agenttesla | 92a314bf9cd8a43b29277834d900c82f7a2e978dcc19ba1dcad373d56217a623

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FİYAT TEKLİF İSTEĞİ.exe
Size

1.2MB
MD5

d123259f0d919be4c30c511debd1ea8d
SHA1

2fb20310b104f57e4810d512f138a47e2fb1f8b2
SHA256

92a314bf9cd8a43b29277834d900c82f7a2e978dcc19ba1dcad373d56217a623
SHA512

3c5de0afce6edb67c5fca44d5af3ca16076be6d993013acb709a4bd7bf30540ef55b9919a0879924f150adf97ec537b5fdc7e4ad83323350583439869289c062
SSDEEP

24576:xqDEvCTbMWu7rQYlBQcBiT6rprG8apoVBYCk70ww7TNF:xTvC/MTQYxsWR7apo8O

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral1/memory/1972-17-0x0000000000330000-0x0000000000386000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-18-0x0000000000450000-0x00000000004A4000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-69-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-54-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-79-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-77-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-75-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-73-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-71-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-67-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-65-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-63-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-61-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-59-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-57-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-55-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-51-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-49-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-47-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-45-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-43-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-41-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-39-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-37-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-35-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-33-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-31-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-29-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-27-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-25-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-23-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-21-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1972-20-0x0000000000450000-0x000000000049E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 1972	1704	FİYAT TEKLİF İSTEĞİ.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1972	RegSvcs.exe
1972	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1704	FİYAT TEKLİF İSTEĞİ.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1704	FİYAT TEKLİF İSTEĞİ.exe
1704	FİYAT TEKLİF İSTEĞİ.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1704	FİYAT TEKLİF İSTEĞİ.exe
1704	FİYAT TEKLİF İSTEĞİ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1972	1704	FİYAT TEKLİF İSTEĞİ.exe	28
PID 1704 wrote to memory of 1972	1704	FİYAT TEKLİF İSTEĞİ.exe	28
PID 1704 wrote to memory of 1972	1704	FİYAT TEKLİF İSTEĞİ.exe	28
PID 1704 wrote to memory of 1972	1704	FİYAT TEKLİF İSTEĞİ.exe	28
PID 1704 wrote to memory of 1972	1704	FİYAT TEKLİF İSTEĞİ.exe	28
PID 1704 wrote to memory of 1972	1704	FİYAT TEKLİF İSTEĞİ.exe	28
PID 1704 wrote to memory of 1972	1704	FİYAT TEKLİF İSTEĞİ.exe	28
PID 1704 wrote to memory of 1972	1704	FİYAT TEKLİF İSTEĞİ.exe	28

C:\Users\Admin\AppData\Local\Temp\FİYAT TEKLİF İSTEĞİ.exe
"C:\Users\Admin\AppData\Local\Temp\FİYAT TEKLİF İSTEĞİ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\FİYAT TEKLİF İSTEĞİ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\turbinate

Filesize
263KB

MD5
9f0b84bb4dd9938dac47b0a24a1aaf38

SHA1
f80e338f714cd4df612b0558200f35917cfa7d03

SHA256
bd0f7defce49abcdc5e9a1b546fb1ca6b0f6cccba0c0f761bf5deae6125c9d82

SHA512
2196b8e4ceb3f3da4cfe40b6392b958555e624ca6cf369e1f8f05909873d6137eca0cf474c20323b5b7928637aaaca07ba69d3594be6a9c6bcfe50f65390d300

Download Submit
memory/1704-11-0x0000000000560000-0x0000000000564000-memory.dmp

Filesize
16KB

Download
memory/1972-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1972-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1972-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1972-16-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/1972-17-0x0000000000330000-0x0000000000386000-memory.dmp

Filesize
344KB

Download
memory/1972-18-0x0000000000450000-0x00000000004A4000-memory.dmp

Filesize
336KB

Download
memory/1972-19-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-69-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-54-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-79-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-94-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-93-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-77-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-75-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-73-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-71-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-67-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-65-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-63-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-61-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-59-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-57-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-55-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-51-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-49-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-47-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-45-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-43-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-41-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-39-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-37-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-35-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-33-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-31-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-29-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-27-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-25-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-23-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-21-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-20-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/1972-1066-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-1067-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1972-1068-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/1972-1069-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download