agenttesla | 45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761

General

Target

45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe
Size

1.1MB
MD5

9bd9899dfed52791f2ad4ea21194b016
SHA1

7c6165cd84aa9d848869f31491be10c4bcabafb6
SHA256

45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761
SHA512

edcad9fc0eb993c95cce3c5a9a1692f87972a4ede0e61aef164a2464c022930c515783751a3a2722be4e9b473a4f60246d171432d49a9b5a620b4c22eefc3346
SSDEEP

24576:lAHnh+eWsN3skA4RV1Hom2KXMmHaco5m0JXfz1IZY3ub5:Uh+ZkldoPK8Yaco5HBA4e

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/3388-50-0x0000000002B10000-0x0000000002B66000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 2 IoCs

pid	Process
4140	name.exe
4144	name.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4144 set thread context of 3388	4144	name.exe	97

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4140	name.exe
4144	name.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2512	45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe
2512	45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe
2512	45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe
4140	name.exe
4140	name.exe
4144	name.exe
4144	name.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2512	45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe
2512	45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe
2512	45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe
4140	name.exe
4140	name.exe
4144	name.exe
4144	name.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 4140	2512	45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe	93
PID 2512 wrote to memory of 4140	2512	45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe	93
PID 2512 wrote to memory of 4140	2512	45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe	93
PID 4140 wrote to memory of 3992	4140	name.exe	94
PID 4140 wrote to memory of 3992	4140	name.exe	94
PID 4140 wrote to memory of 3992	4140	name.exe	94
PID 4140 wrote to memory of 4144	4140	name.exe	96
PID 4140 wrote to memory of 4144	4140	name.exe	96
PID 4140 wrote to memory of 4144	4140	name.exe	96
PID 4144 wrote to memory of 3388	4144	name.exe	97
PID 4144 wrote to memory of 3388	4144	name.exe	97
PID 4144 wrote to memory of 3388	4144	name.exe	97
PID 4144 wrote to memory of 3388	4144	name.exe	97

C:\Users\Admin\AppData\Local\Temp\45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe
"C:\Users\Admin\AppData\Local\Temp\45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\45d4b0a1c89a7192b5a3de30e1568200d33941e8bc6b983c6bf5fe525fe83761.exe"
    3⤵
    PID:3992
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\directory\name.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\directory\name.exe"
      4⤵
      PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:2388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut1558.tmp

Filesize
266KB

MD5
48067d5ba3abc44be5a4cd2cba27fd2e

SHA1
c3b617cb75eb48b8da34eaa3b5eac41610231078

SHA256
035e764be5a63a345536a38aa9adcaa1eeedcfdf75af7731b14d93266aa04e0c

SHA512
bb03360a1d9e1cb02b1ed0d01d391c089038b97645a4a99eb291a6e546ccbcc9dadc80f2367f3acd2f2e593d3173007dd46c8072a0e13f76176f0ec3156faeae

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut65EA.tmp

Filesize
9KB

MD5
63b9c40ef0cb553678ffa8d53c7e30f2

SHA1
372e44d28d6fa195aedce7246be3405238ef4d60

SHA256
56e107f09bd8b3d74443ab0594c70e2a99b8e2c2468787cf006620739fd48e72

SHA512
7885ed1be177e3b330e85098493497275d18ba8b74d2237adfbfe46e0f000d066c3e351154a8e8ee63b114f21978a30291f369cd340bde036f4f67d29ab9d445

Download Submit
C:\Users\Admin\AppData\Local\Temp\colliquefaction

Filesize
28KB

MD5
382d8276cbfb61ad34b47f75811c0991

SHA1
3e578b3dac05a4f3a46dadfa245f82021958a3d6

SHA256
c24e9092b9f3d21ba59b49b3369bbcfb6eca4b6f27569b5e989395bdc0f94e91

SHA512
4d71b5c4439003d747a5674b5670c4138dc9787ba29b9fac1d4eb8a06043ae71c376a2e28f611020a8659bd5d5eeac29c2fef60ca2972a1151fb575612fe2273

Download Submit
C:\Users\Admin\AppData\Local\Temp\croc

Filesize
266KB

MD5
959545bbbb274e818e4a196c161cd12e

SHA1
2ebedf8528442dd1e76a87c427a0136d468eeb32

SHA256
83b2d62ff1ea7f54f2cea00d0967740918c5b658348938304c6e7c6e9bfd4fda

SHA512
b2f00c2613b2dcb1d1bf8795b4f1ce7357a92f7b5da1f2d8be8f2f8e9fcde17f6febd0b153fb18ecf93f248369e148114c86e94e0c378e03afc33c48d9cdeb3c

Download Submit
memory/2512-12-0x00000000026E0000-0x00000000026E4000-memory.dmp

Filesize
16KB

Download
memory/3388-45-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3388-47-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3388-46-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3388-48-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3388-49-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3388-50-0x0000000002B10000-0x0000000002B66000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing