agenttesla | 2ccaa6433590b5f135f49de557167dd9bae9e2a80f5550a6379da77e336a0296

General

Target

10f4301b2a3ae07b38c8153179a42e10.exe
Size

507KB
MD5

10f4301b2a3ae07b38c8153179a42e10
SHA1

660432ba5598a91b4123a8296c5801dc21aaaf91
SHA256

2ccaa6433590b5f135f49de557167dd9bae9e2a80f5550a6379da77e336a0296
SHA512

93fef9ac5e4d241db79a917e1e9115b9f50195028cd6e344816092aa6aadeb0b5f3ee48ab4b6af590f156c9c884efa879aa343a84b5bff00446a0247c93dd785

Score

10^/10

Family

agenttesla

C2

https://api.telegram.org/bot1846829589:AAHSsEDTKvDOQ17YrNRY5_FXv5z4mpfGRIc/sendDocument

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/764-70-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/764-71-0x000000000043774E-mapping.dmp	family_agenttesla
behavioral1/memory/764-72-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

10f4301b2a3ae07b38c8153179a42e10.exe

description pid process target process

PID 592 set thread context of 764 592 10f4301b2a3ae07b38c8153179a42e10.exe 10f4301b2a3ae07b38c8153179a42e10.exe

description	pid	process	target process
PID 592 set thread context of 764	592	10f4301b2a3ae07b38c8153179a42e10.exe	10f4301b2a3ae07b38c8153179a42e10.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

10f4301b2a3ae07b38c8153179a42e10.exe10f4301b2a3ae07b38c8153179a42e10.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

10f4301b2a3ae07b38c8153179a42e10.exe10f4301b2a3ae07b38c8153179a42e10.exe

description pid process

Token: SeDebugPrivilege 592 10f4301b2a3ae07b38c8153179a42e10.exe
Token: SeDebugPrivilege 764 10f4301b2a3ae07b38c8153179a42e10.exe

description	pid	process
Token: SeDebugPrivilege	592	10f4301b2a3ae07b38c8153179a42e10.exe
Token: SeDebugPrivilege	764	10f4301b2a3ae07b38c8153179a42e10.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

10f4301b2a3ae07b38c8153179a42e10.exe

description	pid	process	target process
PID 592 wrote to memory of 764	592	10f4301b2a3ae07b38c8153179a42e10.exe	10f4301b2a3ae07b38c8153179a42e10.exe
PID 592 wrote to memory of 764	592	10f4301b2a3ae07b38c8153179a42e10.exe	10f4301b2a3ae07b38c8153179a42e10.exe
PID 592 wrote to memory of 764	592	10f4301b2a3ae07b38c8153179a42e10.exe	10f4301b2a3ae07b38c8153179a42e10.exe
PID 592 wrote to memory of 764	592	10f4301b2a3ae07b38c8153179a42e10.exe	10f4301b2a3ae07b38c8153179a42e10.exe
PID 592 wrote to memory of 764	592	10f4301b2a3ae07b38c8153179a42e10.exe	10f4301b2a3ae07b38c8153179a42e10.exe
PID 592 wrote to memory of 764	592	10f4301b2a3ae07b38c8153179a42e10.exe	10f4301b2a3ae07b38c8153179a42e10.exe
PID 592 wrote to memory of 764	592	10f4301b2a3ae07b38c8153179a42e10.exe	10f4301b2a3ae07b38c8153179a42e10.exe
PID 592 wrote to memory of 764	592	10f4301b2a3ae07b38c8153179a42e10.exe	10f4301b2a3ae07b38c8153179a42e10.exe
PID 592 wrote to memory of 764	592	10f4301b2a3ae07b38c8153179a42e10.exe	10f4301b2a3ae07b38c8153179a42e10.exe

memory/592-60-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/592-62-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/592-63-0x00000000006C0000-0x0000000000717000-memory.dmp

Filesize
348KB

Download
memory/592-68-0x00000000059B0000-0x0000000005A22000-memory.dmp

Filesize
456KB

Download
memory/592-69-0x0000000004CC5000-0x0000000004CD6000-memory.dmp

Filesize
68KB

Download
memory/764-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/764-71-0x000000000043774E-mapping.dmp

Download
memory/764-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/764-74-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download