agenttesla | 824d9e9082e27b16c7bff8e0c02321c69abde54bcbc160a17f68ad4eba21170f

General

Target

New order. December.exe
Size

971KB
MD5

42289a23f33d793b5213979021fe021f
SHA1

387ba991a7fbc49d8b5371bb410abac55dd82b2d
SHA256

824d9e9082e27b16c7bff8e0c02321c69abde54bcbc160a17f68ad4eba21170f
SHA512

3ee8761c8f07856f3daaa31b141450ddf28ee00a73053e6767a6ec28448b942364138e9ca02dcbd582e4c7fa29ad7f83a2dd29e4eb47cb049f24da77d9621a36

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1612-4-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1612-5-0x00000000004373EE-mapping.dmp	family_agenttesla
behavioral1/memory/1612-6-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1612-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

New order. December.exe

description pid process target process

PID 748 set thread context of 1612 748 New order. December.exe New order. December.exe
Drops file in Windows directory 1 IoCs

Processes:

New order. December.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new New order. December.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

New order. December.exe

pid process

1612 New order. December.exe
1612 New order. December.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

New order. December.exe

description pid process

Token: SeDebugPrivilege 1612 New order. December.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

New order. December.exe

pid process

1612 New order. December.exe

description	pid	process	target process
PID 748 set thread context of 1612	748	New order. December.exe	New order. December.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	New order. December.exe

pid	process
1612	New order. December.exe
1612	New order. December.exe

description	pid	process
Token: SeDebugPrivilege	1612	New order. December.exe

pid	process
1612	New order. December.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

New order. December.exe

description	pid	process	target process
PID 748 wrote to memory of 1612	748	New order. December.exe	New order. December.exe
PID 748 wrote to memory of 1612	748	New order. December.exe	New order. December.exe
PID 748 wrote to memory of 1612	748	New order. December.exe	New order. December.exe
PID 748 wrote to memory of 1612	748	New order. December.exe	New order. December.exe
PID 748 wrote to memory of 1612	748	New order. December.exe	New order. December.exe
PID 748 wrote to memory of 1612	748	New order. December.exe	New order. December.exe
PID 748 wrote to memory of 1612	748	New order. December.exe	New order. December.exe
PID 748 wrote to memory of 1612	748	New order. December.exe	New order. December.exe
PID 748 wrote to memory of 1612	748	New order. December.exe	New order. December.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
MD5
4fb607c4a561123249ee58454fbe84e2

SHA1
f7c662c932898baaeda898684b4a3005a50ff276

SHA256
187df610c0e5b9839894cd01c776c20e6cedc04f4aa2f8718bbb5513bb357f0c

SHA512
987eb0c4e212360e4706f605e78328a848c21b11e1c5e252a90aa77985a1b58c876a815ea4837e6dc14b4b99b0b9a0abc32aa8e464984b07c8c31dc9990785c1

Download Submit
memory/1612-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1612-5-0x00000000004373EE-mapping.dmp

Download
memory/1612-6-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1612-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download