agenttesla | 3584183ec5e40f74913b0c7a89c6e8d2256d51df3743a59f64bef89f5cdefa7e

General

Target

3611d9cefc06c8c111f2e6ffc961e529.exe
Size

1.1MB
MD5

3611d9cefc06c8c111f2e6ffc961e529
SHA1

dbf7420d6f21993ede19e6549a1c6f43541631ab
SHA256

3584183ec5e40f74913b0c7a89c6e8d2256d51df3743a59f64bef89f5cdefa7e
SHA512

714f0faa4d53dc71d40f2c91ffd5a3164b1a4ae4a2ee33643bee1de502523da3ced74e166a4dcf5b2504b66e9e96db73bdfb26c33b53c4d53ffbb026e6016ef7

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3648-125-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3648-126-0x000000000043764E-mapping.dmp	family_agenttesla
behavioral2/memory/3648-132-0x0000000004FE0000-0x00000000054DE000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

3611d9cefc06c8c111f2e6ffc961e529.exe

description pid process target process

PID 3912 set thread context of 3648 3912 3611d9cefc06c8c111f2e6ffc961e529.exe 3611d9cefc06c8c111f2e6ffc961e529.exe

description	pid	process	target process
PID 3912 set thread context of 3648	3912	3611d9cefc06c8c111f2e6ffc961e529.exe	3611d9cefc06c8c111f2e6ffc961e529.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

3611d9cefc06c8c111f2e6ffc961e529.exe3611d9cefc06c8c111f2e6ffc961e529.exe

pid	process
3912	3611d9cefc06c8c111f2e6ffc961e529.exe
3912	3611d9cefc06c8c111f2e6ffc961e529.exe
3912	3611d9cefc06c8c111f2e6ffc961e529.exe
3648	3611d9cefc06c8c111f2e6ffc961e529.exe
3648	3611d9cefc06c8c111f2e6ffc961e529.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3611d9cefc06c8c111f2e6ffc961e529.exe3611d9cefc06c8c111f2e6ffc961e529.exe

description pid process

Token: SeDebugPrivilege 3912 3611d9cefc06c8c111f2e6ffc961e529.exe
Token: SeDebugPrivilege 3648 3611d9cefc06c8c111f2e6ffc961e529.exe

description	pid	process
Token: SeDebugPrivilege	3912	3611d9cefc06c8c111f2e6ffc961e529.exe
Token: SeDebugPrivilege	3648	3611d9cefc06c8c111f2e6ffc961e529.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3611d9cefc06c8c111f2e6ffc961e529.exe

description	pid	process	target process
PID 3912 wrote to memory of 3648	3912	3611d9cefc06c8c111f2e6ffc961e529.exe	3611d9cefc06c8c111f2e6ffc961e529.exe
PID 3912 wrote to memory of 3648	3912	3611d9cefc06c8c111f2e6ffc961e529.exe	3611d9cefc06c8c111f2e6ffc961e529.exe
PID 3912 wrote to memory of 3648	3912	3611d9cefc06c8c111f2e6ffc961e529.exe	3611d9cefc06c8c111f2e6ffc961e529.exe
PID 3912 wrote to memory of 3648	3912	3611d9cefc06c8c111f2e6ffc961e529.exe	3611d9cefc06c8c111f2e6ffc961e529.exe
PID 3912 wrote to memory of 3648	3912	3611d9cefc06c8c111f2e6ffc961e529.exe	3611d9cefc06c8c111f2e6ffc961e529.exe
PID 3912 wrote to memory of 3648	3912	3611d9cefc06c8c111f2e6ffc961e529.exe	3611d9cefc06c8c111f2e6ffc961e529.exe
PID 3912 wrote to memory of 3648	3912	3611d9cefc06c8c111f2e6ffc961e529.exe	3611d9cefc06c8c111f2e6ffc961e529.exe
PID 3912 wrote to memory of 3648	3912	3611d9cefc06c8c111f2e6ffc961e529.exe	3611d9cefc06c8c111f2e6ffc961e529.exe

C:\Users\Admin\AppData\Local\Temp\3611d9cefc06c8c111f2e6ffc961e529.exe
"C:\Users\Admin\AppData\Local\Temp\3611d9cefc06c8c111f2e6ffc961e529.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\Temp\3611d9cefc06c8c111f2e6ffc961e529.exe
"C:\Users\Admin\AppData\Local\Temp\3611d9cefc06c8c111f2e6ffc961e529.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3648

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3611d9cefc06c8c111f2e6ffc961e529.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
memory/3648-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3648-134-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/3648-133-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/3648-132-0x0000000004FE0000-0x00000000054DE000-memory.dmp

Filesize
5.0MB

Download
memory/3648-126-0x000000000043764E-mapping.dmp

Download
memory/3912-119-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3912-122-0x0000000004BD0000-0x0000000004BD9000-memory.dmp

Filesize
36KB

Download
memory/3912-123-0x0000000000B00000-0x0000000000B78000-memory.dmp

Filesize
480KB

Download
memory/3912-124-0x0000000007D70000-0x0000000007DAC000-memory.dmp

Filesize
240KB

Download
memory/3912-121-0x0000000004B40000-0x000000000503E000-memory.dmp

Filesize
5.0MB

Download
memory/3912-120-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3912-114-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3912-118-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/3912-117-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3912-116-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads