agenttesla | 06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe
Size

1.1MB
MD5

7ff29697c6340dee69f9028797b75099
SHA1

61dd53508f660a766e1ab154af3769955551c139
SHA256

06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8
SHA512

3b739f2f2871432b2564770a08dd6e44c14b07044144cbf68967a8d29f952cd0cd1b38d5cf4e00b66b5d5d4b46b313d7fbc3a0bda2bfef9f97635b01f5dbdaf7
SSDEEP

24576:MqDEvCTbMWu7rQYlBQcBiT6rprG8aJHr6t8+F9nlc4gqNA:MTvC/MTQYxsWR7aJHr6tJplj

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/3900-18-0x0000000003100000-0x0000000003156000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-21-0x0000000005620000-0x0000000005674000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-26-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-32-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-30-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-28-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-24-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-23-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-80-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-36-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-82-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-78-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-76-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-75-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-72-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-70-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-69-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-66-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-64-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-62-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-60-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-58-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-56-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-55-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-52-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-50-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-48-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-46-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-44-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-42-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-40-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-38-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3900-34-0x0000000005620000-0x000000000566F000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT = "C:\\Users\\Admin\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4008 set thread context of 3900	4008	06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2228	4008	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3900	RegSvcs.exe
3900	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4008	06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3900	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4008	06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe
4008	06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4008	06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe
4008	06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3900	RegSvcs.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 3900	4008	06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe	87
PID 4008 wrote to memory of 3900	4008	06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe	87
PID 4008 wrote to memory of 3900	4008	06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe	87
PID 4008 wrote to memory of 3900	4008	06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe	87

C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe
"C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\06a3d9d3f6a3bfa1d129412617aaed1275fe2ed602ae0d199e614bdc50085cc8.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 724
  2⤵
  - Program crash
  PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4008 -ip 4008
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut4343.tmp

Filesize
265KB

MD5
e89ff9237c86ef826d487a5e74aa43ea

SHA1
a4ecb4a1784bf32f761259b8a3ddd46ab828c91b

SHA256
402c6803447338a42349e4a5e1474717a2d7d1b294f71e798a28db7f767fc979

SHA512
623818ce2be965bfcbf3fbc762e4fe4a3fcd33d5f397bf636a6b0a8c6f3e057b7a440f7b454dd6034658201b3f170620981b8e0daf73aac6789ee638fc5d242d

Download Submit
memory/3900-13-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3900-14-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3900-15-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3900-16-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3900-17-0x0000000073B3E000-0x0000000073B3F000-memory.dmp

Filesize
4KB

Download
memory/3900-18-0x0000000003100000-0x0000000003156000-memory.dmp

Filesize
344KB

Download
memory/3900-19-0x0000000073B30000-0x00000000742E0000-memory.dmp

Filesize
7.7MB

Download
memory/3900-20-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/3900-21-0x0000000005620000-0x0000000005674000-memory.dmp

Filesize
336KB

Download
memory/3900-22-0x0000000073B30000-0x00000000742E0000-memory.dmp

Filesize
7.7MB

Download
memory/3900-26-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-32-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-30-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-28-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-24-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-23-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-80-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-36-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-82-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-78-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-76-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-75-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-72-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-70-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-69-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-66-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-64-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-62-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-60-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-58-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-56-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-55-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-52-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-50-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-48-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-46-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-44-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-42-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-40-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-38-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-34-0x0000000005620000-0x000000000566F000-memory.dmp

Filesize
316KB

Download
memory/3900-1119-0x0000000073B30000-0x00000000742E0000-memory.dmp

Filesize
7.7MB

Download
memory/3900-1120-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/3900-1122-0x0000000006780000-0x00000000067D0000-memory.dmp

Filesize
320KB

Download
memory/3900-1123-0x0000000006870000-0x000000000690C000-memory.dmp

Filesize
624KB

Download
memory/3900-1124-0x0000000006BF0000-0x0000000006C82000-memory.dmp

Filesize
584KB

Download
memory/3900-1125-0x0000000006BB0000-0x0000000006BBA000-memory.dmp

Filesize
40KB

Download
memory/3900-1126-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3900-1127-0x0000000073B3E000-0x0000000073B3F000-memory.dmp

Filesize
4KB

Download
memory/3900-1128-0x0000000073B30000-0x00000000742E0000-memory.dmp

Filesize
7.7MB

Download
memory/4008-12-0x0000000001820000-0x0000000001824000-memory.dmp

Filesize
16KB

Download