agenttesla | 723b9b35a4589438b1f7b3aa1306762c1a8bbb40e58b721bdb26248cfe5b4817

General

Target

AWL DOCUMENTS.exe
Size

1.1MB
MD5

dc7c594729e403ce1d87f86e3a7b19cf
SHA1

067371590de6f458e54bb34640ee2ef68156cc4e
SHA256

723b9b35a4589438b1f7b3aa1306762c1a8bbb40e58b721bdb26248cfe5b4817
SHA512

42ed8d8cfbb190e908000ca7d65340bc412cf81db81e04105817b78aa2dc88bccd22de43b0e5f2b983433729b3bb2203224fe27b07832ef0b28d6cd4a6a3d504

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1288-66-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1288-67-0x00000000004365BE-mapping.dmp	family_agenttesla
behavioral1/memory/1288-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

AWL DOCUMENTS.exe

description pid process target process

PID 1636 set thread context of 1288 1636 AWL DOCUMENTS.exe AWL DOCUMENTS.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AWL DOCUMENTS.exe

pid process

1288 AWL DOCUMENTS.exe
1288 AWL DOCUMENTS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AWL DOCUMENTS.exe

description pid process

Token: SeDebugPrivilege 1288 AWL DOCUMENTS.exe

description	pid	process	target process
PID 1636 set thread context of 1288	1636	AWL DOCUMENTS.exe	AWL DOCUMENTS.exe

pid	process
1288	AWL DOCUMENTS.exe
1288	AWL DOCUMENTS.exe

description	pid	process
Token: SeDebugPrivilege	1288	AWL DOCUMENTS.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

AWL DOCUMENTS.exe

description	pid	process	target process
PID 1636 wrote to memory of 1288	1636	AWL DOCUMENTS.exe	AWL DOCUMENTS.exe
PID 1636 wrote to memory of 1288	1636	AWL DOCUMENTS.exe	AWL DOCUMENTS.exe
PID 1636 wrote to memory of 1288	1636	AWL DOCUMENTS.exe	AWL DOCUMENTS.exe
PID 1636 wrote to memory of 1288	1636	AWL DOCUMENTS.exe	AWL DOCUMENTS.exe
PID 1636 wrote to memory of 1288	1636	AWL DOCUMENTS.exe	AWL DOCUMENTS.exe
PID 1636 wrote to memory of 1288	1636	AWL DOCUMENTS.exe	AWL DOCUMENTS.exe
PID 1636 wrote to memory of 1288	1636	AWL DOCUMENTS.exe	AWL DOCUMENTS.exe
PID 1636 wrote to memory of 1288	1636	AWL DOCUMENTS.exe	AWL DOCUMENTS.exe
PID 1636 wrote to memory of 1288	1636	AWL DOCUMENTS.exe	AWL DOCUMENTS.exe

memory/1288-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1288-67-0x00000000004365BE-mapping.dmp

Download
memory/1288-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1288-70-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1636-60-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1636-62-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1636-63-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/1636-64-0x0000000007E70000-0x0000000007F20000-memory.dmp

Filesize
704KB

Download
memory/1636-65-0x0000000005C30000-0x0000000005CA2000-memory.dmp

Filesize
456KB

Download