agenttesla | 94e4d23e3ede10365bdc9ebcf52fab0428c693b3c8d768d4090139d9607d3f95

General

Target

INVOICE.exe
Size

479KB
MD5

bedc66c12a9045e1d8e89fd47ccd4ebb
SHA1

43be31d907ec599edcd6c64b61a5d464c02a981b
SHA256

94e4d23e3ede10365bdc9ebcf52fab0428c693b3c8d768d4090139d9607d3f95
SHA512

c807e423c21ea4c7d507f3d8f7023acc1863490c6f984762fd146bf64ce2ba92f5df143d4762b91eace2f807029be023bbdd29553e2aa49eafaa4193f8e1e6b6

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/668-17-0x0000000000400000-0x000000000044D000-memory.dmp	family_agenttesla

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

INVOICE.exeINVOICE.exeINVOICE.exeINVOICE.exeINVOICE.exeINVOICE.exeINVOICE.exe

description	pid	process	target process
PID 1668 wrote to memory of 836	1668	INVOICE.exe	INVOICE.exe
PID 1668 wrote to memory of 836	1668	INVOICE.exe	INVOICE.exe
PID 1668 wrote to memory of 836	1668	INVOICE.exe	INVOICE.exe
PID 1668 wrote to memory of 836	1668	INVOICE.exe	INVOICE.exe
PID 836 wrote to memory of 1316	836	INVOICE.exe	INVOICE.exe
PID 836 wrote to memory of 1316	836	INVOICE.exe	INVOICE.exe
PID 836 wrote to memory of 1316	836	INVOICE.exe	INVOICE.exe
PID 836 wrote to memory of 1316	836	INVOICE.exe	INVOICE.exe
PID 1316 wrote to memory of 1376	1316	INVOICE.exe	INVOICE.exe
PID 1316 wrote to memory of 1376	1316	INVOICE.exe	INVOICE.exe
PID 1316 wrote to memory of 1376	1316	INVOICE.exe	INVOICE.exe
PID 1316 wrote to memory of 1376	1316	INVOICE.exe	INVOICE.exe
PID 1376 wrote to memory of 1992	1376	INVOICE.exe	INVOICE.exe
PID 1376 wrote to memory of 1992	1376	INVOICE.exe	INVOICE.exe
PID 1376 wrote to memory of 1992	1376	INVOICE.exe	INVOICE.exe
PID 1376 wrote to memory of 1992	1376	INVOICE.exe	INVOICE.exe
PID 1992 wrote to memory of 1984	1992	INVOICE.exe	INVOICE.exe
PID 1992 wrote to memory of 1984	1992	INVOICE.exe	INVOICE.exe
PID 1992 wrote to memory of 1984	1992	INVOICE.exe	INVOICE.exe
PID 1992 wrote to memory of 1984	1992	INVOICE.exe	INVOICE.exe
PID 1984 wrote to memory of 368	1984	INVOICE.exe	INVOICE.exe
PID 1984 wrote to memory of 368	1984	INVOICE.exe	INVOICE.exe
PID 1984 wrote to memory of 368	1984	INVOICE.exe	INVOICE.exe
PID 1984 wrote to memory of 368	1984	INVOICE.exe	INVOICE.exe
PID 368 wrote to memory of 668	368	INVOICE.exe	INVOICE.exe
PID 368 wrote to memory of 668	368	INVOICE.exe	INVOICE.exe
PID 368 wrote to memory of 668	368	INVOICE.exe	INVOICE.exe
PID 368 wrote to memory of 668	368	INVOICE.exe	INVOICE.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
8⤵
PID:668

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/368-13-0x0000000000000000-mapping.dmp

Download
memory/668-15-0x0000000000000000-mapping.dmp

Download
memory/668-17-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/836-3-0x0000000000000000-mapping.dmp

Download
memory/1316-5-0x0000000000000000-mapping.dmp

Download
memory/1376-7-0x0000000000000000-mapping.dmp

Download
memory/1668-2-0x0000000074B31000-0x0000000074B33000-memory.dmp

Filesize
8KB

Download
memory/1984-11-0x0000000000000000-mapping.dmp

Download
memory/1992-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads