agenttesla | 3a795afc5fc1b74df84201208881753243596f0dec3b5ebd7ced7c350705ccdb

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LPO.exe
Size

685KB
MD5

fbcef5c1f75e7bfe82c1e79333c298c4
SHA1

26452a8f6e82b129478fa85886c8b8e1c95b7abd
SHA256

2615de3ee09694dd7b8a639d0af2a46f79a4dbecf0d7ccd6d3df6aef797c3b8c
SHA512

e21a5d1c4f8ea6b897f9c481722205867eb2656bd649278e32a86732f6398068181c8a5ed2b124dc49b45e1ffc86b781411f28ac8b23c6cf4db561aee69c488d
SSDEEP

12288:2Xe9PPlowWX0t6mOQwg1Qd15CcYk0We1FA3PItKJW0X8SI+1ZW22NnmAdVMDi4i5:LhloDX0XOf40qKJG52ZWRNnrwi4iXp

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral1/memory/2120-19-0x00000000004F0000-0x0000000000544000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-20-0x00000000020C0000-0x0000000002112000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-82-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-74-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-64-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-58-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-54-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-44-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-34-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-32-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-30-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-28-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-26-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-24-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-23-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-80-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-78-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-76-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-72-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-70-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-68-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-66-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-62-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-60-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-56-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-52-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-50-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-48-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-46-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-42-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-40-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-38-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2120-36-0x00000000020C0000-0x000000000210D000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1640-0-0x0000000000FA0000-0x0000000001126000-memory.dmp	upx
behavioral1/memory/1640-16-0x0000000000FA0000-0x0000000001126000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1640-16-0x0000000000FA0000-0x0000000001126000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 2120	1640	LPO.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2120	RegSvcs.exe
2120	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1640	LPO.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1640	LPO.exe
1640	LPO.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1640	LPO.exe
1640	LPO.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2120	1640	LPO.exe	28
PID 1640 wrote to memory of 2120	1640	LPO.exe	28
PID 1640 wrote to memory of 2120	1640	LPO.exe	28
PID 1640 wrote to memory of 2120	1640	LPO.exe	28
PID 1640 wrote to memory of 2120	1640	LPO.exe	28
PID 1640 wrote to memory of 2120	1640	LPO.exe	28
PID 1640 wrote to memory of 2120	1640	LPO.exe	28
PID 1640 wrote to memory of 2120	1640	LPO.exe	28

C:\Users\Admin\AppData\Local\Temp\LPO.exe
"C:\Users\Admin\AppData\Local\Temp\LPO.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\LPO.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fondaco

Filesize
261KB

MD5
26e86fb514add9d3f0208ada82285fd1

SHA1
ddbf5156e45eaeed9a75929da2b07a59d2555fae

SHA256
15c19957e79c4d6c11f85315fb7994f72612761ea74df3bb4460ce8057af3b92

SHA512
94ae418b3d51f4a803ac987533093a0493050350bad34db757d404ab62e6793c050e15c75c8d6bde8e7a65948ebbb8e3724fa07ef5e85eca30ddec9e721ed3df

Download Submit
memory/1640-16-0x0000000000FA0000-0x0000000001126000-memory.dmp

Filesize
1.5MB

Download
memory/1640-12-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1640-0-0x0000000000FA0000-0x0000000001126000-memory.dmp

Filesize
1.5MB

Download
memory/2120-28-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-18-0x0000000073E9E000-0x0000000073E9F000-memory.dmp

Filesize
4KB

Download
memory/2120-17-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2120-23-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-19-0x00000000004F0000-0x0000000000544000-memory.dmp

Filesize
336KB

Download
memory/2120-20-0x00000000020C0000-0x0000000002112000-memory.dmp

Filesize
328KB

Download
memory/2120-21-0x0000000073E90000-0x000000007457E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-22-0x0000000073E90000-0x000000007457E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-249-0x0000000073E90000-0x000000007457E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-82-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-74-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-64-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-58-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-54-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-44-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-80-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-32-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-30-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2120-26-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-1055-0x0000000073E9E000-0x0000000073E9F000-memory.dmp

Filesize
4KB

Download
memory/2120-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2120-34-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-78-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-76-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-72-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-70-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-68-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-66-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-62-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-60-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-56-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-52-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-50-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-48-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-46-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-42-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-40-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-38-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-36-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-1054-0x0000000073E90000-0x000000007457E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-24-0x00000000020C0000-0x000000000210D000-memory.dmp

Filesize
308KB

Download
memory/2120-1056-0x0000000073E90000-0x000000007457E000-memory.dmp

Filesize
6.9MB

Download