agenttesla

General

Target

docs.img
Size

4.5MB
Sample

240509-sj6nysbb54
MD5

ddafd0d260613473a326eff5f54074c2
SHA1

6ccd13e2bcd30fc0b1654124743a2cca5d27a569
SHA256

c746343dbf42d70877c196353b5b557627de860c685fd43497c1b5c1f4a371b6
SHA512

5fbe2dac8140ba975b56456b1df52aa913a7df4031187a43826bd6cc68afecdc149af2f447c17393b8106aac7d1f5aa9452c0642fb9c5f1d56bbb1eb1f986596
SSDEEP

24576:R+QvNyw6fDZokD9S0WlH8Uboat0M4wfrO8IKuEI//zyyUI2CdXTiwIR0inmDB+R3:

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.id-net.fr
Port:
587
Username:
[email protected]
Password:
zhi33

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.id-net.fr
Port:
587
Username:
[email protected]
Password:
zhi33
Email To:
[email protected]

Targets

- Target
  
  Pozgp.exe
- Size
  
  4.5MB
- MD5
  
  698b7994c863d2d76b466a15e7949d12
- SHA1
  
  938e7331f2ec8f536b318478171877c9ac4d6c38
- SHA256
  
  022d2bc35f453e0be4546eb14de3f2f642b2cb500ef0bd61dd8d2650a7877e36
- SHA512
  
  042cb657b2bc66c8522879b317add27b71fda4a0a4e4f967c9219059746f99fe490a9d32072ed4310189eebc4d4178bd99f904b805201cfd57e1451528aa7869
- SSDEEP
  
  24576:v+QvNyw6fDZokD9S0WlH8Uboat0M4wfrO8IKuEI//zyyUI2CdXTiwIR0inmDB+R3:
Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect ZGRat V1

ZGRat

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2