agenttesla | cc71aaff5556a4053df2846a191ff63e54b3b10df75b98a3d8d5edc4c02c7d1b

General

Target

remittance advice 7.9.20.exe
Size

889KB
MD5

aa54e572432813a7d322e244339aa7b6
SHA1

dc66aef6d10872755dc4398c2915a5ec97054e17
SHA256

cc71aaff5556a4053df2846a191ff63e54b3b10df75b98a3d8d5edc4c02c7d1b
SHA512

52dbe880edb8cb74c3faef8a235d6e80947bd3ead4e3923a6577c39a467312a02ff99da95a6dafdf16d13e14b850ec1582ab9fe026658acba536f7b3e25280ab

Score

10^/10

agenttesla nanocore keylogger spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

AgentTesla Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1876-1-0x00000000005621E0-mapping.dmp	family_agenttesla
behavioral2/memory/1876-3-0x0000000000400000-0x0000000000564000-memory.dmp	family_agenttesla
behavioral2/memory/1876-4-0x0000000002360000-0x000000000240C000-memory.dmp	family_agenttesla
behavioral2/memory/1876-7-0x00000000005621E0-mapping.dmp	family_agenttesla
behavioral2/memory/1876-8-0x00000000005621E0-mapping.dmp	family_agenttesla
behavioral2/memory/1876-9-0x00000000005621E0-mapping.dmp	family_agenttesla
behavioral2/memory/1876-10-0x00000000005621E0-mapping.dmp	family_agenttesla

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1876-0-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral2/memory/1876-2-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral2/memory/1876-3-0x0000000000400000-0x0000000000564000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

remittance advice 7.9.20.exe

description pid process target process

PID 1740 set thread context of 1876 1740 remittance advice 7.9.20.exe remittance advice 7.9.20.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2196 1876 WerFault.exe remittance advice 7.9.20.exe

description	pid	process	target process
PID 1740 set thread context of 1876	1740	remittance advice 7.9.20.exe	remittance advice 7.9.20.exe

pid	pid_target	process	target process
2196	1876	WerFault.exe	remittance advice 7.9.20.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

remittance advice 7.9.20.exeremittance advice 7.9.20.exeWerFault.exe

pid	process
1740	remittance advice 7.9.20.exe
1740	remittance advice 7.9.20.exe
1876	remittance advice 7.9.20.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

remittance advice 7.9.20.exe

pid process

1740 remittance advice 7.9.20.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

remittance advice 7.9.20.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1876	remittance advice 7.9.20.exe
Token: SeRestorePrivilege	2196	WerFault.exe
Token: SeBackupPrivilege	2196	WerFault.exe
Token: SeDebugPrivilege	2196	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

remittance advice 7.9.20.exe

description	pid	process	target process
PID 1740 wrote to memory of 1876	1740	remittance advice 7.9.20.exe	remittance advice 7.9.20.exe
PID 1740 wrote to memory of 1876	1740	remittance advice 7.9.20.exe	remittance advice 7.9.20.exe
PID 1740 wrote to memory of 1876	1740	remittance advice 7.9.20.exe	remittance advice 7.9.20.exe

C:\Users\Admin\AppData\Local\Temp\remittance advice 7.9.20.exe
"C:\Users\Admin\AppData\Local\Temp\remittance advice 7.9.20.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\remittance advice 7.9.20.exe
"C:\Users\Admin\AppData\Local\Temp\remittance advice 7.9.20.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 1020
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1876-0-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/1876-1-0x00000000005621E0-mapping.dmp

Download
memory/1876-2-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/1876-3-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/1876-4-0x0000000002360000-0x000000000240C000-memory.dmp

Filesize
688KB

Download
memory/1876-5-0x00000000009B2000-0x00000000009B3000-memory.dmp

Filesize
4KB

Download
memory/1876-7-0x00000000005621E0-mapping.dmp

Download
memory/1876-8-0x00000000005621E0-mapping.dmp

Download
memory/1876-9-0x00000000005621E0-mapping.dmp

Download
memory/1876-10-0x00000000005621E0-mapping.dmp

Download
memory/2196-6-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/2196-11-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads