agenttesla | 3da8fe1015271b37d118f7e35569efabc9565031c4b23e0f7e6cc5319ffb2087

General

Target

URGENT QUOTATION.exe
Size

508KB
MD5

dea8833080c88a64a95c32da75770f3f
SHA1

46634b02970ee3b2691c2c77cbd5b166e3c423ef
SHA256

3da8fe1015271b37d118f7e35569efabc9565031c4b23e0f7e6cc5319ffb2087
SHA512

bd0319161d8d509158505acf41116c4d5bb7223eac086e460d4f804102e17a9c94b2778469d06d72e78ae457b3898eda4e12752d642a874f619de855790cc326

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1044-2-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral1/memory/1044-3-0x000000000044A09E-mapping.dmp	family_agenttesla
behavioral1/memory/1044-4-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral1/memory/1044-5-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

URGENT QUOTATION.exe

description pid process target process

PID 1492 set thread context of 1044 1492 URGENT QUOTATION.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

URGENT QUOTATION.exeRegSvcs.exe

pid process

1492 URGENT QUOTATION.exe
1492 URGENT QUOTATION.exe
1492 URGENT QUOTATION.exe
1044 RegSvcs.exe
1044 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

URGENT QUOTATION.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1492 URGENT QUOTATION.exe
Token: SeDebugPrivilege 1044 RegSvcs.exe

description	pid	process	target process
PID 1492 set thread context of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1492	URGENT QUOTATION.exe
Token: SeDebugPrivilege	1044	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

URGENT QUOTATION.exe

description	pid	process	target process
PID 1492 wrote to memory of 324	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 324	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 324	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 324	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 324	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 324	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 324	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe
PID 1492 wrote to memory of 1044	1492	URGENT QUOTATION.exe	RegSvcs.exe

memory/1044-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1044-3-0x000000000044A09E-mapping.dmp

Download
memory/1044-4-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1044-5-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1492-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download