agenttesla | d16adb8ef9dec60172b798b74bee440772fe45fd213254481925b7a226ff5fe0

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura Proforma Nº 2024000107.exe
Size

1.2MB
MD5

b1a93c951334dd187af4ab129e2729fc
SHA1

031ae853bb236ce49cf2db417e54d6b1cf994c79
SHA256

00fd3a2a4eb0b43e1b4c897cd57306ec6d3219d2241972350a211362ae33e5aa
SHA512

475eab0dfefb0575ab26b1c8c4ba3abbcc97854df45207f73ed2f4b9a224418afad1cfdccf0d95ef88c69311282516931808b9caccd2e0c6e64d7c3f07acbd7a
SSDEEP

24576:1qDEvCTbMWu7rQYlBQcBiT6rprG8aMsYQWACbIXiZy5NlD:1TvC/MTQYxsWR7aMYW8iw5z

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5152-18-0x00000000031B0000-0x0000000003206000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-22-0x00000000056D0000-0x0000000005724000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-41-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-83-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-81-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-79-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-75-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-73-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-71-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-69-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-67-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-63-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-61-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-59-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-57-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-55-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-51-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-49-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-47-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-45-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-43-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-39-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-37-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-35-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-33-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-31-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-29-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-27-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-25-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-24-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-77-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-65-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1
behavioral2/memory/5152-53-0x00000000056D0000-0x000000000571E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
23	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

Factura Proforma Nº 2024000107.exe

description	pid	Process	procid_target
PID 2888 set thread context of 5152	2888	Factura Proforma Nº 2024000107.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid	Process
5152	RegSvcs.exe
5152	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Factura Proforma Nº 2024000107.exe

pid	Process
2888	Factura Proforma Nº 2024000107.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description	pid	Process
Token: SeDebugPrivilege	5152	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Factura Proforma Nº 2024000107.exe

pid	Process
2888	Factura Proforma Nº 2024000107.exe
2888	Factura Proforma Nº 2024000107.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Factura Proforma Nº 2024000107.exe

pid	Process
2888	Factura Proforma Nº 2024000107.exe
2888	Factura Proforma Nº 2024000107.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Factura Proforma Nº 2024000107.exe

description	pid	Process	procid_target
PID 2888 wrote to memory of 5152	2888	Factura Proforma Nº 2024000107.exe	85
PID 2888 wrote to memory of 5152	2888	Factura Proforma Nº 2024000107.exe	85
PID 2888 wrote to memory of 5152	2888	Factura Proforma Nº 2024000107.exe	85
PID 2888 wrote to memory of 5152	2888	Factura Proforma Nº 2024000107.exe	85

C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe
"C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut3180.tmp

Filesize
263KB

MD5
ff69e5b87fc95975f561a198436ff13d

SHA1
c7530be06a74881045428e4d8bf42b05205445d2

SHA256
f943793eadc0fb8f6966cc9c1514f3d68ff194f387fb50290ae64d05db9aa423

SHA512
2e5ffa05f06a056c138823726822a3c469ccd1aad29906c20e40c85d0194a99f081f4ecfe2ac73d54fdd2282f8b3b95b4b9fa47c950f3045a36fd862e19da723

Download Submit
memory/2888-12-0x0000000002920000-0x0000000002924000-memory.dmp

Filesize
16KB

Download
memory/5152-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5152-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5152-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5152-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5152-17-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/5152-18-0x00000000031B0000-0x0000000003206000-memory.dmp

Filesize
344KB

Download
memory/5152-19-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/5152-20-0x0000000005E20000-0x00000000063C4000-memory.dmp

Filesize
5.6MB

Download
memory/5152-21-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/5152-23-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/5152-22-0x00000000056D0000-0x0000000005724000-memory.dmp

Filesize
336KB

Download
memory/5152-41-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-83-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-81-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-79-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-75-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-73-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-71-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-69-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-67-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-63-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-61-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-59-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-57-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-55-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-51-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-49-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-47-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-45-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-43-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-39-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-37-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-35-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-33-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-31-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-29-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-27-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-25-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-24-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-77-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-65-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-53-0x00000000056D0000-0x000000000571E000-memory.dmp

Filesize
312KB

Download
memory/5152-1068-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/5152-1069-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/5152-1070-0x0000000006BF0000-0x0000000006C40000-memory.dmp

Filesize
320KB

Download
memory/5152-1071-0x0000000006CE0000-0x0000000006D72000-memory.dmp

Filesize
584KB

Download
memory/5152-1072-0x0000000006C70000-0x0000000006C7A000-memory.dmp

Filesize
40KB

Download
memory/5152-1073-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5152-1074-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/5152-1075-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download