Overview

overview

10

Static

static

5

63d74b4d5b...cs.exe

windows7-x64

10

63d74b4d5b...cs.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    12-05-2024 03:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63d74b4d5b18373ba3230ed473922c70_NeikiAnalytics.exe

  • Size

    1.1MB

  • MD5

    63d74b4d5b18373ba3230ed473922c70

  • SHA1

    96dd293df1e4d4f7972d3c2d647195b81a1699d8

  • SHA256

    328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa

  • SHA512

    c43d222acef5f5581ad1923431aa66a39161da2e69a02afc64aeb901e3c7465c392d11bad5d14662b66f79e90adc3ef843e78887591a4794486350aa0ba6f512

  • SSDEEP

    24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8amzNiCDJjKJ7ypNh1:0TvC/MTQYxsWR7amgUJI2

Score
10/10
agentteslazgratkeyloggerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 33 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63d74b4d5b18373ba3230ed473922c70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\63d74b4d5b18373ba3230ed473922c70_NeikiAnalytics.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\63d74b4d5b18373ba3230ed473922c70_NeikiAnalytics.exe"
      2⤵
        PID:2544
      • C:\Users\Admin\AppData\Local\Temp\63d74b4d5b18373ba3230ed473922c70_NeikiAnalytics.exe
        "C:\Users\Admin\AppData\Local\Temp\63d74b4d5b18373ba3230ed473922c70_NeikiAnalytics.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2016
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\63d74b4d5b18373ba3230ed473922c70_NeikiAnalytics.exe"
          3⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1648

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nonhazardousness
      Filesize

      28KB

      MD5

      eafe8751898e0b3c1ea7f59f88dbb724

      SHA1

      3e94472d4b13544dccf63cae2b695b486458f40c

      SHA256

      f6efb701356255d6b13eb6a66d405337a30d1d1b2d1263c382fab079ccc34df9

      SHA512

      575e8c115202394c75910021ffbd7d7c0519f9ffb3777bcf5107179267c02ba3b3aa59a0116d839a3a5aea73e152bd053fccd5b83a421f2a3dc0332c39a1bd28

      Download Submit

    • memory/1432-10-0x00000000001A0000-0x00000000001A4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1648-72-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-27-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1648-25-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1648-68-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-28-0x0000000000270000-0x00000000002C4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1648-29-0x0000000000C30000-0x0000000000C82000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1648-30-0x0000000073F50000-0x000000007463E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1648-32-0x0000000073F50000-0x000000007463E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1648-31-0x0000000073F50000-0x000000007463E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1648-52-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-70-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-90-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-66-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-84-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-82-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-80-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-78-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-76-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-74-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-23-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1648-92-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-26-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1648-88-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-64-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-62-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-60-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-58-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-56-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-54-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-50-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-48-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-46-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-86-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-44-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-42-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-40-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-38-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-36-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-34-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-33-0x0000000000C30000-0x0000000000C7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1648-1065-0x0000000073F50000-0x000000007463E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1648-1067-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1648-1068-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1648-1069-0x0000000073F50000-0x000000007463E000-memory.dmp

      Filesize

      6.9MB

      Download