agenttesla | ff28bc5da16feadf7f4a6f94ca684b84afafc3da4d62e8154c01d7070041ce74

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura2205590821.exe
Size

1.1MB
MD5

63b2c81131687e687e3e7f1c0deb12c8
SHA1

2465347106a89ada6ede41f6ee6f89f3979621a0
SHA256

a609b506672dd6a2da8bd25c0ae4d21688c2ed48c1c205366e6a8c3a323e6671
SHA512

20765196191da86142c415f54f948ab9ec84b2e24d991e81a185d6d5cc3ba77ed6ffa6655e8e927cac73d9ce30b55b1e21565701dbeec91a64fbd9f553cbc3e1
SSDEEP

24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHal2gcNWtf8QL4vd5:gh+ZkldoPK8Yal2pWtf7L4/

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral1/memory/1992-17-0x00000000007A0000-0x00000000007F6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-18-0x0000000002080000-0x00000000020D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-28-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-80-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-78-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-76-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-74-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-72-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-70-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-68-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-66-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-64-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-62-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-60-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-58-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-56-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-54-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-52-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-50-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-48-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-46-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-44-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-42-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-40-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-38-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-36-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-34-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-32-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-30-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-26-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-24-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-22-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1992-21-0x0000000002080000-0x00000000020CE000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2876 set thread context of 1992	2876	Factura2205590821.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1992	RegSvcs.exe
1992	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2876	Factura2205590821.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2876	Factura2205590821.exe
2876	Factura2205590821.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2876	Factura2205590821.exe
2876	Factura2205590821.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 1992	2876	Factura2205590821.exe	28
PID 2876 wrote to memory of 1992	2876	Factura2205590821.exe	28
PID 2876 wrote to memory of 1992	2876	Factura2205590821.exe	28
PID 2876 wrote to memory of 1992	2876	Factura2205590821.exe	28
PID 2876 wrote to memory of 1992	2876	Factura2205590821.exe	28
PID 2876 wrote to memory of 1992	2876	Factura2205590821.exe	28
PID 2876 wrote to memory of 1992	2876	Factura2205590821.exe	28
PID 2876 wrote to memory of 1992	2876	Factura2205590821.exe	28

C:\Users\Admin\AppData\Local\Temp\Factura2205590821.exe
"C:\Users\Admin\AppData\Local\Temp\Factura2205590821.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\Factura2205590821.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\enterogenous

Filesize
263KB

MD5
c106896e1636bcad0a7db38ca474c7d6

SHA1
e24ad475fdcc6149e2c38c20207d95cf436ab5c9

SHA256
cce9e3ef477a8fb34f2e0c0e8d364575e2258850acd5820895ee4ab9b889e1e6

SHA512
5f36a2d7a057663d1aa6e52b8c1e7ee1a7978e5f2a93c2f1df93488cd7afafccfbbebd4138952c7b0ce39426d9bb12f0218aedd66479b3e2e280f939404f61d5

Download Submit
memory/1992-60-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1992-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1992-1068-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-16-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/1992-17-0x00000000007A0000-0x00000000007F6000-memory.dmp

Filesize
344KB

Download
memory/1992-18-0x0000000002080000-0x00000000020D4000-memory.dmp

Filesize
336KB

Download
memory/1992-19-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-20-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-28-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-62-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-80-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-58-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-76-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-74-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-72-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-70-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-68-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-66-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-64-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-86-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1992-78-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-56-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-1066-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-54-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-52-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-50-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-48-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-46-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-44-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-42-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-40-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-38-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-36-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-34-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-32-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-30-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-26-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-24-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-22-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-21-0x0000000002080000-0x00000000020CE000-memory.dmp

Filesize
312KB

Download
memory/1992-1067-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/2876-11-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download