agenttesla | d55ae0595505278bd448159dba33bde89baaec39a774d76c28cd7caf7eaf00bf

Analysis

Target

INWARD#2671SWIFT.html.exe
Size

379KB
MD5

135f83f86309a790fe91bc93c405caa4
SHA1

25956724f209adc49b5d61d352bc308c1bdca163
SHA256

ec7a0509c47b0fb580fe7f0ea4656c25bdcefeded8c0283fc550d97dcf6859ed
SHA512

48e41ffabf3c7b5394a5e16d5bb4dc4cb084483beef07489cf5484caa48f50741e33f6a9b3dbdbbceb584ea03c6c6366575246ef6404569fdb21ca65c324fc56

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1800-59-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral1/memory/1800-60-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral1/memory/1800-62-0x000000000044817E-mapping.dmp	family_agenttesla
behavioral1/memory/1800-61-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

INWARD#2671SWIFT.html.exe

description pid process target process

PID 1484 set thread context of 1800 1484 INWARD#2671SWIFT.html.exe INWARD#2671SWIFT.html.exe

description	pid	process	target process
PID 1484 set thread context of 1800	1484	INWARD#2671SWIFT.html.exe	INWARD#2671SWIFT.html.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

INWARD#2671SWIFT.html.exe

description	pid	process	target process
PID 1484 wrote to memory of 1800	1484	INWARD#2671SWIFT.html.exe	INWARD#2671SWIFT.html.exe
PID 1484 wrote to memory of 1800	1484	INWARD#2671SWIFT.html.exe	INWARD#2671SWIFT.html.exe
PID 1484 wrote to memory of 1800	1484	INWARD#2671SWIFT.html.exe	INWARD#2671SWIFT.html.exe
PID 1484 wrote to memory of 1800	1484	INWARD#2671SWIFT.html.exe	INWARD#2671SWIFT.html.exe
PID 1484 wrote to memory of 1800	1484	INWARD#2671SWIFT.html.exe	INWARD#2671SWIFT.html.exe
PID 1484 wrote to memory of 1800	1484	INWARD#2671SWIFT.html.exe	INWARD#2671SWIFT.html.exe
PID 1484 wrote to memory of 1800	1484	INWARD#2671SWIFT.html.exe	INWARD#2671SWIFT.html.exe
PID 1484 wrote to memory of 1800	1484	INWARD#2671SWIFT.html.exe	INWARD#2671SWIFT.html.exe
PID 1484 wrote to memory of 1800	1484	INWARD#2671SWIFT.html.exe	INWARD#2671SWIFT.html.exe

C:\Users\Admin\AppData\Local\Temp\INWARD#2671SWIFT.html.exe
"{path}"
2⤵
PID:1800

memory/1484-54-0x0000000076431000-0x0000000076433000-memory.dmp

Filesize
8KB

Download
memory/1484-55-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-56-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1800-57-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1800-59-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1800-60-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1800-62-0x000000000044817E-mapping.dmp

Download
memory/1800-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download