agenttesla | 55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
Size

1.1MB
MD5

7e2e4be9954534c726a8cadffec10ac6
SHA1

bc33e4e0ffab747e7de429b21895e6c1af45a01b
SHA256

55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f
SHA512

a451ab24b1527fda77ee01336797acdc948124218eb2f1e74cb72fbc65764782fb5c1a939cbc01beccb1ee92c663e403a1c8913d7603799d0298a0d866472b92
SSDEEP

24576:l4lavt0LkLL9IMixoEgea5LTONsmImJbQcUIrq9MmCS:8kwkn9IMHea5LCCmImJlUOaPCS

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral1/memory/2572-42-0x0000000000300000-0x0000000000354000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-43-0x0000000000BD0000-0x0000000000C22000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-45-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-65-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-91-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-103-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-101-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-99-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-97-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-95-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-93-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-89-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-85-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-83-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-81-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-77-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-75-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-73-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-71-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-67-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-63-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-61-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-59-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-55-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-53-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-51-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-49-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-47-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-87-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-79-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-69-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-57-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-44-0x0000000000BD0000-0x0000000000C1D000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe"	RegSvcs.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 2572	2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2572	RegSvcs.exe
2572	RegSvcs.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2224	2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	28
PID 2188 wrote to memory of 2224	2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	28
PID 2188 wrote to memory of 2224	2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	28
PID 2188 wrote to memory of 2224	2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	28
PID 2188 wrote to memory of 2224	2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	28
PID 2188 wrote to memory of 2224	2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	28
PID 2188 wrote to memory of 2224	2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	28
PID 2188 wrote to memory of 1996	2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	29
PID 2188 wrote to memory of 1996	2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	29
PID 2188 wrote to memory of 1996	2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	29
PID 2188 wrote to memory of 1996	2188	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	29
PID 1996 wrote to memory of 2660	1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	30
PID 1996 wrote to memory of 2660	1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	30
PID 1996 wrote to memory of 2660	1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	30
PID 1996 wrote to memory of 2660	1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	30
PID 1996 wrote to memory of 2660	1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	30
PID 1996 wrote to memory of 2660	1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	30
PID 1996 wrote to memory of 2660	1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	30
PID 1996 wrote to memory of 2664	1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	31
PID 1996 wrote to memory of 2664	1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	31
PID 1996 wrote to memory of 2664	1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	31
PID 1996 wrote to memory of 2664	1996	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	31
PID 2664 wrote to memory of 2572	2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	32
PID 2664 wrote to memory of 2572	2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	32
PID 2664 wrote to memory of 2572	2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	32
PID 2664 wrote to memory of 2572	2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	32
PID 2664 wrote to memory of 2572	2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	32
PID 2664 wrote to memory of 2572	2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	32
PID 2664 wrote to memory of 2572	2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	32
PID 2664 wrote to memory of 2572	2664	55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe	32

C:\Users\Admin\AppData\Local\Temp\55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
"C:\Users\Admin\AppData\Local\Temp\55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe"
  2⤵
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
  "C:\Users\Admin\AppData\Local\Temp\55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe"
    3⤵
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe
    "C:\Users\Admin\AppData\Local\Temp\55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\55ef7668db1510c5c62979a247e9473962ffee441b6c34579c1ca4aee1ae894f.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut9C2.tmp

Filesize
9KB

MD5
86e8966f9f68a5274252e34fb6454ab3

SHA1
021940f93d80d4c7686cc0a4c3018aa7b99833f9

SHA256
a2fd885eef12a836c2db4dd72bd19ec7c4409d22bce33674be18dcff9bd61dee

SHA512
3e921809a23ddc120b2a4a72f82f7b98b84db068c6ae5b61440344c19ec54818cc9aa60c93c7f95c1fa13eae3da2a846392a4548354711f5b929ae7370b73bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\directiveness

Filesize
262KB

MD5
b5ff7082507761c010856e0c64f98641

SHA1
df5af0251bfc0fb0b32a5ac7767e9ac0609ed1e7

SHA256
d355bcc3238abe347e39f9759973e6ea93e49fbbe4697b159105f92f74fd01d2

SHA512
373769d68a68661c3d74b1c5eb716bb9ce817ff71f8f16cc16cf22738a244113b97dd0ca3e63fc5085bf3444d1a6086a1db5c5d407736cc01020570081e7edf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\directiveness

Filesize
262KB

MD5
8d01fa14795945ee0fc7b56514734614

SHA1
c232fd86191e18c7da604196d4f17be60996ca62

SHA256
42a2b3e1e1b168d84f5912c8ad600c36e6259fe59b3835b032115bf552185bc1

SHA512
3ff7d9905a1c44a8d5f59837313309fa7ed6f797995ac7fe5f897adbbea300f5cd8c5843f7776f3f8bbcdb191a921ad14ca3c27620619289489ffcd3c5cbdc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\directiveness

Filesize
262KB

MD5
78818edf83df89d0f363543f3738d43f

SHA1
2974cf9d93ba05859f71fb3e961045a9fa2df399

SHA256
1dc5f9d17ff9d9f690d0c95b8b45a5ea47c2c3e713f53ff8c2773fb22aa0e46f

SHA512
db328528a9c0544c541bf4dffb7f15e95a780d583aceba5cbe24609b1d3e932f74e03b2cf31b2ea493aa5159fa4786a8877b2b77bacb238ee62d0650d7ade53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nonhazardousness

Filesize
29KB

MD5
ccc12790de8eea677ecd48acf5a6882e

SHA1
e90da69f452d2bf23f160157fe7c2ad6075200da

SHA256
67a1285b338d01d2172d1166e6e8fe92976f9cbaa1410a26e56dc4965fc8f4be

SHA512
e2c720a81cb5e77cc3064cec6c15b53b23516459cd7e57959c5b7334a00dabd94abe86f4c797cb9a06f04d4673826496a0483c527b8e7c676f20a1edeb2c0fcc

Download Submit
memory/2188-11-0x00000000006C0000-0x00000000006C4000-memory.dmp

Filesize
16KB

Download
memory/2572-85-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-75-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2572-42-0x0000000000300000-0x0000000000354000-memory.dmp

Filesize
336KB

Download
memory/2572-43-0x0000000000BD0000-0x0000000000C22000-memory.dmp

Filesize
328KB

Download
memory/2572-45-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-65-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-91-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-103-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-101-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-99-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-97-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-95-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-93-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-89-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-38-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2572-83-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-81-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-77-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-40-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2572-73-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-71-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-67-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-63-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-61-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-59-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-55-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-53-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-51-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-49-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-47-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-87-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-79-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-69-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-57-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-44-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

Filesize
308KB

Download
memory/2572-1091-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download