agenttesla | 9ada932ad6919b4f21da2eb872e9af9ab1da22a818a13c57ae65b8679c6c7be1

Analysis

max time kernel
150s
max time network
91s
platform
windows7_x64
resource
win7v20201028
submitted
20-01-2021 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

760KB
MD5

c6d1125563f610850f5feb7bb4f04b05
SHA1

4854463499dcba55c6154e90ec74d3c8692760d9
SHA256

9ada932ad6919b4f21da2eb872e9af9ab1da22a818a13c57ae65b8679c6c7be1
SHA512

654ebe45eddfc5b34a65abe82745aef4c9a3bb9084ee8099640ccca96e2dd061421bd7beeb3569c6c6e08fa604174361660df41e6c9f5895b938de1c08b4ee17

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
barclays247.com
Port:
587
Username:
tombag@barclays247.com
Password:
Du_&#[]2y&k*

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/516-8-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/516-9-0x000000000043764E-mapping.dmp	family_agenttesla
behavioral1/memory/516-11-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 1368 set thread context of 516 1368 file.exe file.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

file.exe

pid process

516 file.exe
516 file.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 516 file.exe

description	pid	process	target process
PID 1368 set thread context of 516	1368	file.exe	file.exe

pid	process
516	file.exe
516	file.exe

description	pid	process
Token: SeDebugPrivilege	516	file.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

file.exe

description	pid	process	target process
PID 1368 wrote to memory of 516	1368	file.exe	file.exe
PID 1368 wrote to memory of 516	1368	file.exe	file.exe
PID 1368 wrote to memory of 516	1368	file.exe	file.exe
PID 1368 wrote to memory of 516	1368	file.exe	file.exe
PID 1368 wrote to memory of 516	1368	file.exe	file.exe
PID 1368 wrote to memory of 516	1368	file.exe	file.exe
PID 1368 wrote to memory of 516	1368	file.exe	file.exe
PID 1368 wrote to memory of 516	1368	file.exe	file.exe
PID 1368 wrote to memory of 516	1368	file.exe	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:516

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-9-0x000000000043764E-mapping.dmp

Download
memory/516-10-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/516-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-13-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1368-2-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1368-3-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1368-5-0x0000000000850000-0x0000000000873000-memory.dmp

Filesize
140KB

Download
memory/1368-6-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1368-7-0x0000000004B60000-0x0000000004BCF000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads