agenttesla | 328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
Size

1.1MB
MD5

63d74b4d5b18373ba3230ed473922c70
SHA1

96dd293df1e4d4f7972d3c2d647195b81a1699d8
SHA256

328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa
SHA512

c43d222acef5f5581ad1923431aa66a39161da2e69a02afc64aeb901e3c7465c392d11bad5d14662b66f79e90adc3ef843e78887591a4794486350aa0ba6f512
SSDEEP

24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8amzNiCDJjKJ7ypNh1:0TvC/MTQYxsWR7amgUJI2

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral1/memory/2612-40-0x00000000005C0000-0x0000000000614000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-41-0x0000000000B30000-0x0000000000B82000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-49-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-103-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-101-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-97-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-95-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-93-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-91-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-87-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-85-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-83-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-79-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-77-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-75-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-71-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-69-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-67-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-63-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-61-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-59-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-57-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-55-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-54-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-51-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-47-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-44-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-43-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-99-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-89-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-81-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-73-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2612-65-0x0000000000B30000-0x0000000000B7D000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\skyT = "C:\\Users\\Admin\\AppData\\Roaming\\skyT\\skyT.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 2612	2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2612	RegSvcs.exe
2612	RegSvcs.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	RegSvcs.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2192	2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	28
PID 2360 wrote to memory of 2192	2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	28
PID 2360 wrote to memory of 2192	2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	28
PID 2360 wrote to memory of 2192	2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	28
PID 2360 wrote to memory of 2192	2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	28
PID 2360 wrote to memory of 2192	2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	28
PID 2360 wrote to memory of 2192	2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	28
PID 2360 wrote to memory of 2176	2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	29
PID 2360 wrote to memory of 2176	2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	29
PID 2360 wrote to memory of 2176	2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	29
PID 2360 wrote to memory of 2176	2360	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	29
PID 2176 wrote to memory of 2560	2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	30
PID 2176 wrote to memory of 2560	2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	30
PID 2176 wrote to memory of 2560	2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	30
PID 2176 wrote to memory of 2560	2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	30
PID 2176 wrote to memory of 2560	2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	30
PID 2176 wrote to memory of 2560	2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	30
PID 2176 wrote to memory of 2560	2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	30
PID 2176 wrote to memory of 2600	2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	31
PID 2176 wrote to memory of 2600	2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	31
PID 2176 wrote to memory of 2600	2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	31
PID 2176 wrote to memory of 2600	2176	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	31
PID 2600 wrote to memory of 2612	2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	32
PID 2600 wrote to memory of 2612	2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	32
PID 2600 wrote to memory of 2612	2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	32
PID 2600 wrote to memory of 2612	2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	32
PID 2600 wrote to memory of 2612	2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	32
PID 2600 wrote to memory of 2612	2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	32
PID 2600 wrote to memory of 2612	2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	32
PID 2600 wrote to memory of 2612	2600	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	32

C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
"C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
  2⤵
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
  "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
    3⤵
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
    "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Esher

Filesize
262KB

MD5
18ed30c344f8d682fab7d478762b1cf2

SHA1
98a5297149ae03a5f3c1bf29dc6ace3afb2fb0ed

SHA256
66e8574b0659e2e43cf6c1958db0abc5c9650b9999d6c287d31dbf00a2042751

SHA512
57090c253807e22ba130f37a0b69ce6950cd72a37477040a645669d66f669e27263b452af7fd6fb85decbbd7e5d6fe9d9e3ab98796ef8b351ca595564b9f778b

Download Submit
C:\Users\Admin\AppData\Local\Temp\autF3D.tmp

Filesize
257KB

MD5
b4518906b831aa6ae5072d7702fadbcf

SHA1
53f276bb0725903e159a677e2100908df128138f

SHA256
a8d534f7fb880dcba3a56c9384237c5b286df56dc0a0a8da0b3fb8bc2696321b

SHA512
a9ad64eff4bd622ceebebfc8ce886a19597b3d17518bc705113bdeb4fd7d1442696e75558aebe994eb29621b1715bbcb73332bd92e07dbb071707d43af34343d

Download Submit
C:\Users\Admin\AppData\Local\Temp\autF5D.tmp

Filesize
9KB

MD5
9af133b9b553010c1b0b19f98de14813

SHA1
3644139a3c6d3429f1f2d662461c4b4f4d0e8245

SHA256
484827a635f7959666ab32f84f086867584f24b88b820406b247088de45cf88a

SHA512
debd4b9c4b06c1b2a1b03ec5fe986020a2d48d28087409ff13b3b1a8853fd6b879ba8ebca5f396c6dd0872d01a96ee03c9ca5eb725a64f2e06e088f1010dab5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nonhazardousness

Filesize
28KB

MD5
eafe8751898e0b3c1ea7f59f88dbb724

SHA1
3e94472d4b13544dccf63cae2b695b486458f40c

SHA256
f6efb701356255d6b13eb6a66d405337a30d1d1b2d1263c382fab079ccc34df9

SHA512
575e8c115202394c75910021ffbd7d7c0519f9ffb3777bcf5107179267c02ba3b3aa59a0116d839a3a5aea73e152bd053fccd5b83a421f2a3dc0332c39a1bd28

Download Submit
memory/2360-10-0x00000000001A0000-0x00000000001A4000-memory.dmp

Filesize
16KB

Download
memory/2612-35-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2612-38-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2612-37-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2612-39-0x000000007422E000-0x000000007422F000-memory.dmp

Filesize
4KB

Download
memory/2612-40-0x00000000005C0000-0x0000000000614000-memory.dmp

Filesize
336KB

Download
memory/2612-41-0x0000000000B30000-0x0000000000B82000-memory.dmp

Filesize
328KB

Download
memory/2612-42-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-49-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-289-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-103-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-101-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-97-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-95-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-93-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-91-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-87-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-85-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-83-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-79-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-77-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-75-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-71-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-69-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-67-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-63-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-61-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-59-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-57-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-55-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-54-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-51-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-47-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-46-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-44-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-43-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-99-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-89-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-81-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-73-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-65-0x0000000000B30000-0x0000000000B7D000-memory.dmp

Filesize
308KB

Download
memory/2612-1077-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-1079-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2612-1080-0x000000007422E000-0x000000007422F000-memory.dmp

Filesize
4KB

Download
memory/2612-1081-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download