agenttesla | 93a14ff6939402cf7f901e957af60c6cde36fc18c0e3b20493c12c5177d04523

General

Target

DHL DOCS.exe
Size

317KB
MD5

6e4118c7371981515f696082234c7915
SHA1

bf560e28cd6d9f5854b3e334d82db9d80815560c
SHA256

93a14ff6939402cf7f901e957af60c6cde36fc18c0e3b20493c12c5177d04523
SHA512

53079ee352d7411fa4311d8465a871cb062642163b42dc8bbc1ccb662068f94b3c4e5dfcfa8533ce104783d174ddb3f3a85276e4c367c627fb072370f4f60a0e

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1068-37-0x0000000000400000-0x000000000044D000-memory.dmp	family_agenttesla

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exeDHL DOCS.exe

description	pid	process	target process
PID 1924 wrote to memory of 1992	1924	DHL DOCS.exe	DHL DOCS.exe
PID 1924 wrote to memory of 1992	1924	DHL DOCS.exe	DHL DOCS.exe
PID 1924 wrote to memory of 1992	1924	DHL DOCS.exe	DHL DOCS.exe
PID 1924 wrote to memory of 1992	1924	DHL DOCS.exe	DHL DOCS.exe
PID 1992 wrote to memory of 1984	1992	DHL DOCS.exe	DHL DOCS.exe
PID 1992 wrote to memory of 1984	1992	DHL DOCS.exe	DHL DOCS.exe
PID 1992 wrote to memory of 1984	1992	DHL DOCS.exe	DHL DOCS.exe
PID 1992 wrote to memory of 1984	1992	DHL DOCS.exe	DHL DOCS.exe
PID 1984 wrote to memory of 1548	1984	DHL DOCS.exe	DHL DOCS.exe
PID 1984 wrote to memory of 1548	1984	DHL DOCS.exe	DHL DOCS.exe
PID 1984 wrote to memory of 1548	1984	DHL DOCS.exe	DHL DOCS.exe
PID 1984 wrote to memory of 1548	1984	DHL DOCS.exe	DHL DOCS.exe
PID 1548 wrote to memory of 1612	1548	DHL DOCS.exe	DHL DOCS.exe
PID 1548 wrote to memory of 1612	1548	DHL DOCS.exe	DHL DOCS.exe
PID 1548 wrote to memory of 1612	1548	DHL DOCS.exe	DHL DOCS.exe
PID 1548 wrote to memory of 1612	1548	DHL DOCS.exe	DHL DOCS.exe
PID 1612 wrote to memory of 1728	1612	DHL DOCS.exe	DHL DOCS.exe
PID 1612 wrote to memory of 1728	1612	DHL DOCS.exe	DHL DOCS.exe
PID 1612 wrote to memory of 1728	1612	DHL DOCS.exe	DHL DOCS.exe
PID 1612 wrote to memory of 1728	1612	DHL DOCS.exe	DHL DOCS.exe
PID 1728 wrote to memory of 1752	1728	DHL DOCS.exe	DHL DOCS.exe
PID 1728 wrote to memory of 1752	1728	DHL DOCS.exe	DHL DOCS.exe
PID 1728 wrote to memory of 1752	1728	DHL DOCS.exe	DHL DOCS.exe
PID 1728 wrote to memory of 1752	1728	DHL DOCS.exe	DHL DOCS.exe
PID 1752 wrote to memory of 1772	1752	DHL DOCS.exe	DHL DOCS.exe
PID 1752 wrote to memory of 1772	1752	DHL DOCS.exe	DHL DOCS.exe
PID 1752 wrote to memory of 1772	1752	DHL DOCS.exe	DHL DOCS.exe
PID 1752 wrote to memory of 1772	1752	DHL DOCS.exe	DHL DOCS.exe
PID 1772 wrote to memory of 1720	1772	DHL DOCS.exe	DHL DOCS.exe
PID 1772 wrote to memory of 1720	1772	DHL DOCS.exe	DHL DOCS.exe
PID 1772 wrote to memory of 1720	1772	DHL DOCS.exe	DHL DOCS.exe
PID 1772 wrote to memory of 1720	1772	DHL DOCS.exe	DHL DOCS.exe
PID 1720 wrote to memory of 1768	1720	DHL DOCS.exe	DHL DOCS.exe
PID 1720 wrote to memory of 1768	1720	DHL DOCS.exe	DHL DOCS.exe
PID 1720 wrote to memory of 1768	1720	DHL DOCS.exe	DHL DOCS.exe
PID 1720 wrote to memory of 1768	1720	DHL DOCS.exe	DHL DOCS.exe
PID 1768 wrote to memory of 1636	1768	DHL DOCS.exe	DHL DOCS.exe
PID 1768 wrote to memory of 1636	1768	DHL DOCS.exe	DHL DOCS.exe
PID 1768 wrote to memory of 1636	1768	DHL DOCS.exe	DHL DOCS.exe
PID 1768 wrote to memory of 1636	1768	DHL DOCS.exe	DHL DOCS.exe
PID 1636 wrote to memory of 316	1636	DHL DOCS.exe	DHL DOCS.exe
PID 1636 wrote to memory of 316	1636	DHL DOCS.exe	DHL DOCS.exe
PID 1636 wrote to memory of 316	1636	DHL DOCS.exe	DHL DOCS.exe
PID 1636 wrote to memory of 316	1636	DHL DOCS.exe	DHL DOCS.exe
PID 316 wrote to memory of 300	316	DHL DOCS.exe	DHL DOCS.exe
PID 316 wrote to memory of 300	316	DHL DOCS.exe	DHL DOCS.exe
PID 316 wrote to memory of 300	316	DHL DOCS.exe	DHL DOCS.exe
PID 316 wrote to memory of 300	316	DHL DOCS.exe	DHL DOCS.exe
PID 300 wrote to memory of 324	300	DHL DOCS.exe	DHL DOCS.exe
PID 300 wrote to memory of 324	300	DHL DOCS.exe	DHL DOCS.exe
PID 300 wrote to memory of 324	300	DHL DOCS.exe	DHL DOCS.exe
PID 300 wrote to memory of 324	300	DHL DOCS.exe	DHL DOCS.exe
PID 324 wrote to memory of 1760	324	DHL DOCS.exe	DHL DOCS.exe
PID 324 wrote to memory of 1760	324	DHL DOCS.exe	DHL DOCS.exe
PID 324 wrote to memory of 1760	324	DHL DOCS.exe	DHL DOCS.exe
PID 324 wrote to memory of 1760	324	DHL DOCS.exe	DHL DOCS.exe
PID 1760 wrote to memory of 1700	1760	DHL DOCS.exe	DHL DOCS.exe
PID 1760 wrote to memory of 1700	1760	DHL DOCS.exe	DHL DOCS.exe
PID 1760 wrote to memory of 1700	1760	DHL DOCS.exe	DHL DOCS.exe
PID 1760 wrote to memory of 1700	1760	DHL DOCS.exe	DHL DOCS.exe
PID 1700 wrote to memory of 1664	1700	DHL DOCS.exe	DHL DOCS.exe
PID 1700 wrote to memory of 1664	1700	DHL DOCS.exe	DHL DOCS.exe
PID 1700 wrote to memory of 1664	1700	DHL DOCS.exe	DHL DOCS.exe
PID 1700 wrote to memory of 1664	1700	DHL DOCS.exe	DHL DOCS.exe

