agenttesla | a609b506672dd6a2da8bd25c0ae4d21688c2ed48c1c205366e6a8c3a323e6671

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

1.1MB
MD5

63b2c81131687e687e3e7f1c0deb12c8
SHA1

2465347106a89ada6ede41f6ee6f89f3979621a0
SHA256

a609b506672dd6a2da8bd25c0ae4d21688c2ed48c1c205366e6a8c3a323e6671
SHA512

20765196191da86142c415f54f948ab9ec84b2e24d991e81a185d6d5cc3ba77ed6ffa6655e8e927cac73d9ce30b55b1e21565701dbeec91a64fbd9f553cbc3e1
SSDEEP

24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHal2gcNWtf8QL4vd5:gh+ZkldoPK8Yal2pWtf7L4/

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral1/memory/2716-30-0x0000000000DD0000-0x0000000000E26000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-31-0x0000000000E70000-0x0000000000EC4000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-65-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-93-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-91-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-89-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-87-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-85-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-83-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-81-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-79-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-77-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-75-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-73-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-71-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-69-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-67-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-63-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-61-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-59-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-57-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-55-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-53-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-51-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-49-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-47-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-45-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-43-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-41-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-39-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-37-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-35-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-34-0x0000000000E70000-0x0000000000EBE000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 2716	1636	2.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2716	RegSvcs.exe
2716	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2236	2.exe
1636	2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2236	2.exe
2236	2.exe
1636	2.exe
1636	2.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2236	2.exe
2236	2.exe
1636	2.exe
1636	2.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2264	2236	2.exe	28
PID 2236 wrote to memory of 2264	2236	2.exe	28
PID 2236 wrote to memory of 2264	2236	2.exe	28
PID 2236 wrote to memory of 2264	2236	2.exe	28
PID 2236 wrote to memory of 2264	2236	2.exe	28
PID 2236 wrote to memory of 2264	2236	2.exe	28
PID 2236 wrote to memory of 2264	2236	2.exe	28
PID 2236 wrote to memory of 1636	2236	2.exe	29
PID 2236 wrote to memory of 1636	2236	2.exe	29
PID 2236 wrote to memory of 1636	2236	2.exe	29
PID 2236 wrote to memory of 1636	2236	2.exe	29
PID 1636 wrote to memory of 2716	1636	2.exe	30
PID 1636 wrote to memory of 2716	1636	2.exe	30
PID 1636 wrote to memory of 2716	1636	2.exe	30
PID 1636 wrote to memory of 2716	1636	2.exe	30
PID 1636 wrote to memory of 2716	1636	2.exe	30
PID 1636 wrote to memory of 2716	1636	2.exe	30
PID 1636 wrote to memory of 2716	1636	2.exe	30
PID 1636 wrote to memory of 2716	1636	2.exe	30

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\enterogenous

Filesize
263KB

MD5
f5205acc2270c8bfc1cf04f8810148f5

SHA1
9d68b6c8e4da2f60315f399fbb32aa7d1c2ccd96

SHA256
ce371ddaf4068feeb9b82ea34e8ee9b756669f5fda9ed320676fa1d5b64096c8

SHA512
7a7bffbde0957bc09c26eca6ee74d5efdddfa75357b4d2f62590474a9a2b68f220b9001a2577b4a4facd88f5e1d626d80b326bd1cb033734846a8b123fb17df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\enterogenous

Filesize
263KB

MD5
c106896e1636bcad0a7db38ca474c7d6

SHA1
e24ad475fdcc6149e2c38c20207d95cf436ab5c9

SHA256
cce9e3ef477a8fb34f2e0c0e8d364575e2258850acd5820895ee4ab9b889e1e6

SHA512
5f36a2d7a057663d1aa6e52b8c1e7ee1a7978e5f2a93c2f1df93488cd7afafccfbbebd4138952c7b0ce39426d9bb12f0218aedd66479b3e2e280f939404f61d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\thixophobia

Filesize
29KB

MD5
d2c46d43067bde1c232dd27487ef8f18

SHA1
e91023851a5521b5c12402ed522df81e74fe9594

SHA256
10f518b16d9aad70fde8365266e9ca55294f0fe9b6dd98bf6fa64d27c8fd5ef0

SHA512
07daf6ceeac2e173104b83f5e64ee127797b80359e47147e9a6133c176fe62e7ea53b81ba8ccadaef6877450bb45701fa8e49d4649d22c0daf14647fbc87d32f

Download Submit
memory/2236-11-0x0000000000380000-0x0000000000384000-memory.dmp

Filesize
16KB

Download
memory/2716-75-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-67-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2716-29-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/2716-30-0x0000000000DD0000-0x0000000000E26000-memory.dmp

Filesize
344KB

Download
memory/2716-31-0x0000000000E70000-0x0000000000EC4000-memory.dmp

Filesize
336KB

Download
memory/2716-32-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-33-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-65-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-93-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-91-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-89-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-87-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-85-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-83-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-81-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-79-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-69-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-25-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2716-73-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-28-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2716-71-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-77-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-63-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-61-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-59-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-57-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-55-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-53-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-51-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-49-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-47-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-45-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-43-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-41-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-39-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-37-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-35-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-34-0x0000000000E70000-0x0000000000EBE000-memory.dmp

Filesize
312KB

Download
memory/2716-1078-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-1079-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2716-1080-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/2716-1081-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download