agenttesla | 0ae05a66eb5e6dd6fc26a59f27d48f3cd28ae6c1454082045a32aff02d87c854

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO-20231228003.exe
Size

1.3MB
MD5

bb078c83338aa40005dcc903e8d00842
SHA1

99516fbbfc72156970db12059d52a9d2f16aff5b
SHA256

0ae05a66eb5e6dd6fc26a59f27d48f3cd28ae6c1454082045a32aff02d87c854
SHA512

5b56402c626a92237d1e0a11e6c9034b1632fda921eb5c6fc0389b44e1f4c6eaa0318d0fa0ec2d5be8221c240d98d754bd275a9097f6bd592d3626af0d199e4e
SSDEEP

24576:y4lavt0LkLL9IMixoEgeadMxjIuN6RimoUayq9MmCS:lkwkn9IMHeadAjCCU1aPCS

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral1/memory/2516-28-0x0000000000340000-0x0000000000394000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-30-0x00000000005C0000-0x0000000000612000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-36-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-50-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-92-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-90-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-88-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-86-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-84-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-82-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-80-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-78-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-76-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-74-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-72-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-70-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-68-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-66-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-64-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-62-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-60-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-58-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-56-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-54-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-52-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-48-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-46-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-44-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-42-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-40-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-38-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-34-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-33-0x00000000005C0000-0x000000000060D000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2516	2524	PO-20231228003.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2516	RegSvcs.exe
2516	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1612	PO-20231228003.exe
2524	PO-20231228003.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1612	PO-20231228003.exe
1612	PO-20231228003.exe
2524	PO-20231228003.exe
2524	PO-20231228003.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1612	PO-20231228003.exe
1612	PO-20231228003.exe
2524	PO-20231228003.exe
2524	PO-20231228003.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2336	1612	PO-20231228003.exe	28
PID 1612 wrote to memory of 2336	1612	PO-20231228003.exe	28
PID 1612 wrote to memory of 2336	1612	PO-20231228003.exe	28
PID 1612 wrote to memory of 2336	1612	PO-20231228003.exe	28
PID 1612 wrote to memory of 2336	1612	PO-20231228003.exe	28
PID 1612 wrote to memory of 2336	1612	PO-20231228003.exe	28
PID 1612 wrote to memory of 2336	1612	PO-20231228003.exe	28
PID 1612 wrote to memory of 2524	1612	PO-20231228003.exe	29
PID 1612 wrote to memory of 2524	1612	PO-20231228003.exe	29
PID 1612 wrote to memory of 2524	1612	PO-20231228003.exe	29
PID 1612 wrote to memory of 2524	1612	PO-20231228003.exe	29
PID 2524 wrote to memory of 2516	2524	PO-20231228003.exe	30
PID 2524 wrote to memory of 2516	2524	PO-20231228003.exe	30
PID 2524 wrote to memory of 2516	2524	PO-20231228003.exe	30
PID 2524 wrote to memory of 2516	2524	PO-20231228003.exe	30
PID 2524 wrote to memory of 2516	2524	PO-20231228003.exe	30
PID 2524 wrote to memory of 2516	2524	PO-20231228003.exe	30
PID 2524 wrote to memory of 2516	2524	PO-20231228003.exe	30
PID 2524 wrote to memory of 2516	2524	PO-20231228003.exe	30

C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe
"C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe"
  2⤵
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe
  "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ageless

Filesize
262KB

MD5
c3a05fabceffe2fc8def9cbdd30cd3d2

SHA1
32ef7e0a9d3f2ba30c3573fdd26714a96b12428c

SHA256
91fb367c7bff600e4db5b8a96136b0fe500b193f4587d971563baa9d8187b7a9

SHA512
2dc0d4b09aabe3a9b931d4f6ec99fecf19e5845a9f4d7765ed858fb4f77ec15824bbc600ccdc6bd30816ed6ff3189e2203f059d6989d33bc48501a0f34310573

Download Submit
C:\Users\Admin\AppData\Local\Temp\maneuverability

Filesize
28KB

MD5
0890ddda3c33d9596c0ed994671c138e

SHA1
00d5c6a246cb9ad2620feca83d27731b65116eb8

SHA256
d9afa70063c694a5c80caee8f4f5f55a66cc1289896d3f0993fd7ed9c97551c9

SHA512
d8631f8ec094770c1a369140af157837232e90173b764c73339cac3911efc6559ee9667fde656ffad9e0ba40f79ab8536bf6a55a057101e2770eb74f483b4a2f

Download Submit
memory/1612-10-0x0000000000640000-0x0000000000644000-memory.dmp

Filesize
16KB

Download
memory/2516-78-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-27-0x00000000741BE000-0x00000000741BF000-memory.dmp

Filesize
4KB

Download
memory/2516-26-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2516-74-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-28-0x0000000000340000-0x0000000000394000-memory.dmp

Filesize
336KB

Download
memory/2516-30-0x00000000005C0000-0x0000000000612000-memory.dmp

Filesize
328KB

Download
memory/2516-29-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-32-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-31-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-36-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-76-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-92-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-72-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-1063-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-88-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-86-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-84-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-82-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-80-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-23-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2516-50-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-25-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2516-90-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-70-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-68-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-66-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-64-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-62-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-60-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-58-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-56-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-54-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-52-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-48-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-46-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-44-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-42-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-40-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-38-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-34-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-33-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2516-1064-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2516-1065-0x00000000741BE000-0x00000000741BF000-memory.dmp

Filesize
4KB

Download
memory/2516-1066-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download