agenttesla | e49f212d6e5f137cf1394c1bce43b0d84c1a982b0a52e43d27d8cd45692764b7

General

Target

Payment slip.exe
Size

664KB
MD5

da1c1f2acf3ceaf318b88595c6fcd3e2
SHA1

c1b33299ce801bdf1ec02e5125dcb018a751c0e8
SHA256

e49f212d6e5f137cf1394c1bce43b0d84c1a982b0a52e43d27d8cd45692764b7
SHA512

21ba66ae3eb417f53a140a600dea660cdc6e951cac372a6993ebdde62ec61acecfa44589b9d9e4ecc61eefe87bb05c3fdee29e1dfec44ba45f39ea5a69b860c9

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1528-59-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1528-60-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1528-61-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1528-62-0x0000000000436D3E-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment slip.exe

description pid process target process

PID 852 set thread context of 1528 852 Payment slip.exe Payment slip.exe

description	pid	process	target process
PID 852 set thread context of 1528	852	Payment slip.exe	Payment slip.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Payment slip.exePayment slip.exe

description	pid	process	target process
PID 852 wrote to memory of 1528	852	Payment slip.exe	Payment slip.exe
PID 852 wrote to memory of 1528	852	Payment slip.exe	Payment slip.exe
PID 852 wrote to memory of 1528	852	Payment slip.exe	Payment slip.exe
PID 852 wrote to memory of 1528	852	Payment slip.exe	Payment slip.exe
PID 852 wrote to memory of 1528	852	Payment slip.exe	Payment slip.exe
PID 852 wrote to memory of 1528	852	Payment slip.exe	Payment slip.exe
PID 852 wrote to memory of 1528	852	Payment slip.exe	Payment slip.exe
PID 852 wrote to memory of 1528	852	Payment slip.exe	Payment slip.exe
PID 852 wrote to memory of 1528	852	Payment slip.exe	Payment slip.exe
PID 1528 wrote to memory of 1372	1528	Payment slip.exe	dw20.exe
PID 1528 wrote to memory of 1372	1528	Payment slip.exe	dw20.exe
PID 1528 wrote to memory of 1372	1528	Payment slip.exe	dw20.exe
PID 1528 wrote to memory of 1372	1528	Payment slip.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 396
3⤵
PID:1372

memory/852-54-0x0000000075331000-0x0000000075333000-memory.dmp

Filesize
8KB

Download
memory/852-55-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/852-56-0x00000000001B1000-0x00000000001B2000-memory.dmp

Filesize
4KB

Download
memory/1372-64-0x0000000000000000-mapping.dmp

Download
memory/1372-67-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1528-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1528-62-0x0000000000436D3E-mapping.dmp

Download
memory/1528-66-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download