agenttesla | e49f212d6e5f137cf1394c1bce43b0d84c1a982b0a52e43d27d8cd45692764b7

General

Target

Payment slip.exe
Size

664KB
MD5

da1c1f2acf3ceaf318b88595c6fcd3e2
SHA1

c1b33299ce801bdf1ec02e5125dcb018a751c0e8
SHA256

e49f212d6e5f137cf1394c1bce43b0d84c1a982b0a52e43d27d8cd45692764b7
SHA512

21ba66ae3eb417f53a140a600dea660cdc6e951cac372a6993ebdde62ec61acecfa44589b9d9e4ecc61eefe87bb05c3fdee29e1dfec44ba45f39ea5a69b860c9

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/352-116-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/352-117-0x0000000000436D3E-mapping.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment slip.exe

description pid process target process

PID 2112 set thread context of 352 2112 Payment slip.exe Payment slip.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Payment slip.exedw20.exe

pid process

2112 Payment slip.exe
2112 Payment slip.exe
2112 Payment slip.exe
2112 Payment slip.exe
1020 dw20.exe
1020 dw20.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment slip.exedw20.exe

description pid process

Token: SeDebugPrivilege 2112 Payment slip.exe
Token: SeRestorePrivilege 1020 dw20.exe
Token: SeBackupPrivilege 1020 dw20.exe

description	pid	process	target process
PID 2112 set thread context of 352	2112	Payment slip.exe	Payment slip.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Payment slip.exePayment slip.exe

description	pid	process	target process
PID 2112 wrote to memory of 1864	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 1864	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 1864	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 748	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 748	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 748	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 352	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 352	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 352	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 352	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 352	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 352	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 352	2112	Payment slip.exe	Payment slip.exe
PID 2112 wrote to memory of 352	2112	Payment slip.exe	Payment slip.exe
PID 352 wrote to memory of 1020	352	Payment slip.exe	dw20.exe
PID 352 wrote to memory of 1020	352	Payment slip.exe	dw20.exe
PID 352 wrote to memory of 1020	352	Payment slip.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
2⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
2⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:352

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment slip.exe.log
MD5
ef140ef600b2463c9e7dbf064a104046

SHA1
c08fd1853877be95575ea2e860dd8cafef31f54c

SHA256
ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616

SHA512
bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c

Download Submit
memory/352-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/352-117-0x0000000000436D3E-mapping.dmp

Download
memory/352-120-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/1020-119-0x0000000000000000-mapping.dmp

Download
memory/2112-115-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download