agenttesla | 853b8b5ab3cbde2381a1e4a6721ea06faf392dcab12c955fd908b7da578d6e37

General

Target

DHL-#AWB130501923096.pdf.exe
Size

580KB
MD5

14f101774538a109fb276b133d57cb40
SHA1

525c55f93fb99e1aff4f0ada394eb665f549aa0c
SHA256

853b8b5ab3cbde2381a1e4a6721ea06faf392dcab12c955fd908b7da578d6e37
SHA512

7049c14634a9c56a44512bf2db51a4dd9137ee5b8772861c74686a1c2d26770832c1e5397a76d6aa8c0f75583feb8c5ad37dfd2e05e2c9801cf7198afd99c44c

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/828-0-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/828-1-0x000000000044CB6E-mapping.dmp	family_agenttesla
behavioral1/memory/828-2-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/828-3-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL-#AWB130501923096.pdf.exe

description pid process target process

PID 832 set thread context of 828 832 DHL-#AWB130501923096.pdf.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSBuild.exe

pid process

828 MSBuild.exe
828 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 828 MSBuild.exe

description	pid	process	target process
PID 832 set thread context of 828	832	DHL-#AWB130501923096.pdf.exe	MSBuild.exe

pid	process
828	MSBuild.exe
828	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	828	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

DHL-#AWB130501923096.pdf.exeMSBuild.exe

description	pid	process	target process
PID 832 wrote to memory of 828	832	DHL-#AWB130501923096.pdf.exe	MSBuild.exe
PID 832 wrote to memory of 828	832	DHL-#AWB130501923096.pdf.exe	MSBuild.exe
PID 832 wrote to memory of 828	832	DHL-#AWB130501923096.pdf.exe	MSBuild.exe
PID 832 wrote to memory of 828	832	DHL-#AWB130501923096.pdf.exe	MSBuild.exe
PID 832 wrote to memory of 828	832	DHL-#AWB130501923096.pdf.exe	MSBuild.exe
PID 832 wrote to memory of 828	832	DHL-#AWB130501923096.pdf.exe	MSBuild.exe
PID 832 wrote to memory of 828	832	DHL-#AWB130501923096.pdf.exe	MSBuild.exe
PID 832 wrote to memory of 828	832	DHL-#AWB130501923096.pdf.exe	MSBuild.exe
PID 832 wrote to memory of 828	832	DHL-#AWB130501923096.pdf.exe	MSBuild.exe
PID 828 wrote to memory of 1660	828	MSBuild.exe	netsh.exe
PID 828 wrote to memory of 1660	828	MSBuild.exe	netsh.exe
PID 828 wrote to memory of 1660	828	MSBuild.exe	netsh.exe
PID 828 wrote to memory of 1660	828	MSBuild.exe	netsh.exe

memory/828-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/828-1-0x000000000044CB6E-mapping.dmp

Download
memory/828-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/828-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1660-4-0x0000000000000000-mapping.dmp

Download