agenttesla | 6fcadc10d94ebbafb62fd909da84fc8bd4d097e05d2c8ffe111dae982037a950

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe
Size

1.3MB
MD5

cff5c70a05d8c31cbbe5b672b0bff870
SHA1

94f728622f8eabceccc8b1f013cf20998f070782
SHA256

6fcadc10d94ebbafb62fd909da84fc8bd4d097e05d2c8ffe111dae982037a950
SHA512

217c235c2baf1611b38cbbb876582ae685ed57509c863cb4dab9efd1ac6ad92d5656bd2749da2df4de10ce52aed72428716ca2537d866fd9f432183012bf12b6
SSDEEP

24576:9AHnh+eWsN3skA4RV1Hom2KXMmHao2MB5X7MZxOtd5:ch+ZkldoPK8Yao55

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral1/memory/2600-16-0x00000000003B0000-0x0000000000404000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-17-0x0000000000BF0000-0x0000000000C42000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-22-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-26-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-24-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-68-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-50-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-34-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-21-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-80-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-78-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-76-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-74-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-72-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-70-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-66-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-64-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-62-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-60-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-58-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-56-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-54-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-52-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-48-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-46-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-44-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-42-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-40-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-38-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-36-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-32-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-30-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2600-28-0x0000000000BF0000-0x0000000000C3D000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 2600	2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2600	RegSvcs.exe
2600	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe
2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe
2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2600	2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 2600	2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 2600	2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 2600	2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 2600	2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 2600	2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 2600	2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 2600	2084	cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\cff5c70a05d8c31cbbe5b672b0bff870_NeikiAnalytics.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2084-10-0x00000000002A0000-0x00000000002A4000-memory.dmp

Filesize
16KB

Download
memory/2600-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2600-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2600-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2600-15-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/2600-16-0x00000000003B0000-0x0000000000404000-memory.dmp

Filesize
336KB

Download
memory/2600-17-0x0000000000BF0000-0x0000000000C42000-memory.dmp

Filesize
328KB

Download
memory/2600-18-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-19-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-20-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-22-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-26-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-24-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-68-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-50-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-34-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-21-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-80-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-78-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-76-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-74-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-72-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-70-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-66-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-64-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-62-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-60-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-58-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-56-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-54-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-52-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-48-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-46-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-44-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-42-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-40-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-38-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-36-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-32-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-30-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-28-0x0000000000BF0000-0x0000000000C3D000-memory.dmp

Filesize
308KB

Download
memory/2600-1051-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-1052-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2600-1053-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/2600-1054-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download