbcdccf2b8
SHA1

07e292076b3864e15ff5f59e8c5716aa1526eba3
SHA256

8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3
SHA512

66af30850a245b50ffaba98a2669129fe7a232a6fb20020b4ca6ec58a1d2024baeeabdab8d8cf64051095907509413be9ceffcea2803a77c8ac8636c65cada13
SSDEEP

12288:GaHTg/Ewz5XzyNLcHu/nweVaeX2JzgskkNJckI1PHS0uBnY+ayxdyY2FCe5:UyNAOfweAPvrJI6GyxdyYg9

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
28#75@ts76&&p!!@P
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2392-4-0x0000000004A80000-0x0000000004B38000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-17-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-5-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-6-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-28-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-52-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-8-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-10-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-12-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-14-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-20-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-36-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-68-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-66-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-64-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-62-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-60-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-58-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-56-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-54-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-50-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-48-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-46-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-44-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-42-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-40-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-38-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-34-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-32-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-30-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-26-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-24-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-22-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1
behavioral1/memory/2392-18-0x0000000004A80000-0x0000000004B33000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
2	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2392 set thread context of 1424	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	31

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe
1424	aspnet_compiler.exe
1424	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe
Token: SeDebugPrivilege	1424	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1424	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1188	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	30
PID 2392 wrote to memory of 1188	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	30
PID 2392 wrote to memory of 1188	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	30
PID 2392 wrote to memory of 1188	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	30
PID 2392 wrote to memory of 1424	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	31
PID 2392 wrote to memory of 1424	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	31
PID 2392 wrote to memory of 1424	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	31
PID 2392 wrote to memory of 1424	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	31
PID 2392 wrote to memory of 1424	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	31
PID 2392 wrote to memory of 1424	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	31
PID 2392 wrote to memory of 1424	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	31
PID 2392 wrote to memory of 1424	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	31
PID 2392 wrote to memory of 1424	2392	8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe	31

C:\Users\Admin\AppData\Local\Temp\8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe
"C:\Users\Admin\AppData\Local\Temp\8fb239b0d4f35af1c3bd27a2b0934deb7e1c6dff1fcc56aa9023677f2a9993f3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  2⤵
  PID:1188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1424-1137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1424-1141-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-1140-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-1139-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-50-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-6-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-5-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-48-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-28-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-52-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-8-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-10-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-12-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-14-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/2392-36-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-46-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-66-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-64-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-62-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-60-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-58-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-56-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-54-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-20-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-17-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-68-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-44-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-42-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-40-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-38-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-34-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-32-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-30-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-26-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-24-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-22-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-18-0x0000000004A80000-0x0000000004B33000-memory.dmp

Filesize
716KB

Download
memory/2392-1119-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-1121-0x0000000000C70000-0x0000000000CBC000-memory.dmp

Filesize
304KB

Download
memory/2392-1120-0x0000000000500000-0x0000000000542000-memory.dmp

Filesize
264KB

Download
memory/2392-1122-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/2392-1123-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-1138-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-4-0x0000000004A80000-0x0000000004B38000-memory.dmp

Filesize
736KB

Download
memory/2392-3-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-2-0x0000000000F20000-0x0000000000FD8000-memory.dmp

Filesize
736KB

Download
memory/2392-1-0x0000000001030000-0x0000000001148000-memory.dmp

Filesize
1.1MB

Download