agenttesla | 33a82cfa5ef0f113bfa98be28c2a3d8637423f8e22be91179ee36a907ef808ca

General

Target

AWB & Shipping Documents.exe
Size

880KB
MD5

7c4194af8b96aba768004cf02dc66ff2
SHA1

0316176e546e300c41ab967ed0b671aa843e5298
SHA256

33a82cfa5ef0f113bfa98be28c2a3d8637423f8e22be91179ee36a907ef808ca
SHA512

e2fd5179e9a86cf428ac2c1b2e02479be736e905c9a280c50989b0f7d76dd9966ec9a0284ac07cc5074d01dd9a455e6a5fff396123369b2f027c229cfc6f2c4f

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/456-67-0x000000000043761E-mapping.dmp	family_agenttesla
behavioral1/memory/456-66-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/456-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

AWB & Shipping Documents.exe

description pid process target process

PID 1056 set thread context of 456 1056 AWB & Shipping Documents.exe AWB & Shipping Documents.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

AWB & Shipping Documents.exeAWB & Shipping Documents.exe

pid process

1056 AWB & Shipping Documents.exe
456 AWB & Shipping Documents.exe
456 AWB & Shipping Documents.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AWB & Shipping Documents.exeAWB & Shipping Documents.exe

description pid process

Token: SeDebugPrivilege 1056 AWB & Shipping Documents.exe
Token: SeDebugPrivilege 456 AWB & Shipping Documents.exe

description	pid	process	target process
PID 1056 set thread context of 456	1056	AWB & Shipping Documents.exe	AWB & Shipping Documents.exe

description	pid	process
Token: SeDebugPrivilege	1056	AWB & Shipping Documents.exe
Token: SeDebugPrivilege	456	AWB & Shipping Documents.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

AWB & Shipping Documents.exe

description	pid	process	target process
PID 1056 wrote to memory of 456	1056	AWB & Shipping Documents.exe	AWB & Shipping Documents.exe
PID 1056 wrote to memory of 456	1056	AWB & Shipping Documents.exe	AWB & Shipping Documents.exe
PID 1056 wrote to memory of 456	1056	AWB & Shipping Documents.exe	AWB & Shipping Documents.exe
PID 1056 wrote to memory of 456	1056	AWB & Shipping Documents.exe	AWB & Shipping Documents.exe
PID 1056 wrote to memory of 456	1056	AWB & Shipping Documents.exe	AWB & Shipping Documents.exe
PID 1056 wrote to memory of 456	1056	AWB & Shipping Documents.exe	AWB & Shipping Documents.exe
PID 1056 wrote to memory of 456	1056	AWB & Shipping Documents.exe	AWB & Shipping Documents.exe
PID 1056 wrote to memory of 456	1056	AWB & Shipping Documents.exe	AWB & Shipping Documents.exe
PID 1056 wrote to memory of 456	1056	AWB & Shipping Documents.exe	AWB & Shipping Documents.exe

memory/456-67-0x000000000043761E-mapping.dmp

Download
memory/456-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/456-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/456-70-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1056-60-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/1056-62-0x0000000000210000-0x0000000000226000-memory.dmp

Filesize
88KB

Download
memory/1056-63-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/1056-64-0x0000000004F90000-0x0000000005005000-memory.dmp

Filesize
468KB

Download
memory/1056-65-0x00000000008F0000-0x0000000000940000-memory.dmp

Filesize
320KB

Download