agenttesla | ec3b903a30c68853b60ea2f08eeef7f140e0c9b8b0c8deee2bc504ca1c2a1a51

General

Target

PAYMENT SWIFT COPY MT103.exe
Size

819KB
MD5

c4496bf2025faf96c00b63c0b892876f
SHA1

8619a3a581203b3abd1437ab27c2bbde155cbefc
SHA256

ec3b903a30c68853b60ea2f08eeef7f140e0c9b8b0c8deee2bc504ca1c2a1a51
SHA512

4345c8c32c0b359397ca1b4b83c230e741ba1eef9cde3fa9030105aee96ea685f8e5a5ecebe2cc1c6d8b13a2668400e27bd7085d64cb4e30afc0fea64976ea3a

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/804-10-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/804-11-0x000000000043763E-mapping.dmp	family_agenttesla
behavioral1/memory/804-13-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT SWIFT COPY MT103.exe

description pid process target process

PID 1812 set thread context of 804 1812 PAYMENT SWIFT COPY MT103.exe PAYMENT SWIFT COPY MT103.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PAYMENT SWIFT COPY MT103.exePAYMENT SWIFT COPY MT103.exe

pid process

1812 PAYMENT SWIFT COPY MT103.exe
1812 PAYMENT SWIFT COPY MT103.exe
804 PAYMENT SWIFT COPY MT103.exe
804 PAYMENT SWIFT COPY MT103.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PAYMENT SWIFT COPY MT103.exePAYMENT SWIFT COPY MT103.exe

description pid process

Token: SeDebugPrivilege 1812 PAYMENT SWIFT COPY MT103.exe
Token: SeDebugPrivilege 804 PAYMENT SWIFT COPY MT103.exe

description	pid	process	target process
PID 1812 set thread context of 804	1812	PAYMENT SWIFT COPY MT103.exe	PAYMENT SWIFT COPY MT103.exe

description	pid	process
Token: SeDebugPrivilege	1812	PAYMENT SWIFT COPY MT103.exe
Token: SeDebugPrivilege	804	PAYMENT SWIFT COPY MT103.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PAYMENT SWIFT COPY MT103.exe

description	pid	process	target process
PID 1812 wrote to memory of 804	1812	PAYMENT SWIFT COPY MT103.exe	PAYMENT SWIFT COPY MT103.exe
PID 1812 wrote to memory of 804	1812	PAYMENT SWIFT COPY MT103.exe	PAYMENT SWIFT COPY MT103.exe
PID 1812 wrote to memory of 804	1812	PAYMENT SWIFT COPY MT103.exe	PAYMENT SWIFT COPY MT103.exe
PID 1812 wrote to memory of 804	1812	PAYMENT SWIFT COPY MT103.exe	PAYMENT SWIFT COPY MT103.exe
PID 1812 wrote to memory of 804	1812	PAYMENT SWIFT COPY MT103.exe	PAYMENT SWIFT COPY MT103.exe
PID 1812 wrote to memory of 804	1812	PAYMENT SWIFT COPY MT103.exe	PAYMENT SWIFT COPY MT103.exe
PID 1812 wrote to memory of 804	1812	PAYMENT SWIFT COPY MT103.exe	PAYMENT SWIFT COPY MT103.exe
PID 1812 wrote to memory of 804	1812	PAYMENT SWIFT COPY MT103.exe	PAYMENT SWIFT COPY MT103.exe
PID 1812 wrote to memory of 804	1812	PAYMENT SWIFT COPY MT103.exe	PAYMENT SWIFT COPY MT103.exe

memory/804-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/804-11-0x000000000043763E-mapping.dmp

Download
memory/804-12-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/804-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/804-15-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/1812-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1812-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1812-5-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1812-6-0x0000000000A00000-0x0000000000A04000-memory.dmp

Filesize
16KB

Download
memory/1812-7-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1812-8-0x0000000005CD0000-0x0000000005D85000-memory.dmp

Filesize
724KB

Download
memory/1812-9-0x00000000050E0000-0x000000000515D000-memory.dmp

Filesize
500KB

Download