Analysis Overview
SHA256
5ac895bf45fe96e3f5dd02766c8fac66452ed7fd66921093ae8a9bd79ba2f2a1
Threat Level: Known bad
The file e-dekont.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Detect ZGRat V1
ZGRat
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 08:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 08:31
Reported
2024-05-10 08:33
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1040 set thread context of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e-dekont.exe
"C:\Users\Admin\AppData\Local\Temp\e-dekont.exe"
C:\Users\Admin\AppData\Local\Temp\e-dekont.exe
"C:\Users\Admin\AppData\Local\Temp\e-dekont.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 08:31
Reported
2024-05-10 08:33
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2280 set thread context of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e-dekont.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e-dekont.exe
"C:\Users\Admin\AppData\Local\Temp\e-dekont.exe"
C:\Users\Admin\AppData\Local\Temp\e-dekont.exe
"C:\Users\Admin\AppData\Local\Temp\e-dekont.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.gencoldfire.com | udp |
| IT | 185.196.11.12:587 | mail.gencoldfire.com | tcp |
| US | 8.8.8.8:53 | 12.11.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e-dekont.exe.log
| MD5 | 4b74e933d78bd5e8fb1cc4653fb2133c |
| SHA1 | f6e931eec700fa325bd40c3adc6f1c0eba806066 |
| SHA256 | fd99bed17853f5ad196ca6d4a62f5e2405fbdf5b98cbf45af8b7cef83e4bcec3 |
| SHA512 | b56ff89eff1a757a87dcb875206ae92d39ffdb5adf638600c21bc7c76ff4cc25502ae1060716488c7ed1641f8cdfad2a320443b7b4d9f09808eb86eb87f351ec |