agenttesla | 24e27b79291475c64e5f2a71833ac988a888e66c86d32ad5d5b20be3b7717604

Analysis

Target

RFQ.exe
Size

585KB
MD5

e3fc0a2977f6ace1e8dcc4d170613b6e
SHA1

0fd7d3e125ae5971855a1ba0e204ec5ae0f4829d
SHA256

24e27b79291475c64e5f2a71833ac988a888e66c86d32ad5d5b20be3b7717604
SHA512

1b19a53b46d5a7c2d2ac7c5c3595f775f78da42e5f8ca3babf1e71406c5d990447238aea61be66c28eff0bc620fc7a5858181e4e97b2f38e694cb7b27708bef2

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2288-117-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2288-118-0x00000000004375AE-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ.exe

description pid process target process

PID 2508 set thread context of 2288 2508 RFQ.exe RFQ.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dw20.exe

pid process

1184 dw20.exe
1184 dw20.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dw20.exe

description pid process

Token: SeRestorePrivilege 1184 dw20.exe
Token: SeBackupPrivilege 1184 dw20.exe

description	pid	process	target process
PID 2508 set thread context of 2288	2508	RFQ.exe	RFQ.exe

pid	process
1184	dw20.exe
1184	dw20.exe

description	pid	process
Token: SeRestorePrivilege	1184	dw20.exe
Token: SeBackupPrivilege	1184	dw20.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

RFQ.exeRFQ.exe

description	pid	process	target process
PID 2508 wrote to memory of 2288	2508	RFQ.exe	RFQ.exe
PID 2508 wrote to memory of 2288	2508	RFQ.exe	RFQ.exe
PID 2508 wrote to memory of 2288	2508	RFQ.exe	RFQ.exe
PID 2508 wrote to memory of 2288	2508	RFQ.exe	RFQ.exe
PID 2508 wrote to memory of 2288	2508	RFQ.exe	RFQ.exe
PID 2508 wrote to memory of 2288	2508	RFQ.exe	RFQ.exe
PID 2508 wrote to memory of 2288	2508	RFQ.exe	RFQ.exe
PID 2508 wrote to memory of 2288	2508	RFQ.exe	RFQ.exe
PID 2288 wrote to memory of 1184	2288	RFQ.exe	dw20.exe
PID 2288 wrote to memory of 1184	2288	RFQ.exe	dw20.exe
PID 2288 wrote to memory of 1184	2288	RFQ.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RFQ.exe.log
MD5
568e6f2b186c39075772d775e4189f57

SHA1
02f642cfdd1491b1ce69e81925ed336975e2f972

SHA256
d29bbfbb510acd8716133feeade8f914076963ccc38abb4b5a64a8d32bac44e4

SHA512
ef3b7f6d6b355c41ca9abb40d769622ea3f79787d8d2501ad5a135fa5cc78712175190386c8e05ee863a3bc046bc09eee22310555d31e4d57a4652f280283156

Download Submit
memory/1184-120-0x0000000000000000-mapping.dmp

Download
memory/2288-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2288-118-0x00000000004375AE-mapping.dmp

Download
memory/2288-121-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2508-115-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2508-116-0x0000000002812000-0x0000000002814000-memory.dmp

Filesize
8KB

Download