agenttesla | 49bc785cf04abebdb47fc3a0a15ea4d4185e19f83dcd1bda4e1d382a31e3742f

General

Target

JUST1F1CANTE.exe
Size

696KB
MD5

495d57b02cc54aa1b0c3c907891671ad
SHA1

d467d32c1df44c406b362314f88c2e83b31cbf99
SHA256

49bc785cf04abebdb47fc3a0a15ea4d4185e19f83dcd1bda4e1d382a31e3742f
SHA512

52c442b48b0a2148f7f9752a64ef9beefad0a4c3bf689a14a20af16619ee6841eb934274da2294297cc54b72eb700d04bd6d9ec3f8d12f69fa7ffb631d40d8a7

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/788-5-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/788-6-0x00000000004374CE-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

JUST1F1CANTE.exe

description pid process target process

PID 2008 set thread context of 788 2008 JUST1F1CANTE.exe JUST1F1CANTE.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

JUST1F1CANTE.exe

pid process

788 JUST1F1CANTE.exe
788 JUST1F1CANTE.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

JUST1F1CANTE.exe

description pid process

Token: SeDebugPrivilege 788 JUST1F1CANTE.exe

description	pid	process	target process
PID 2008 set thread context of 788	2008	JUST1F1CANTE.exe	JUST1F1CANTE.exe

pid	process
788	JUST1F1CANTE.exe
788	JUST1F1CANTE.exe

description	pid	process
Token: SeDebugPrivilege	788	JUST1F1CANTE.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

JUST1F1CANTE.exeJUST1F1CANTE.exe

description	pid	process	target process
PID 2008 wrote to memory of 788	2008	JUST1F1CANTE.exe	JUST1F1CANTE.exe
PID 2008 wrote to memory of 788	2008	JUST1F1CANTE.exe	JUST1F1CANTE.exe
PID 2008 wrote to memory of 788	2008	JUST1F1CANTE.exe	JUST1F1CANTE.exe
PID 2008 wrote to memory of 788	2008	JUST1F1CANTE.exe	JUST1F1CANTE.exe
PID 2008 wrote to memory of 788	2008	JUST1F1CANTE.exe	JUST1F1CANTE.exe
PID 2008 wrote to memory of 788	2008	JUST1F1CANTE.exe	JUST1F1CANTE.exe
PID 2008 wrote to memory of 788	2008	JUST1F1CANTE.exe	JUST1F1CANTE.exe
PID 2008 wrote to memory of 788	2008	JUST1F1CANTE.exe	JUST1F1CANTE.exe
PID 2008 wrote to memory of 788	2008	JUST1F1CANTE.exe	JUST1F1CANTE.exe
PID 788 wrote to memory of 412	788	JUST1F1CANTE.exe	dw20.exe
PID 788 wrote to memory of 412	788	JUST1F1CANTE.exe	dw20.exe
PID 788 wrote to memory of 412	788	JUST1F1CANTE.exe	dw20.exe
PID 788 wrote to memory of 412	788	JUST1F1CANTE.exe	dw20.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 520
3⤵
PID:412

memory/412-9-0x0000000000000000-mapping.dmp

Download
memory/412-10-0x0000000001EE0000-0x0000000001EF1000-memory.dmp

Filesize
68KB

Download
memory/412-12-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/788-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/788-6-0x00000000004374CE-mapping.dmp

Download
memory/788-8-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2008-2-0x0000000075EA1000-0x0000000075EA3000-memory.dmp

Filesize
8KB

Download
memory/2008-3-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2008-4-0x0000000000B51000-0x0000000000B52000-memory.dmp

Filesize
4KB

Download