agenttesla | 3a795afc5fc1b74df84201208881753243596f0dec3b5ebd7ced7c350705ccdb

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LPO.exe
Size

685KB
MD5

fbcef5c1f75e7bfe82c1e79333c298c4
SHA1

26452a8f6e82b129478fa85886c8b8e1c95b7abd
SHA256

2615de3ee09694dd7b8a639d0af2a46f79a4dbecf0d7ccd6d3df6aef797c3b8c
SHA512

e21a5d1c4f8ea6b897f9c481722205867eb2656bd649278e32a86732f6398068181c8a5ed2b124dc49b45e1ffc86b781411f28ac8b23c6cf4db561aee69c488d
SSDEEP

12288:2Xe9PPlowWX0t6mOQwg1Qd15CcYk0We1FA3PItKJW0X8SI+1ZW22NnmAdVMDi4i5:LhloDX0XOf40qKJG52ZWRNnrwi4iXp

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 32 IoCs

resource	yara_rule
behavioral2/memory/2672-21-0x0000000005100000-0x0000000005154000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-26-0x00000000051D0000-0x0000000005222000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-28-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-36-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-34-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-84-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-80-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-78-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-76-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-74-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-72-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-70-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-66-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-64-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-62-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-60-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-56-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-52-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-48-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-46-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-45-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-42-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-38-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-32-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-30-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-82-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-68-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-58-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-54-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-50-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-40-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2672-27-0x00000000051D0000-0x000000000521D000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2468-0-0x0000000000EB0000-0x0000000001036000-memory.dmp	upx
behavioral2/memory/2468-13-0x0000000000EB0000-0x0000000001036000-memory.dmp	upx
behavioral2/memory/2468-19-0x0000000000EB0000-0x0000000001036000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2468-13-0x0000000000EB0000-0x0000000001036000-memory.dmp	autoit_exe
behavioral2/memory/2468-19-0x0000000000EB0000-0x0000000001036000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 2672	2468	LPO.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2672	RegSvcs.exe
2672	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2468	LPO.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2468	LPO.exe
2468	LPO.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2468	LPO.exe
2468	LPO.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2672	2468	LPO.exe	91
PID 2468 wrote to memory of 2672	2468	LPO.exe	91
PID 2468 wrote to memory of 2672	2468	LPO.exe	91
PID 2468 wrote to memory of 2672	2468	LPO.exe	91

C:\Users\Admin\AppData\Local\Temp\LPO.exe
"C:\Users\Admin\AppData\Local\Temp\LPO.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\LPO.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut3989.tmp

Filesize
261KB

MD5
26e86fb514add9d3f0208ada82285fd1

SHA1
ddbf5156e45eaeed9a75929da2b07a59d2555fae

SHA256
15c19957e79c4d6c11f85315fb7994f72612761ea74df3bb4460ce8057af3b92

SHA512
94ae418b3d51f4a803ac987533093a0493050350bad34db757d404ab62e6793c050e15c75c8d6bde8e7a65948ebbb8e3724fa07ef5e85eca30ddec9e721ed3df

Download Submit
memory/2468-0-0x0000000000EB0000-0x0000000001036000-memory.dmp

Filesize
1.5MB

Download
memory/2468-13-0x0000000000EB0000-0x0000000001036000-memory.dmp

Filesize
1.5MB

Download
memory/2468-14-0x0000000004390000-0x0000000004394000-memory.dmp

Filesize
16KB

Download
memory/2468-19-0x0000000000EB0000-0x0000000001036000-memory.dmp

Filesize
1.5MB

Download
memory/2672-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2672-17-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2672-18-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2672-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2672-20-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/2672-21-0x0000000005100000-0x0000000005154000-memory.dmp

Filesize
336KB

Download
memory/2672-22-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/2672-23-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/2672-24-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/2672-25-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/2672-26-0x00000000051D0000-0x0000000005222000-memory.dmp

Filesize
328KB

Download
memory/2672-28-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-36-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-34-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-84-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-80-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-78-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-76-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-74-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-72-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-70-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-66-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-64-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-62-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-60-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-56-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-52-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-48-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-46-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-45-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-42-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-38-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-32-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-30-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-82-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-68-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-58-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-54-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-50-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-40-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-27-0x00000000051D0000-0x000000000521D000-memory.dmp

Filesize
308KB

Download
memory/2672-1057-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/2672-1058-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/2672-1059-0x00000000061C0000-0x0000000006210000-memory.dmp

Filesize
320KB

Download
memory/2672-1060-0x00000000062B0000-0x0000000006342000-memory.dmp

Filesize
584KB

Download
memory/2672-1061-0x0000000006220000-0x000000000622A000-memory.dmp

Filesize
40KB

Download
memory/2672-1062-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2672-1063-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/2672-1064-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download