agenttesla | 9621554c8727d49421880fb2870af9ba1073cfc93340a3b67a9aafa4ccac401e

General

Target

DHL DOCUMENTS.exe
Size

747KB
MD5

d6e6a2b12de21b77970256e539a11b20
SHA1

bc2d1fd49e6c8f39be63e8f9aea10faee4fa9804
SHA256

9621554c8727d49421880fb2870af9ba1073cfc93340a3b67a9aafa4ccac401e
SHA512

5459cebf51e4603d4b3395c08a02c03b96a237e11f748c7b4116f16304413f41cee79a287089edab6150bf1cd00b666ca8dd1cf0a98c326bc25df0262904ac84

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/520-58-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/520-59-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/520-61-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/520-62-0x000000000043751E-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL DOCUMENTS.exe

description pid process target process

PID 1148 set thread context of 520 1148 DHL DOCUMENTS.exe DHL DOCUMENTS.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DHL DOCUMENTS.exe

pid process

520 DHL DOCUMENTS.exe
520 DHL DOCUMENTS.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

1472 dw20.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DHL DOCUMENTS.exe

description pid process

Token: SeDebugPrivilege 520 DHL DOCUMENTS.exe

description	pid	process	target process
PID 1148 set thread context of 520	1148	DHL DOCUMENTS.exe	DHL DOCUMENTS.exe

pid	process
520	DHL DOCUMENTS.exe
520	DHL DOCUMENTS.exe

pid	process
1472	dw20.exe

description	pid	process
Token: SeDebugPrivilege	520	DHL DOCUMENTS.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

DHL DOCUMENTS.exeDHL DOCUMENTS.exe

description	pid	process	target process
PID 1148 wrote to memory of 520	1148	DHL DOCUMENTS.exe	DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520	1148	DHL DOCUMENTS.exe	DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520	1148	DHL DOCUMENTS.exe	DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520	1148	DHL DOCUMENTS.exe	DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520	1148	DHL DOCUMENTS.exe	DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520	1148	DHL DOCUMENTS.exe	DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520	1148	DHL DOCUMENTS.exe	DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520	1148	DHL DOCUMENTS.exe	DHL DOCUMENTS.exe
PID 1148 wrote to memory of 520	1148	DHL DOCUMENTS.exe	DHL DOCUMENTS.exe
PID 520 wrote to memory of 1472	520	DHL DOCUMENTS.exe	dw20.exe
PID 520 wrote to memory of 1472	520	DHL DOCUMENTS.exe	dw20.exe
PID 520 wrote to memory of 1472	520	DHL DOCUMENTS.exe	dw20.exe
PID 520 wrote to memory of 1472	520	DHL DOCUMENTS.exe	dw20.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 520
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1472

memory/520-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/520-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/520-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/520-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/520-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/520-62-0x000000000043751E-mapping.dmp

Download
memory/520-64-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/1148-54-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1148-55-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1148-60-0x00000000020D1000-0x00000000020D2000-memory.dmp

Filesize
4KB

Download
memory/1472-65-0x0000000000000000-mapping.dmp

Download
memory/1472-67-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download