agenttesla | 437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
Size

1.1MB
MD5

01311bbcca3794100bc4ef5a6f7f471e
SHA1

01372089b8656907ec48e97eb911d05c41b9c651
SHA256

437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831
SHA512

5fcc0ea9c247f591c6d2fcf37d5feb2e237856fe00cce1091eaf6f7254778b31e23507c2eed436c2a437d0033712096777097e6fa7960c14e18af0eee2504d21
SSDEEP

24576:K4lavt0LkLL9IMixoEgea0k9I/l1uh9hq9MmCS:dkwkn9IMHea5y91utaPCS

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/3412-39-0x00000000056D0000-0x0000000005724000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-41-0x0000000005760000-0x00000000057B2000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-51-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-97-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-91-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-85-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-77-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-59-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-53-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-49-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-47-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-45-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-43-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-42-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-101-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-99-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-95-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-93-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-89-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-87-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-83-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-82-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-79-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-75-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-74-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-71-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-69-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-67-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-65-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-63-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-61-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-57-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1
behavioral2/memory/3412-56-0x0000000005760000-0x00000000057AD000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org
17	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3380 set thread context of 3412	3380	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3412	RegSvcs.exe
3412	RegSvcs.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1236	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
732	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
3380	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1236	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
1236	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
732	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
732	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
3380	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
3380	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1236	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
1236	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
732	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
732	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
3380	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
3380	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2168	1236	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	88
PID 1236 wrote to memory of 2168	1236	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	88
PID 1236 wrote to memory of 2168	1236	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	88
PID 1236 wrote to memory of 732	1236	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	89
PID 1236 wrote to memory of 732	1236	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	89
PID 1236 wrote to memory of 732	1236	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	89
PID 732 wrote to memory of 3752	732	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	90
PID 732 wrote to memory of 3752	732	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	90
PID 732 wrote to memory of 3752	732	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	90
PID 732 wrote to memory of 3380	732	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	91
PID 732 wrote to memory of 3380	732	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	91
PID 732 wrote to memory of 3380	732	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	91
PID 3380 wrote to memory of 3412	3380	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	92
PID 3380 wrote to memory of 3412	3380	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	92
PID 3380 wrote to memory of 3412	3380	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	92
PID 3380 wrote to memory of 3412	3380	437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe	92

C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
"C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"
  2⤵
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
  "C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"
    3⤵
    PID:3752
- - C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
    "C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut79B4.tmp

Filesize
260KB

MD5
7bde5cead8dc88649fd9a646987d681b

SHA1
bac867ff6c74d0fc9e303a419856542a1e65fcf0

SHA256
85b581de960dc784124a8c937dae07c17412a0ca44fad8fc4a3554dee60a1b39

SHA512
6204008f3904271656452630be8a5bbc2e4871c68d9a11fe1505210da2187e932ab69e7950af6ab79fb0d4e90db989e2b303c081474518652df48f2747e0074b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut79D4.tmp

Filesize
9KB

MD5
c716019e0d264b1dadd72e704190699b

SHA1
3b922810e3981240b567baac1d7ae2082fbadb90

SHA256
138aae39695cc7715c5ceb2109f42a669480424179a5487d053bd6b8ec8beaa1

SHA512
30b2ac411506483244aae97d8ee971c001ad4465edc3a8255c00923e0be0092976a3e2752568d3240a4354807753c0e29a8901a2b71c3c6acf0a334c5b1bfca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\conged

Filesize
29KB

MD5
75bac33d2f9686ca5a73c23c0499d3c7

SHA1
51cc3027dc9f25d9f8303de574133c0ef6226dba

SHA256
d0ad39e0760c18c0637a6ba84309295db9104a91e30bf13c1dffbb92c5da9ce7

SHA512
70a7d7dac136b1c6ea1f391470a01195319b60945550f9ab37c15b9e766e5f343f82489c8424d83f1d4fa1c8ddc09efc80e5e922b8d59a455ac7773232ef1520

Download Submit
C:\Users\Admin\AppData\Local\Temp\prophetesses

Filesize
192KB

MD5
93f4871f51579b651ca84b1c08b19379

SHA1
bf43ce45181e41cb689bd89bc48548bee0f71221

SHA256
98136aa972cd8c40692b1d582c4191d2b2c5f610cba49a454469642ba7738900

SHA512
ffc120889e216ac9acce071ccdf78231debabaabb75ec1de23cb30518ef144aa7e6d2138f67f818d271994bd4f743c1d5ca89b4f9f35c3a301a6cada597d7402

Download Submit
C:\Users\Admin\AppData\Local\Temp\prophetesses

Filesize
261KB

MD5
4e79f81a94866e0630f2ac3bea08b706

SHA1
c56d834ac8c8928c7291a2ea183bf1342bd3bee2

SHA256
501d2385a7f215159fa32727d8791a2b62e033ed336c327f6d5fc4fb7c09728a

SHA512
80bd22db86705e50b4b8395742945ae04e0055659e42182af966fab8a19f9b9dcacde77137fc5c2d7d6c50b7e1613256082f3caba8b08694281874d9f2152071

Download Submit
memory/1236-10-0x0000000003C30000-0x0000000003C34000-memory.dmp

Filesize
16KB

Download
memory/3412-35-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3412-37-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3412-38-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3412-36-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3412-39-0x00000000056D0000-0x0000000005724000-memory.dmp

Filesize
336KB

Download
memory/3412-40-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/3412-41-0x0000000005760000-0x00000000057B2000-memory.dmp

Filesize
328KB

Download
memory/3412-51-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-97-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-91-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-85-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-77-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-59-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-53-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-49-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-47-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-45-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-43-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-42-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-101-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-99-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-95-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-93-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-89-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-87-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-83-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-82-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-79-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-75-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-74-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-71-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-69-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-67-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-65-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-63-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-61-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-57-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-56-0x0000000005760000-0x00000000057AD000-memory.dmp

Filesize
308KB

Download
memory/3412-1072-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/3412-1073-0x0000000006C90000-0x0000000006CE0000-memory.dmp

Filesize
320KB

Download
memory/3412-1074-0x0000000006D80000-0x0000000006E12000-memory.dmp

Filesize
584KB

Download
memory/3412-1075-0x0000000006CF0000-0x0000000006CFA000-memory.dmp

Filesize
40KB

Download
memory/3412-1076-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download