Overview

overview

10

Static

static

E-DEKONT.exe

windows7_x64

10

E-DEKONT.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E-DEKONT.exe

  • Size

    317KB

  • MD5

    dc7db0e231db40b8863328dfb87cfca0

  • SHA1

    efeed520e01ec8dcb0bdb9f966dc0734f92a1110

  • SHA256

    d4b61ea46e33b1a7223439e6e31106e92caaf96370ec9e0a53771d4ab121abdd

  • SHA512

    8231ade196b6e65c297d584260c2dc7c41f5a759e0bd3c23c486b002b2719f93afe379e109147718750e07ec25827cd2d31138789b89dfea9091880c96f43408

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe
    "C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe
      "C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe
        "C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1176
        • C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe
          "C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe
            "C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1972
            • C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe
              "C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1964
              • C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe
                "C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1796
                • C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe
                  "C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1752
                  • C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe
                    "C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1788
                    • C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe
                      "C:\Users\Admin\AppData\Local\Temp\E-DEKONT.exe"
                      10⤵
                        PID:1804

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/800-2-0x0000000076C21000-0x0000000076C23000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1176-5-0x0000000000000000-mapping.dmp
      Download
    • memory/1752-15-0x0000000000000000-mapping.dmp
      Download
    • memory/1788-17-0x0000000000000000-mapping.dmp
      Download
    • memory/1796-13-0x0000000000000000-mapping.dmp
      Download
    • memory/1804-19-0x0000000000000000-mapping.dmp
      Download
    • memory/1804-21-0x0000000000400000-0x000000000044D000-memory.dmp
      Filesize

      308KB

      Download
    • memory/1964-11-0x0000000000000000-mapping.dmp
      Download
    • memory/1972-9-0x0000000000000000-mapping.dmp
      Download
    • memory/1988-7-0x0000000000000000-mapping.dmp
      Download
    • memory/2028-3-0x0000000000000000-mapping.dmp
      Download