agenttesla | eeb031ac5970b9792deb66aab1245c7b2dc682d72942d43c335a849d75c224f3

General

Target

Shipping Invoice.exe
Size

853KB
MD5

2a6aa0a5026ba0cb75c6a6c475b58da4
SHA1

01f3140e506a6b11bf9bd52bd3c49a8883d60690
SHA256

5f4e2a1354cd895b7deccd1e0e702bff02eee8aee5a388f98526b6e203ea131b
SHA512

e1a6530ddc0b8bb436d0104dc0b6c08f58ac20d1fa6029e1c2fcca5ed1fbfc34a49368412a609237f6180f2f4edd404d91b482d70cef3c71d321fb5601de3988

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/744-115-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/744-116-0x00000000004374BE-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

Shipping Invoice.exe

description pid process target process

PID 1504 set thread context of 744 1504 Shipping Invoice.exe Shipping Invoice.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Shipping Invoice.exeShipping Invoice.exe

pid process

1504 Shipping Invoice.exe
1504 Shipping Invoice.exe
1504 Shipping Invoice.exe
744 Shipping Invoice.exe
744 Shipping Invoice.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Shipping Invoice.exeShipping Invoice.exe

description pid process

Token: SeDebugPrivilege 1504 Shipping Invoice.exe
Token: SeDebugPrivilege 744 Shipping Invoice.exe

description	pid	process	target process
PID 1504 set thread context of 744	1504	Shipping Invoice.exe	Shipping Invoice.exe

description	pid	process
Token: SeDebugPrivilege	1504	Shipping Invoice.exe
Token: SeDebugPrivilege	744	Shipping Invoice.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Shipping Invoice.exe

description	pid	process	target process
PID 1504 wrote to memory of 744	1504	Shipping Invoice.exe	Shipping Invoice.exe
PID 1504 wrote to memory of 744	1504	Shipping Invoice.exe	Shipping Invoice.exe
PID 1504 wrote to memory of 744	1504	Shipping Invoice.exe	Shipping Invoice.exe
PID 1504 wrote to memory of 744	1504	Shipping Invoice.exe	Shipping Invoice.exe
PID 1504 wrote to memory of 744	1504	Shipping Invoice.exe	Shipping Invoice.exe
PID 1504 wrote to memory of 744	1504	Shipping Invoice.exe	Shipping Invoice.exe
PID 1504 wrote to memory of 744	1504	Shipping Invoice.exe	Shipping Invoice.exe
PID 1504 wrote to memory of 744	1504	Shipping Invoice.exe	Shipping Invoice.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Shipping Invoice.exe.log
MD5
568e6f2b186c39075772d775e4189f57

SHA1
02f642cfdd1491b1ce69e81925ed336975e2f972

SHA256
d29bbfbb510acd8716133feeade8f914076963ccc38abb4b5a64a8d32bac44e4

SHA512
ef3b7f6d6b355c41ca9abb40d769622ea3f79787d8d2501ad5a135fa5cc78712175190386c8e05ee863a3bc046bc09eee22310555d31e4d57a4652f280283156

Download Submit
memory/744-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/744-116-0x00000000004374BE-mapping.dmp

Download
memory/744-118-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/744-119-0x0000000002941000-0x0000000002942000-memory.dmp

Filesize
4KB

Download
memory/1504-114-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download