agenttesla | 4179d8fb0428a4de8a32d90e394f34540e2003b397523a062e27ed37902dafa5 | Triage

Analysis

max time kernel
151s
max time network
91s
platform
windows7_x64
resource
win7v20201028
submitted
18-01-2021 18:26

Sharing

Report Analysis Logs

General

Target

RECEIPT.exe
Size

647KB
MD5

ef9873675db5ead478d4df49e58db6d5
SHA1

21420c8d117c1ab188949ccaf024d6ad3f226d5d
SHA256

4179d8fb0428a4de8a32d90e394f34540e2003b397523a062e27ed37902dafa5
SHA512

06b8a0a40e2acee58957a273d16f1ad678df85be94668c88e5a356f9d3763e9ae09a9a4d21d6791eb014ccbc04e7a8ecc0bb1d7516132d222776c2dd64768a47

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1720-9-0x0000000000400000-0x000000000044D000-memory.dmp	family_agenttesla

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

RECEIPT.exeRECEIPT.exeRECEIPT.exe

description	pid	process	target process
PID 1096 wrote to memory of 1128	1096	RECEIPT.exe	RECEIPT.exe
PID 1096 wrote to memory of 1128	1096	RECEIPT.exe	RECEIPT.exe
PID 1096 wrote to memory of 1128	1096	RECEIPT.exe	RECEIPT.exe
PID 1096 wrote to memory of 1128	1096	RECEIPT.exe	RECEIPT.exe
PID 1128 wrote to memory of 1724	1128	RECEIPT.exe	RECEIPT.exe
PID 1128 wrote to memory of 1724	1128	RECEIPT.exe	RECEIPT.exe
PID 1128 wrote to memory of 1724	1128	RECEIPT.exe	RECEIPT.exe
PID 1128 wrote to memory of 1724	1128	RECEIPT.exe	RECEIPT.exe
PID 1724 wrote to memory of 1720	1724	RECEIPT.exe	RECEIPT.exe
PID 1724 wrote to memory of 1720	1724	RECEIPT.exe	RECEIPT.exe
PID 1724 wrote to memory of 1720	1724	RECEIPT.exe	RECEIPT.exe
PID 1724 wrote to memory of 1720	1724	RECEIPT.exe	RECEIPT.exe

C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\RECEIPT.exe"
4⤵
PID:1720

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-2-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1128-3-0x0000000000000000-mapping.dmp

Download
memory/1720-7-0x0000000000000000-mapping.dmp

Download
memory/1720-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1724-5-0x0000000000000000-mapping.dmp

Download