agenttesla | c1b10ca7aac50af11c80df17d6beb69b36b6b468b8ae79d33e60b77e66f4183c

General

Target

Hqjtehdep.exe
Size

4.4MB
MD5

dcbe06e2f3054aa9126691eaa33f03f2
SHA1

9716dc37e885de30efb8319f3653782c25712db2
SHA256

6e93b0e461b5098a0b9f61b10199135452cf93e54fd2d4fa37b9df909591be2b
SHA512

4ed52f2783ad6813526f0e3dd6fb4c1648aa5883f1beca5cd8f12cd50828d2c52ad782133bd8e4a57348fdc7b089b62e222550b146dab6447ca46c15f0e50b88
SSDEEP

24576:ENrJDheOmsfxYFB6YST9YaCjWbOCixQel8vBw+/m6hWsmQvd6KqcR3PPwf:E

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.spia-indonesia.org
Port:
587
Username:
[email protected]
Password:
Looloo123@#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2772-2-0x0000000006CF0000-0x0000000006F22000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-10-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-6-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-16-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-28-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-40-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-58-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-66-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-64-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-62-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-60-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-68-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-56-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-54-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-46-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-44-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-42-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-38-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-36-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-34-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-52-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-50-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-48-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-32-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-30-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-20-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-14-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-12-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-8-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-26-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-24-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-22-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-18-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-5-0x0000000006CF0000-0x0000000006F1B000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aspnet_compiler.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MvQHOaQ = "C:\\Users\\Admin\\AppData\\Roaming\\MvQHOaQ\\MvQHOaQ.exe"	aspnet_compiler.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

54 api.ipify.org
53 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Hqjtehdep.exe

description pid process target process

PID 2772 set thread context of 4672 2772 Hqjtehdep.exe aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aspnet_compiler.exe

pid process

4672 aspnet_compiler.exe
4672 aspnet_compiler.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Hqjtehdep.exeaspnet_compiler.exe

description pid process

Token: SeDebugPrivilege 2772 Hqjtehdep.exe
Token: SeDebugPrivilege 2772 Hqjtehdep.exe
Token: SeDebugPrivilege 4672 aspnet_compiler.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

4672 aspnet_compiler.exe

flow	ioc
54	api.ipify.org
53	api.ipify.org

description	pid	process	target process
PID 2772 set thread context of 4672	2772	Hqjtehdep.exe	aspnet_compiler.exe

pid	process
4672	aspnet_compiler.exe
4672	aspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	2772	Hqjtehdep.exe
Token: SeDebugPrivilege	2772	Hqjtehdep.exe
Token: SeDebugPrivilege	4672	aspnet_compiler.exe

pid	process
4672	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Hqjtehdep.exe

description	pid	process	target process
PID 2772 wrote to memory of 4672	2772	Hqjtehdep.exe	aspnet_compiler.exe
PID 2772 wrote to memory of 4672	2772	Hqjtehdep.exe	aspnet_compiler.exe
PID 2772 wrote to memory of 4672	2772	Hqjtehdep.exe	aspnet_compiler.exe
PID 2772 wrote to memory of 4672	2772	Hqjtehdep.exe	aspnet_compiler.exe
PID 2772 wrote to memory of 4672	2772	Hqjtehdep.exe	aspnet_compiler.exe
PID 2772 wrote to memory of 4672	2772	Hqjtehdep.exe	aspnet_compiler.exe
PID 2772 wrote to memory of 4672	2772	Hqjtehdep.exe	aspnet_compiler.exe
PID 2772 wrote to memory of 4672	2772	Hqjtehdep.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\Hqjtehdep.exe
"C:\Users\Admin\AppData\Local\Temp\Hqjtehdep.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2772-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2772-1-0x0000000000C30000-0x00000000010A6000-memory.dmp

Filesize
4.5MB

Download
memory/2772-2-0x0000000006CF0000-0x0000000006F22000-memory.dmp

Filesize
2.2MB

Download
memory/2772-3-0x00000000074D0000-0x0000000007A74000-memory.dmp

Filesize
5.6MB

Download
memory/2772-4-0x0000000006FC0000-0x0000000007052000-memory.dmp

Filesize
584KB

Download
memory/2772-10-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-6-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-16-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-28-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-40-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-58-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-66-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-64-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-62-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-60-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-68-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-56-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-54-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-46-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-44-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-42-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-38-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-36-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-34-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-52-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-50-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-48-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-32-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-30-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-20-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-14-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-12-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-8-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-26-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-24-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-22-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-18-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-5-0x0000000006CF0000-0x0000000006F1B000-memory.dmp

Filesize
2.2MB

Download
memory/2772-4885-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-4886-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-4887-0x0000000007080000-0x00000000070EC000-memory.dmp

Filesize
432KB

Download
memory/2772-4888-0x00000000070F0000-0x000000000713C000-memory.dmp

Filesize
304KB

Download
memory/2772-4889-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2772-4890-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-4891-0x0000000001970000-0x00000000019C4000-memory.dmp

Filesize
336KB

Download
memory/2772-4893-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4672-4894-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4672-4895-0x0000000000800000-0x0000000000842000-memory.dmp

Filesize
264KB

Download
memory/4672-4896-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/4672-4897-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4672-4899-0x0000000006130000-0x0000000006180000-memory.dmp

Filesize
320KB

Download
memory/4672-4900-0x00000000063D0000-0x00000000063DA000-memory.dmp

Filesize
40KB

Download
memory/4672-4901-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads