Overview

overview

10

Static

static

5

Factura Pr...07.exe

windows7-x64

10

Factura Pr...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Factura Proforma Nº 2024000107.exe

  • Size

    1.2MB

  • MD5

    b1a93c951334dd187af4ab129e2729fc

  • SHA1

    031ae853bb236ce49cf2db417e54d6b1cf994c79

  • SHA256

    00fd3a2a4eb0b43e1b4c897cd57306ec6d3219d2241972350a211362ae33e5aa

  • SHA512

    475eab0dfefb0575ab26b1c8c4ba3abbcc97854df45207f73ed2f4b9a224418afad1cfdccf0d95ef88c69311282516931808b9caccd2e0c6e64d7c3f07acbd7a

  • SSDEEP

    24576:1qDEvCTbMWu7rQYlBQcBiT6rprG8aMsYQWACbIXiZy5NlD:1TvC/MTQYxsWR7aMYW8iw5z

Score
10/10
agentteslazgratkeyloggerratspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 33 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe
    "C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe"
      2⤵
        PID:2028
      • C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe
        "C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2624

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\caulds
      Filesize

      263KB

      MD5

      6cf3c765268057401b03eca327aa2d87

      SHA1

      4cc0f1c03bc77f5a7612adb0bb7f04ba3de8ec8b

      SHA256

      455c788c58930a02e8d465d9639df8e55ebdeb839af4981d4c82fdc8949d04a8

      SHA512

      a92084c528b3a6d9d03a05ce383f4a51d3745f85a852c9f7e32165f31234eefe6d6a9216fc8e15d2da40b75436a21b62616f47a7313c91dd96d21c53db5b4c84

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\caulds
      Filesize

      263KB

      MD5

      ff69e5b87fc95975f561a198436ff13d

      SHA1

      c7530be06a74881045428e4d8bf42b05205445d2

      SHA256

      f943793eadc0fb8f6966cc9c1514f3d68ff194f387fb50290ae64d05db9aa423

      SHA512

      2e5ffa05f06a056c138823726822a3c469ccd1aad29906c20e40c85d0194a99f081f4ecfe2ac73d54fdd2282f8b3b95b4b9fa47c950f3045a36fd862e19da723

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\chiffons
      Filesize

      28KB

      MD5

      d150336a77fcd72be6e703391461755d

      SHA1

      d1dd9861ea6295faa178312fdddf85504de531a1

      SHA256

      7c55f821158f3f2ce3608f5f6001b907cd3ce93dbe12c9d296577c00cf41a2b5

      SHA512

      814099f8f991d4c04b3aeb5b24ad778230622991f9198ae0cc31317838bb5217f30fa777f522d873014744c1e84e051bf740baefa7c115da66604a5ac27072ee

      Download Submit
    • memory/2400-11-0x0000000000120000-0x0000000000124000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2624-1079-0x0000000073E50000-0x000000007453E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2624-29-0x0000000073E5E000-0x0000000073E5F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2624-28-0x0000000000400000-0x0000000000446000-memory.dmp
      Filesize

      280KB

      Download
    • memory/2624-63-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-30-0x0000000000370000-0x00000000003C6000-memory.dmp
      Filesize

      344KB

      Download
    • memory/2624-31-0x0000000000C70000-0x0000000000CC4000-memory.dmp
      Filesize

      336KB

      Download
    • memory/2624-32-0x0000000073E50000-0x000000007453E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2624-33-0x0000000073E50000-0x000000007453E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2624-65-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-57-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-25-0x0000000000400000-0x0000000000446000-memory.dmp
      Filesize

      280KB

      Download
    • memory/2624-249-0x0000000073E50000-0x000000007453E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2624-61-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-89-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-87-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-85-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-83-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-71-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-69-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-67-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-93-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-27-0x0000000000400000-0x0000000000446000-memory.dmp
      Filesize

      280KB

      Download
    • memory/2624-92-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-59-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-55-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-53-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-51-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-49-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-45-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-43-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-41-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-39-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-37-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-36-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-34-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-82-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-79-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-77-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-75-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-73-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-47-0x0000000000C70000-0x0000000000CBE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2624-1080-0x0000000000400000-0x0000000000446000-memory.dmp
      Filesize

      280KB

      Download
    • memory/2624-1081-0x0000000073E5E000-0x0000000073E5F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2624-1082-0x0000000073E50000-0x000000007453E000-memory.dmp
      Filesize

      6.9MB

      Download