Analysis Overview
SHA256
a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c
Threat Level: Known bad
The file a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c was found to be: Known bad.
Malicious Activity Summary
AgentTesla
ZGRat
Detect ZGRat V1
Reads data files stored by FTP clients
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 01:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 01:27
Reported
2024-05-10 01:30
Platform
win7-20240215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1772 set thread context of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe
"C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe"
C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe
"C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/1772-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp
memory/1772-1-0x0000000001300000-0x00000000015BC000-memory.dmp
memory/1772-2-0x0000000074A90000-0x000000007517E000-memory.dmp
memory/1772-3-0x00000000054B0000-0x000000000590A000-memory.dmp
memory/1772-4-0x0000000007B60000-0x0000000007D90000-memory.dmp
memory/1772-10-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-5-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-16-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-6-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-42-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-48-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-8-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-54-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-60-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-58-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-56-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-14-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-52-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-64-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-63-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-50-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-46-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-44-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-40-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-38-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-36-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-34-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-32-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-30-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-28-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-26-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-24-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-22-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-20-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-18-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-12-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-66-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-68-0x0000000007B60000-0x0000000007D8B000-memory.dmp
memory/1772-4885-0x0000000074A90000-0x000000007517E000-memory.dmp
memory/1772-4887-0x0000000000B50000-0x0000000000B9C000-memory.dmp
memory/1772-4886-0x00000000049C0000-0x0000000004A2C000-memory.dmp
memory/1772-4888-0x0000000004A30000-0x0000000004A84000-memory.dmp
memory/2392-4906-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2392-4905-0x0000000074A90000-0x000000007517E000-memory.dmp
memory/1772-4904-0x0000000074A90000-0x000000007517E000-memory.dmp
memory/2392-4907-0x0000000074A90000-0x000000007517E000-memory.dmp
memory/2392-4908-0x0000000074A90000-0x000000007517E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 01:27
Reported
2024-05-10 01:30
Platform
win10v2004-20240508-en
Max time kernel
126s
Max time network
128s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 880 set thread context of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe
"C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe"
C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe
"C:\Users\Admin\AppData\Local\Temp\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 137.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.apexrnun.com | udp |
| IT | 185.196.9.150:587 | mail.apexrnun.com | tcp |
| US | 8.8.8.8:53 | 150.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
memory/880-0-0x000000007484E000-0x000000007484F000-memory.dmp
memory/880-1-0x00000000007A0000-0x0000000000A5C000-memory.dmp
memory/880-2-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/880-3-0x0000000005C80000-0x00000000060DA000-memory.dmp
memory/880-4-0x0000000007310000-0x0000000007540000-memory.dmp
memory/880-5-0x0000000007AF0000-0x0000000008094000-memory.dmp
memory/880-6-0x00000000075E0000-0x0000000007672000-memory.dmp
memory/880-22-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-56-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-60-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-70-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-68-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-66-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-64-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-62-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-58-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-54-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-48-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-42-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-40-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-38-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-52-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-50-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-46-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-44-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-34-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-32-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-30-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-26-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-24-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-20-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-18-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-16-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-14-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-12-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-36-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-10-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-28-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-8-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-7-0x0000000007310000-0x000000000753B000-memory.dmp
memory/880-4887-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/880-4888-0x0000000005A20000-0x0000000005A8C000-memory.dmp
memory/880-4889-0x0000000005B40000-0x0000000005B8C000-memory.dmp
memory/880-4890-0x0000000005BE0000-0x0000000005C34000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a9acdedbcc185292379f90b97ab6f584461d59aba50542a8fb50f1c2948d8d8c.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 4b74e933d78bd5e8fb1cc4653fb2133c |
| SHA1 | f6e931eec700fa325bd40c3adc6f1c0eba806066 |
| SHA256 | fd99bed17853f5ad196ca6d4a62f5e2405fbdf5b98cbf45af8b7cef83e4bcec3 |
| SHA512 | b56ff89eff1a757a87dcb875206ae92d39ffdb5adf638600c21bc7c76ff4cc25502ae1060716488c7ed1641f8cdfad2a320443b7b4d9f09808eb86eb87f351ec |
memory/1044-4895-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1044-4896-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/880-4894-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/1044-4898-0x0000000005710000-0x0000000005776000-memory.dmp
memory/1044-4897-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/1044-4899-0x0000000006C60000-0x0000000006CB0000-memory.dmp
memory/1044-4900-0x0000000006D50000-0x0000000006DEC000-memory.dmp
memory/1044-4901-0x0000000006F50000-0x0000000006F5A000-memory.dmp
memory/1044-4902-0x0000000074840000-0x0000000074FF0000-memory.dmp