AgentTesla and ZGRat
This report documents a detailed analysis of malware samples identified as part of the AgentTesla and ZGRat families. AgentTesla is a Remote Access Tool (RAT) written in Visual Basic, known for its keylogging, stealing, and spyware capabilities. ZGRat, also identified during the analysis, is a RAT written in C#, designed to perform various malicious activities including data theft and system surveillance.
Sandbox
Platform: windows10-2004_x64
Description: Windows 10, version 2004 (10 May 2020 Update)
Sample
Malware Family: AgentTesla
SHA-256: f775de1a4a4b03ed1e4252e4135c5dbea343c6b4b3f9d0baf0bd63b2e91ff20a
File size: 795KB
Submitted: 02/11/2023, 12:02:56
Malware Configuration
The configuration analysis revealed SMTP credentials likely used for exfiltrating data. The SMTP server mail[.]expertsconsultgh[.]co on port 587 and the associated email addresses indicate that the malware sends collected data to an attacker-controlled mailbox.
MITRE ATT&CK
The dynamic analysis yielded several behavioural characteristics aligned to the following MITRE ATT&CK stages:
Execution & Persistence: Utilisation of scheduled tasks (T1053) indicates the malware’s methods for execution and maintaining persistence.
Privilege Escalation: The same technique is used to elevate the malware’s privileges in the system.
Credential Access: Discovery of unsecured credentials (T1552) and credentials stored in files (T1552.001).
Discovery: The malware queries the registry (T1012) and discovers system information (T1082) and peripheral devices (T1120).
Collection: Data is collected from the local system (T1005) and email clients (T1114).
Network Activity
The malware engaged in various network activities, including DNS queries for reverse DNS PTR records and HTTP GET requests to Bing services. These requests could be indicative of command-and-control communication or attempts to disguise malicious traffic as legitimate.
Downloads
Several files were downloaded or accessed, including preferences and state information for the Microsoft Edge browser and various memory dumps. The files’ sizes range from 152 bytes to 7MB, with detailed hash information provided for each file.
In addition, the presence of __PSScriptPolicyTest*.ps1 suggests that PowerShell was likely used, which might be associated with execution policy bypass, modifying preferences and other script-related activities. Note that PowerShell writes this file itself at start-up to test whether script execution is blocked by application control policy, so on its own it shows only that a PowerShell host was launched; the activity attributed to it comes from the process observations below.
Processes
Multiple processes were observed, including the execution of the malware from the Temp directory and PowerShell used to modify Defender preferences, indicating defence evasion techniques. Scheduled tasks were created for persistence, and Microsoft Edge processes were potentially exploited for surveillance activities.
The analysed AgentTesla and ZGRat samples exhibit sophisticated capabilities, including evasion, data theft, and maintaining persistence.
Signatures
AgentTesla
Type: Remote Access Tool (RAT)
Language: Written in Visual Basic
Capabilities:
Keylogger: Records user keystrokes.
Trojan: Misleads users of its true intent.
Stealer: Harvests sensitive data from the infected system.
Spyware: Covertly observes user behaviour and gathers information.
It has been directly linked with indicators of compromise related to ZGRat, suggesting a possible connection or overlap in the tactics used by both malware types; the sandbox recorded 1 IoC matching the "Detect ZGRat V1" signature.
ZGRat
Type: Remote Access Trojan (RAT)
Language: Written in C#
Capabilities:
Checks computer location settings, potentially for geofencing, with 2 Techniques, Tactics, and Procedures (TTPs) and 1 IoC identified.
Reads data files stored by FTP clients, such as FileZilla configuration files, with 2 TTPs observed.
Targets local email client data, with 2 TTPs identified.
Accesses user/profile data from web browsers to extract credentials, with 2 TTPs observed.
Interacts with Microsoft Outlook profiles, with 1 TTP and 3 IoCs detected.
Suspicious Activities:
Use of SetThreadContext, with 1 IoC observed.
Enumerates physical storage devices and interacts with storage/optical drives, with 1 TTP identified.
Checks SCSI registry keys and processor information in the registry to detect sandbox environments, with 3 TTPs and 3 IoCs for SCSI checks, and 2 TTPs and 2 IoCs for processor checks.
Creates scheduled tasks for persistence or post-infection execution, with 1 TTP and 1 IoC noted.
Persistence Mechanisms and Suspicious Activities:
Enumerates system info in the registry with 2 TTPs and 3 IoCs.
Exhibits suspicious behaviour by enumerating processes, with 64 IoCs noted.
Uses NtCreateUserProcess to block non-Microsoft binaries, with 4 IoCs observed.
Suspicious use of AdjustPrivilegeToken, with 7 IoCs noted.
Finds and interacts with the Shell Tray Window, with 64 IoCs observed.
Uses SendNotifyMessage in a potentially suspicious manner, with 64 IoCs noted.
Writes to the memory of another process (WriteProcessMemory), with 64 IoCs observed.
Specific references to paths used by Outlook, with 1 IoC for outlook_office_path and 1 IoC for outlook_win_path.
Both AgentTesla and ZGRat are sophisticated pieces of malware with capabilities that include stealth, data theft, and persistent access, with a focus on evading detection and maintaining a foothold on compromised systems.
Indicator of Compromise (IoC)
Below are the IoCs obtained from the analysis, categorised by type and modified to prevent direct exploitation. These files are likely used for various purposes such as storing configurations, logging data, or executing malicious scripts.
AgentTesla Related Files:
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
SHA256: 4f3db63d7fb486a9af5ae2de005a23040d4edb2067439fff25de8ab41b120035
ZGRat Related Files:
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
Common to Both Malware Families:
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
SHA256: 3b1c14df5eddd3ccbe04ad76bd16b9094a6686173507d8d229e07329973213e7
SHA256: 1e7273b627e47c6ebcb104f31f519f4899b3c4e9f14413de6c0832abca63ff43
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
SHA256: e25c91ffeeee88c35da3b596ac742d7d2e5ea4a5d460a12c1885973006ae69dd
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
SHA256: 172794fa65254783ad165d378fe3444fe93378231ca4b8cd46406e08fd48a0d9
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzucciuv.qjt.ps1
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
C:\Users\Admin\AppData\Local\Temp\tmp6FCC.tmp
SHA256: 5a2a04a9704c64a162a09d74be7b461dac6595e387dd9f05defcd5ada99e1fb9
Network Signatures:
DNS Queries:
HTTP Requests:
https[:]//g[.]bing[.]com/neg/0?action=...
https[:]//tse1[.]mm[.]bing[.]net/th?id=...
Email Transaction Details:
SMTP Server: mail[.]expertsconsultgh[.]co
User: oppong@expertsconsultgh[.]co
Password: Oppong.2012
Recipient Address: wisdombig57@gmail[.]com
Misc
A collection of memory dump files from various processes, named like memory/1256-*-memory.dmp.
Scheduled tasks named "Updates*" were identified as the mechanism used for execution and for maintaining persistence.
The IoCs provided in this report should be integrated into security information and event management (SIEM) systems, threat intelligence platforms, and used to enhance intrusion detection systems (IDS) and intrusion prevention systems (IPS).
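As an added illustration that is not part of the original report, the Python sketch below turns four of the behaviours described above into detection logic and runs it over constructed sample events: execution from the Temp directory, creation of an "Updates*" scheduled task, PowerShell changing Defender preferences, and direct SMTP on port 587 from a process that is not a mail client. The event shape, the Set-MpPreference cmdlet as the means of changing Defender preferences, and the mail-client allow-list are assumptions.

```python
import re

# Constructed sample telemetry in a simplified process/network event shape (not sandbox output).
# The Temp executable, the "Updates\..." task and port-587 traffic mirror the report's findings.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\Admin\AppData\Local\Temp\tmp6FCC.tmp.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\tmp6FCC.tmp.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Updates\tmp6FCC" /XML C:\Users\Admin\AppData\Local\Temp\tmp6FCC.tmp'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass Set-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"},
    {"type": "network", "image": r"C:\Users\Admin\AppData\Local\Temp\tmp6FCC.tmp.exe",
     "dst_host": "mail.expertsconsultgh.co", "dst_port": 587},
    {"type": "network", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_host": "smtp.office365.com", "dst_port": 587},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Assumed allow-list of processes expected to speak SMTP; tune it for the environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_exec_from_temp(e):
    # Binary started from the user's Temp directory (the sample's launch location).
    return e["type"] == "process" and re.search(r"\\AppData\\Local\\Temp\\", e["image"], re.I) is not None

def rule_updates_task(e):
    # schtasks /Create with a task name starting "Updates" (the "Updates*" persistence pattern).
    return (e["type"] == "process" and basename(e["image"]) == "schtasks.exe"
            and re.search(r'/create\b.*?/tn\s+"?updates', e["cmdline"], re.I) is not None)

def rule_defender_tamper(e):
    # Set-MpPreference is the Defender configuration cmdlet; that the sample used it is an assumption.
    return (e["type"] == "process" and "powershell" in basename(e["image"])
            and "set-mppreference" in e["cmdline"].lower())

def rule_smtp_from_non_mail_client(e):
    # Direct SMTP (25/465/587) from anything that is not a known mail client.
    return (e["type"] == "network" and e["dst_port"] in (25, 465, 587)
            and basename(e["image"]) not in MAIL_CLIENTS)

RULES = {"exec_from_temp": rule_exec_from_temp, "updates_task": rule_updates_task,
         "defender_tamper": rule_defender_tamper, "smtp_from_non_mail_client": rule_smtp_from_non_mail_client}

def detect(events):
    """Return (rule_name, image) for every event matching a rule, in event order."""
    return [(name, e["image"]) for e in events for name, rule in RULES.items() if rule(e)]

if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"{name:28} {image}")
```

The Outlook connection on port 587 is deliberately included to show that the SMTP rule needs an allow-list, otherwise every legitimate mail client would trigger it.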