agenttesla | 014c63995ab8a581d36147558e3952078075055ccfd3fc3608c9601131b2ee37

General

Target

JEA_567432.exe
Size

1.3MB
MD5

8611f136427ea738e84f352699d9d02d
SHA1

40ab3916078fe48612287874753790bf57aaf0d8
SHA256

014c63995ab8a581d36147558e3952078075055ccfd3fc3608c9601131b2ee37
SHA512

1ba99eb64935cf7683cfdf6e8c054ad4466e196db653dfb0688d11fb1c1a5b0fabb6800f259dc4cf11d2fcce2989e2a4bba7c2c55b77cf8f217cb81c404b8fa2

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
goksal.sir@prosoftelektrik.com
Password:
Wm^kN*!7

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1560-0-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1560-1-0x00000000004469FE-mapping.dmp	family_agenttesla
behavioral1/memory/1560-2-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Drops startup file 1 IoCs

Processes:

JEA_567432.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nslookup.url	JEA_567432.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

JEA_567432.exe

description pid process target process

PID 1496 set thread context of 1560 1496 JEA_567432.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSBuild.exe

pid process

1560 MSBuild.exe
1560 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1560 MSBuild.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

JEA_567432.exe

pid process

1496 JEA_567432.exe
1496 JEA_567432.exe
1496 JEA_567432.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

JEA_567432.exe

pid process

1496 JEA_567432.exe
1496 JEA_567432.exe
1496 JEA_567432.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

1560 MSBuild.exe

description	pid	process	target process
PID 1496 set thread context of 1560	1496	JEA_567432.exe	MSBuild.exe

pid	process
1560	MSBuild.exe
1560	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1560	MSBuild.exe

pid	process
1496	JEA_567432.exe
1496	JEA_567432.exe
1496	JEA_567432.exe

pid	process
1496	JEA_567432.exe
1496	JEA_567432.exe
1496	JEA_567432.exe

pid	process
1560	MSBuild.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

JEA_567432.exe

description	pid	process	target process
PID 1496 wrote to memory of 1560	1496	JEA_567432.exe	MSBuild.exe
PID 1496 wrote to memory of 1560	1496	JEA_567432.exe	MSBuild.exe
PID 1496 wrote to memory of 1560	1496	JEA_567432.exe	MSBuild.exe
PID 1496 wrote to memory of 1560	1496	JEA_567432.exe	MSBuild.exe
PID 1496 wrote to memory of 1560	1496	JEA_567432.exe	MSBuild.exe
PID 1496 wrote to memory of 1560	1496	JEA_567432.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\JEA_567432.exe
"C:\Users\Admin\AppData\Local\Temp\JEA_567432.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1560

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1560-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1560-1-0x00000000004469FE-mapping.dmp

Download
memory/1560-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads