agenttesla | c7e5612eca504249bfde7ecc7bcdb3bb2220e9f0599aa675b6acd939d29e47bb

Analysis

max time kernel
75s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-10-2022 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG-20220926-WA0000000008....exe
Size

882KB
MD5

a5e9194aebaee807a27b58dcc1a9b000
SHA1

94932b210e64a2349f6e824631dcc8298e719e09
SHA256

c7e5612eca504249bfde7ecc7bcdb3bb2220e9f0599aa675b6acd939d29e47bb
SHA512

a9df6bf6dc98d11d89b31d353a7dda6db76906940b2b181961a42fa5f57b1d560e297f4d737bb80f18b43e5d41e8017379ed9acfda4835a5fd80af9e0e945d2c
SSDEEP

12288:V7C+LVFcxr4tlKD9xK4oIl5j0Ne6Oz2NUMfyTiADqjJ5nu9H:BCWVF77WvXoIfoU6KMf7jrk

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.toala.com.mx
Port:
587
Username:
[email protected]
Password:
oceano2012
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1360-63-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1360-64-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1360-65-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1360-66-0x000000000043760E-mapping.dmp	family_agenttesla
behavioral1/memory/1360-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1360-70-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

IMG-20220926-WA0000000008....exe

description pid process target process

PID 1492 set thread context of 1360 1492 IMG-20220926-WA0000000008....exe IMG-20220926-WA0000000008....exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

IMG-20220926-WA0000000008....exe

pid process

1360 IMG-20220926-WA0000000008....exe
1360 IMG-20220926-WA0000000008....exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

IMG-20220926-WA0000000008....exe

description pid process

Token: SeDebugPrivilege 1360 IMG-20220926-WA0000000008....exe

description	pid	process	target process
PID 1492 set thread context of 1360	1492	IMG-20220926-WA0000000008....exe	IMG-20220926-WA0000000008....exe

pid	process
1360	IMG-20220926-WA0000000008....exe
1360	IMG-20220926-WA0000000008....exe

description	pid	process
Token: SeDebugPrivilege	1360	IMG-20220926-WA0000000008....exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

IMG-20220926-WA0000000008....exe

description	pid	process	target process
PID 1492 wrote to memory of 1360	1492	IMG-20220926-WA0000000008....exe	IMG-20220926-WA0000000008....exe
PID 1492 wrote to memory of 1360	1492	IMG-20220926-WA0000000008....exe	IMG-20220926-WA0000000008....exe
PID 1492 wrote to memory of 1360	1492	IMG-20220926-WA0000000008....exe	IMG-20220926-WA0000000008....exe
PID 1492 wrote to memory of 1360	1492	IMG-20220926-WA0000000008....exe	IMG-20220926-WA0000000008....exe
PID 1492 wrote to memory of 1360	1492	IMG-20220926-WA0000000008....exe	IMG-20220926-WA0000000008....exe
PID 1492 wrote to memory of 1360	1492	IMG-20220926-WA0000000008....exe	IMG-20220926-WA0000000008....exe
PID 1492 wrote to memory of 1360	1492	IMG-20220926-WA0000000008....exe	IMG-20220926-WA0000000008....exe
PID 1492 wrote to memory of 1360	1492	IMG-20220926-WA0000000008....exe	IMG-20220926-WA0000000008....exe
PID 1492 wrote to memory of 1360	1492	IMG-20220926-WA0000000008....exe	IMG-20220926-WA0000000008....exe

C:\Users\Admin\AppData\Local\Temp\IMG-20220926-WA0000000008....exe
"C:\Users\Admin\AppData\Local\Temp\IMG-20220926-WA0000000008....exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\IMG-20220926-WA0000000008....exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1360-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-66-0x000000000043760E-mapping.dmp

Download
memory/1360-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1492-54-0x00000000010C0000-0x00000000011A2000-memory.dmp

Filesize
904KB

Download
memory/1492-59-0x0000000000410000-0x000000000044C000-memory.dmp

Filesize
240KB

Download
memory/1492-58-0x0000000005D20000-0x0000000005DA6000-memory.dmp

Filesize
536KB

Download
memory/1492-57-0x0000000004E25000-0x0000000004E36000-memory.dmp

Filesize
68KB

Download
memory/1492-56-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/1492-71-0x0000000004E25000-0x0000000004E36000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads