agenttesla | 816ba0410d3765fad3ab66a6a1b9656e8c0c84a3387611f491be6ac7bad99ed1

General

Target

SCAN#DHL-PDF1822.exe
Size

544KB
MD5

96212af51809372d313ce7fb9d650ccd
SHA1

38a781f245fbc5d4d4962fe69afbf81b0ea1f212
SHA256

816ba0410d3765fad3ab66a6a1b9656e8c0c84a3387611f491be6ac7bad99ed1
SHA512

7b2c87d2e22ce284180fa50c9ff35580a1c96f940668452605dc05294ad1d013ff20c87a33b1f5ec63ce9ef011c993a09bf2212bb0bf3351de9bc8fcba8174a0

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1796-2-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1796-3-0x000000000044715E-mapping.dmp	family_agenttesla
behavioral1/memory/1796-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1796-5-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1432 set thread context of 1796	1432	SCAN#DHL-PDF1822.exe	27

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	SCAN#DHL-PDF1822.exe
Token: SeDebugPrivilege	1796	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1804	1432	SCAN#DHL-PDF1822.exe	26
PID 1432 wrote to memory of 1804	1432	SCAN#DHL-PDF1822.exe	26
PID 1432 wrote to memory of 1804	1432	SCAN#DHL-PDF1822.exe	26
PID 1432 wrote to memory of 1804	1432	SCAN#DHL-PDF1822.exe	26
PID 1432 wrote to memory of 1804	1432	SCAN#DHL-PDF1822.exe	26
PID 1432 wrote to memory of 1804	1432	SCAN#DHL-PDF1822.exe	26
PID 1432 wrote to memory of 1804	1432	SCAN#DHL-PDF1822.exe	26
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27
PID 1432 wrote to memory of 1796	1432	SCAN#DHL-PDF1822.exe	27

C:\Users\Admin\AppData\Local\Temp\SCAN#DHL-PDF1822.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN#DHL-PDF1822.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796

memory/1796-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1796-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1796-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download