agenttesla | 27e20f8330de69c244a6320a58aa950ea66a34cdecc9ac68f0ca23b82747a9da

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rpago.exe
Size

1.1MB
MD5

5161246e60fbc17c2e85f3180a30c216
SHA1

a3fdb88f66f07f524cf6541d481761d7b69f5403
SHA256

27e20f8330de69c244a6320a58aa950ea66a34cdecc9ac68f0ca23b82747a9da
SHA512

b5895bc0e83332dc2cf177c7dcb49e34e7c6f7b4ac903615b39b6a07920a59db84924ae0b548de5c9da10115affe6c24ca9930435bdd4598620ede776f5789b3
SSDEEP

24576:k4lavt0LkLL9IMixoEgea6G9ISfDIJEZJYdurawq9MmCS:zkwkn9IMHea6G9gSZJYduPaPCS

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/716-49-0x00000000032D0000-0x0000000003326000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-51-0x00000000058A0000-0x00000000058F4000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-53-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-52-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-93-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-95-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-99-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-91-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-113-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-111-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-109-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-107-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-105-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-103-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-87-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-83-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-81-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-77-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-73-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-71-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-69-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-67-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-63-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-59-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-57-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-55-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-101-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-97-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-89-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-85-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-79-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-75-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-65-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1
behavioral2/memory/716-61-0x00000000058A0000-0x00000000058EE000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1392 set thread context of 716	1392	rpago.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
716	RegSvcs.exe
716	RegSvcs.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1596	rpago.exe
4268	rpago.exe
4056	rpago.exe
1392	rpago.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	716	RegSvcs.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1596	rpago.exe
1596	rpago.exe
4268	rpago.exe
4268	rpago.exe
4056	rpago.exe
4056	rpago.exe
1392	rpago.exe
1392	rpago.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1596	rpago.exe
1596	rpago.exe
4268	rpago.exe
4268	rpago.exe
4056	rpago.exe
4056	rpago.exe
1392	rpago.exe
1392	rpago.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 4884	1596	rpago.exe	92
PID 1596 wrote to memory of 4884	1596	rpago.exe	92
PID 1596 wrote to memory of 4884	1596	rpago.exe	92
PID 1596 wrote to memory of 4268	1596	rpago.exe	93
PID 1596 wrote to memory of 4268	1596	rpago.exe	93
PID 1596 wrote to memory of 4268	1596	rpago.exe	93
PID 4268 wrote to memory of 2300	4268	rpago.exe	94
PID 4268 wrote to memory of 2300	4268	rpago.exe	94
PID 4268 wrote to memory of 2300	4268	rpago.exe	94
PID 4268 wrote to memory of 4056	4268	rpago.exe	95
PID 4268 wrote to memory of 4056	4268	rpago.exe	95
PID 4268 wrote to memory of 4056	4268	rpago.exe	95
PID 4056 wrote to memory of 4900	4056	rpago.exe	96
PID 4056 wrote to memory of 4900	4056	rpago.exe	96
PID 4056 wrote to memory of 4900	4056	rpago.exe	96
PID 4056 wrote to memory of 1392	4056	rpago.exe	97
PID 4056 wrote to memory of 1392	4056	rpago.exe	97
PID 4056 wrote to memory of 1392	4056	rpago.exe	97
PID 1392 wrote to memory of 716	1392	rpago.exe	98
PID 1392 wrote to memory of 716	1392	rpago.exe	98
PID 1392 wrote to memory of 716	1392	rpago.exe	98
PID 1392 wrote to memory of 716	1392	rpago.exe	98

C:\Users\Admin\AppData\Local\Temp\rpago.exe
"C:\Users\Admin\AppData\Local\Temp\rpago.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\rpago.exe"
  2⤵
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\rpago.exe
  "C:\Users\Admin\AppData\Local\Temp\rpago.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\rpago.exe"
    3⤵
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\rpago.exe
    "C:\Users\Admin\AppData\Local\Temp\rpago.exe"
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\rpago.exe"
      4⤵
      PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\rpago.exe
      "C:\Users\Admin\AppData\Local\Temp\rpago.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1392
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rpago.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dalis

Filesize
263KB

MD5
97203eaf1432f948575f453fc92a14e6

SHA1
a681f2a85d97dbb0d4392d49280b4364fb18ae13

SHA256
48541e7dcddda069d8370215adf254407a3968b817d9873bee4ebcb5eccd09da

SHA512
dc2dc9647c92d48cba669e672f589af6c53655f201677f66feb4ee27b39312ead50b3ded9c66bdacc989b6fb207b2200648939bcbeddf09fe975db94b21fa0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut16EE.tmp

Filesize
257KB

MD5
7fb7f4edd73d621553c69417060b47de

SHA1
fb99c839774d04584e20a49275dfb84fb0e975d7

SHA256
bc116ccb26aea3c36a37412d32981495414d2d37598004df0f45d31fe7e5b03a

SHA512
d8b0c81f2f3e007727dd09037cdf5bb6f8de12ba93040df7a074273784d6bbee34578bba2f6f5f31bbd9fe73f63b2750da1db4def17acc4b379af9285014bea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut170E.tmp

Filesize
9KB

MD5
58a81b155afe30d0ea281d2ba2d93436

SHA1
4970d3f16c9c2fe0602acc458aa367997d7163bb

SHA256
8c8ef9760b517bd01676d21826d48e8c327d2a26f94be22bbdfb62c679122d7b

SHA512
62ffea278e5fc511f4572f1bf998d3da49f54d01233533894eb4f3cb85b8b10a88f5cfae0abc7efac04401ded6bf65f26d7245194e1efc867f41033afef104ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\pluffer

Filesize
28KB

MD5
738a4c8f5d050a93d2207e65c9293ee3

SHA1
9debf3f220c31f4ceefaec03c0947dd4eaa7f9f6

SHA256
1ad139757c3b751b0c2531700bd3073e5461d571d67647dba3dd7112cbf3f6ec

SHA512
37f4a679a5118954982d56208f80ffac0340084e6e59cb1112da48f00c3c3f61152d60cebfa283a004355caaf18d2e62eac9fea0608bfe1d738c9b39f558424b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pluffer

Filesize
28KB

MD5
0d2be9bbedba832976bd02d9af369a86

SHA1
546c5d03992698936710f954fe460767e5115ef7

SHA256
2a1d4a0b4777d9150355e72d2eaaec8361219bebd22110b0ee41755bd35fd319

SHA512
e0b82ea1a0e15234c562b78a5b113f6f781229427dc8d8fbd1a89bd2ad102358bad8055720c2180ce2fe7861cc39dec1d331084186abd09ca626b553d3c7e36a

Download Submit
memory/716-87-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-77-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-48-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/716-49-0x00000000032D0000-0x0000000003326000-memory.dmp

Filesize
344KB

Download
memory/716-50-0x0000000005EC0000-0x0000000006464000-memory.dmp

Filesize
5.6MB

Download
memory/716-51-0x00000000058A0000-0x00000000058F4000-memory.dmp

Filesize
336KB

Download
memory/716-53-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-52-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-93-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-95-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-99-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-91-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-113-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-111-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-109-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-107-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-105-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-103-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-1099-0x0000000006CC0000-0x0000000006CCA000-memory.dmp

Filesize
40KB

Download
memory/716-83-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-81-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-47-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/716-73-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-71-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-69-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-67-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-63-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-59-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-57-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-55-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-101-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-97-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-89-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-85-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-79-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-75-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-65-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-61-0x00000000058A0000-0x00000000058EE000-memory.dmp

Filesize
312KB

Download
memory/716-1096-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/716-1097-0x0000000006C40000-0x0000000006C90000-memory.dmp

Filesize
320KB

Download
memory/716-1098-0x0000000006D30000-0x0000000006DC2000-memory.dmp

Filesize
584KB

Download
memory/1596-10-0x0000000004D30000-0x0000000004D34000-memory.dmp

Filesize
16KB

Download