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
8⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
9⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
10⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
11⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
12⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
13⤵
- Suspicious use of WriteProcessMemory
PID:300

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
14⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
15⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
16⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
17⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL DOCS.exe"
18⤵
PID:1068

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/300-25-0x0000000000000000-mapping.dmp

Download
memory/316-23-0x0000000000000000-mapping.dmp

Download
memory/324-27-0x0000000000000000-mapping.dmp

Download
memory/1068-37-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1068-35-0x0000000000000000-mapping.dmp

Download
memory/1548-7-0x0000000000000000-mapping.dmp

Download
memory/1612-9-0x0000000000000000-mapping.dmp

Download
memory/1636-21-0x0000000000000000-mapping.dmp

Download
memory/1664-33-0x0000000000000000-mapping.dmp

Download
memory/1700-31-0x0000000000000000-mapping.dmp

Download
memory/1720-17-0x0000000000000000-mapping.dmp

Download
memory/1728-11-0x0000000000000000-mapping.dmp

Download
memory/1752-13-0x0000000000000000-mapping.dmp

Download
memory/1760-29-0x0000000000000000-mapping.dmp

Download
memory/1768-19-0x0000000000000000-mapping.dmp

Download
memory/1772-15-0x0000000000000000-mapping.dmp

Download
memory/1924-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1984-5-0x0000000000000000-mapping.dmp

Download
memory/1992-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing