agenttesla | 0b98910cd666d6c596b28611acb69f06ba1fee9bcc8af37103772ee1db7dd167

General

Target

GSO-1367-27072020112017.exe
Size

611KB
MD5

2d04103bda6d755fd47c94d6773574c1
SHA1

41cc7cde2fff3f79a7124545e5a449bd42db4e14
SHA256

8f93c794e02fbd006a5a7d2f929042819d7d5666ccb976ff248eef4dc6d2591e
SHA512

feb803979827b575b40b73710164cb2be368cf5800e253b1260f1afbf0eaf21b6dcb95456b1857ef7d4101dd6917a43362427bfe43765b242659958048c10e8d

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
%kHFH^!4

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4432-138-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

GSO-1367-27072020112017.exe

description pid process target process

PID 1996 set thread context of 4432 1996 GSO-1367-27072020112017.exe GSO-1367-27072020112017.exe

description	pid	process	target process
PID 1996 set thread context of 4432	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

GSO-1367-27072020112017.exeGSO-1367-27072020112017.exe

pid	process
1996	GSO-1367-27072020112017.exe
1996	GSO-1367-27072020112017.exe
1996	GSO-1367-27072020112017.exe
1996	GSO-1367-27072020112017.exe
1996	GSO-1367-27072020112017.exe
1996	GSO-1367-27072020112017.exe
1996	GSO-1367-27072020112017.exe
1996	GSO-1367-27072020112017.exe
4432	GSO-1367-27072020112017.exe
4432	GSO-1367-27072020112017.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GSO-1367-27072020112017.exeGSO-1367-27072020112017.exe

description pid process

Token: SeDebugPrivilege 1996 GSO-1367-27072020112017.exe
Token: SeDebugPrivilege 4432 GSO-1367-27072020112017.exe

description	pid	process
Token: SeDebugPrivilege	1996	GSO-1367-27072020112017.exe
Token: SeDebugPrivilege	4432	GSO-1367-27072020112017.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

GSO-1367-27072020112017.exe

description	pid	process	target process
PID 1996 wrote to memory of 2576	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 2576	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 2576	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 3792	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 3792	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 3792	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 4432	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 4432	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 4432	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 4432	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 4432	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 4432	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 4432	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe
PID 1996 wrote to memory of 4432	1996	GSO-1367-27072020112017.exe	GSO-1367-27072020112017.exe

C:\Users\Admin\AppData\Local\Temp\GSO-1367-27072020112017.exe
"C:\Users\Admin\AppData\Local\Temp\GSO-1367-27072020112017.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\GSO-1367-27072020112017.exe
"{path}"
2⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\GSO-1367-27072020112017.exe
"{path}"
2⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\GSO-1367-27072020112017.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1996-130-0x00000000007C0000-0x000000000085E000-memory.dmp

Filesize
632KB

Download
memory/1996-131-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/1996-132-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/1996-133-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/1996-134-0x000000000E5E0000-0x000000000E67C000-memory.dmp

Filesize
624KB

Download
memory/2576-135-0x0000000000000000-mapping.dmp

Download
memory/3792-136-0x0000000000000000-mapping.dmp

Download
memory/4432-137-0x0000000000000000-mapping.dmp

Download
memory/4432-138-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4432-139-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads