Analysis
-
max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted
09-05-2024 01:54
Static task
static1
Behavioral task
behavioral1
Sample
b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
Resource
win10v2004-20240226-en
General
-
Target
b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
-
Size
1.3MB
-
MD5
59d981ed9028d3247ef3fca52e62b117
-
SHA1
e3e3d5233b2665cfdba8caac7ce36b46250bc0f6
-
SHA256
b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d
-
SHA512
7f3501e07048a11e6df67806d67fa7078cb798267b944b0269dbe7b80730d1258104d74fc4e5512316624034148116c7020972ac6c3ba3d176e9c78264d17c5c
-
SSDEEP
24576:4qDEvCTbMWu7rQYlBQcBiT6rprG8aQ1CCjqxkKqTBAEnLrhX:4TvC/MTQYxsWR7aQ8Cmx5qrh
Malware Config
Extracted
Family: agenttesla
C2 (Telegram Bot API): https://api.telegram.org/bot7098045317:AAG_bq6J7neFFo87IXHfNBxKyzNKV56RSAA/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic (.NET).
-
Detect ZGRat V1 (33 IoCs)
Processes (all hits are memory dumps of PID 3024, the RegSvcs.exe child):
resource                                                                      yara_rule
behavioral1/memory/3024-17-0x00000000020C0000-0x0000000002118000-memory.dmp   family_zgrat_v1
behavioral1/memory/3024-18-0x0000000002220000-0x0000000002276000-memory.dmp   family_zgrat_v1
behavioral1/memory/3024-N-0x0000000002220000-0x0000000002271000-memory.dmp    family_zgrat_v1
  for N in 21, 22, 24, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80 (31 dumps of the same region)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
Process: RegSvcs.exe
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZQjTZ = "C:\\Users\\Admin\\AppData\\Roaming\\ZQjTZ\\ZQjTZ.exe"
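The Run-key row above is the persistence artefact: the hollowed RegSvcs.exe writes an HKCU autorun under the logged-on user's SID that points at a copy of itself in AppData\Roaming. As an added example (not part of the sandbox's own output or tooling), the following Python parses that IoC string into its parts and applies the checks a triage analyst would run on any such row: is it an autorun key, does the target live in a user-writable directory, and does the value name simply reuse the drop folder and executable name. The benign HKLM entry is constructed for contrast and its `Vendor\Updater.exe` path is hypothetical.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the Run-key IoC exactly as this report prints it, plus a
# benign HKLM entry for contrast (the "Vendor\Updater.exe" path is hypothetical).
SAMPLE_IOC = (
    r"\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\ZQjTZ = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\ZQjTZ\\ZQjTZ.exe"'
)
BENIGN_IOC = (
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "
    r'"C:\\Program Files\\Vendor\\Updater.exe"'
)

# Registry paths whose values are executed at logon.
AUTORUN_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Directories an unprivileged user can write to: an autorun pointing here was
# created without admin rights, which is where commodity stealers usually land.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")

# key = everything up to the last backslash, name = last component, data = quoted string
_IOC_RE = re.compile(r'^(?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\]+?) = "(?P<data>.*)"$')


@dataclass
class AutorunHit:
    hive: str                 # USER or MACHINE
    sid: Optional[str]        # owning SID for HKU entries, else None
    key: str
    value_name: str
    target: str               # unescaped path the value points at
    reasons: List[str]


def parse_run_key_ioc(ioc: str) -> Optional[AutorunHit]:
    """Parse one 'Set value (str)' IoC row and attach triage reasons."""
    m = _IOC_RE.match(ioc.strip())
    if not m:
        return None
    key, name, data = m["key"], m["name"], m["data"]
    target = data.replace("\\\\", "\\")       # the sandbox escapes backslashes inside data
    parts = key.split("\\")                   # ['', 'REGISTRY', 'USER', 'S-1-5-21-...', ...]
    hive = parts[2] if len(parts) > 2 else ""
    sid = parts[3] if hive.upper() == "USER" and len(parts) > 3 else None

    reasons: List[str] = []
    if key.lower().endswith(AUTORUN_SUFFIXES):
        reasons.append("autorun key")
    if any(d in target.lower() for d in USER_WRITABLE):
        reasons.append("target in user-writable path")
    stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if name == stem and f"\\{stem}\\{stem}." in target:
        reasons.append("value name reused as drop directory and executable name")
    return AutorunHit(hive, sid, key, name, target, reasons)


def is_suspicious_autorun(hit: AutorunHit) -> bool:
    """An autorun key alone is normal; an autorun key plus any other signal is not."""
    return "autorun key" in hit.reasons and len(hit.reasons) >= 2


if __name__ == "__main__":
    for ioc in (SAMPLE_IOC, BENIGN_IOC):
        hit = parse_run_key_ioc(ioc)
        print(hit.value_name, "->", hit.target, "|", is_suspicious_autorun(hit), hit.reasons)
```

The same parser handles HKU and HKLM rows because the sandbox prints both with the `\REGISTRY\` prefix; the SID is only extracted for HKU entries, which is what ties this persistence to the Admin profile rather than to the machine.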
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 2: ip-api.com
Suspicious use of SetThreadContext (1 IoC)
Processes:
Process: b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
PID 1600 set thread context of 3024 (RegSvcs.exe, procid_target 28)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
PID 3024 RegSvcs.exe (x2)
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
PID 1600 b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
Token: SeDebugPrivilege, PID 3024 RegSvcs.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
PID 1600 b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe (x2)
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
PID 1600 b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe (x2)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
PID 3024 RegSvcs.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
Process: b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
PID 1600 wrote to memory of 3024 (RegSvcs.exe, procid_target 28), 8 times
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1600 -
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 1600)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe"
   Note: the mapped image is RegSvcs.exe but the command line still names the dropper.
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3024
-
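The process tree above, read together with the SetThreadContext, WriteProcessMemory and MapViewOfSection rows, is the visible side of process hollowing: PID 1600 starts the legitimate .NET utility RegSvcs.exe, writes into it eight times, resets its thread context, and the child then runs with the RegSvcs.exe image while still carrying the dropper's command line. The following Python is an added example and not the sandbox's code: it rebuilds those signals from the report's own signature rows and process tree and scores the child. The `Proc`/`ApiEvent` records are constructed from the page, the extra notepad.exe child is a constructed benign control, and the API names, tags and verdict thresholds are this example's choices.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b48a1be74fa295306d499815bfac2071feee2573c226758f75287d667514f83d.exe")
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"


@dataclass
class Proc:
    pid: int
    image: str                    # executable the kernel mapped (process tree, first line)
    cmdline: str                  # command line the process carries (process tree, quoted part)
    parent: Optional[int] = None


@dataclass
class ApiEvent:
    api: str
    caller: int
    target: int


# Constructed from this report's process tree: PID 3024 is RegSvcs.exe on disk
# but carries the dropper's command line.
PROCS: List[Proc] = [
    Proc(1600, SAMPLE, f'"{SAMPLE}"'),
    Proc(3024, HOST, f'"{SAMPLE}"', parent=1600),
]

# Signature rows as the report prints them (one SetThreadContext, eight
# WriteProcessMemory), reduced to the part the parser needs.
SIG_LINES: List[str] = (
    [f"PID 1600 set thread context of 3024 1600 {ntpath.basename(SAMPLE)} 28"]
    + [f"PID 1600 wrote to memory of 3024 1600 {ntpath.basename(SAMPLE)} 28"] * 8
)

_SIG_RE = re.compile(
    r"PID (?P<caller>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<target>\d+)")
_VERB_TO_API = {"set thread context of": "SetThreadContext",
                "wrote to memory of": "WriteProcessMemory"}


def parse_sig_line(line: str) -> Optional[ApiEvent]:
    """Turn one 'PID A wrote to memory of B ...' row into an ApiEvent."""
    m = _SIG_RE.search(line)
    if not m:
        return None
    return ApiEvent(_VERB_TO_API[m["verb"]], int(m["caller"]), int(m["target"]))


def exe_from_cmdline(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def image_cmdline_mismatch(p: Proc) -> bool:
    """True when the mapped image and the command line name different executables."""
    claimed = ntpath.basename(exe_from_cmdline(p.cmdline)).lower()
    actual = ntpath.basename(p.image).lower()
    return bool(claimed) and claimed != actual


def detect_hollowing(procs: List[Proc], events: List[ApiEvent]) -> List[Dict]:
    """Score every child for the hollowing sequence: the parent writes into it,
    the parent resets its thread context, and its image no longer matches the
    command line it was created with.  Tags and thresholds are this example's choice."""
    hits: List[Dict] = []
    for p in procs:
        if p.parent is None:
            continue
        from_parent = [e for e in events if e.caller == p.parent and e.target == p.pid]
        tags = set()
        reasons: List[str] = []
        writes = sum(1 for e in from_parent if e.api == "WriteProcessMemory")
        if writes:
            tags.add("write")
            reasons.append(f"parent wrote into child ({writes}x)")
        if any(e.api == "SetThreadContext" for e in from_parent):
            tags.add("ctx")
            reasons.append("parent reset child thread context")
        if image_cmdline_mismatch(p):
            tags.add("mismatch")
            reasons.append("image/command-line mismatch")
        if p.image.lower().startswith("c:\\windows\\"):
            tags.add("system_host")
            reasons.append("host image lives under C:\\Windows")
        if {"write", "ctx", "mismatch"} <= tags:
            verdict = "process hollowing"
        elif len(tags) >= 2:
            verdict = "suspicious"
        else:
            continue
        hits.append({"pid": p.pid, "image": p.image, "claimed_exe": exe_from_cmdline(p.cmdline),
                     "verdict": verdict, "reasons": reasons})
    return hits


if __name__ == "__main__":
    evts = [e for e in map(parse_sig_line, SIG_LINES) if e is not None]
    for h in detect_hollowing(PROCS, evts):
        print(h["pid"], h["verdict"], h["reasons"])
```

The image/command-line comparison is the cheap check worth running on any endpoint telemetry, because the dropper chose a system-directory host but never rewrote the PEB command line; the cross-process write and context reset are the corroboration that turns that oddity into a verdict.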
Downloads
-
Filesize
268KB
MD5
bfd0a24603de75fbdc525aae0f0c7823
SHA1
1c26cdb7b35452bf41b0fd9160acf8e5848a8b93
SHA256
531af262fb42e94c46b27f1e7901fcd974f0ca7a7ca3f622e122494dca8997c1
SHA512
4588be1d3def44af913ac9492a0ae164602b71155fc6cd6f42ce79cc7623e46df412b15b103d83f3f547be56387e07f17f574fb04dd2c84bd8f084b8df842fb6