agenttesla | 9056ce7204055bf8c63576ada609f9c1a226c1042bd8a976611ee742abd29117

Analysis

max time kernel
147s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 11:04

Target

896f0504815376a58575d3c4cba7292e.exe
Size

896KB
MD5

896f0504815376a58575d3c4cba7292e
SHA1

49262a18d97a0a08b7caeede0ebc17b6cce944a8
SHA256

9056ce7204055bf8c63576ada609f9c1a226c1042bd8a976611ee742abd29117
SHA512

ac0dd486d125cbd163029183071c9108c5c5dd617e8070691293918bad79396f7024fb8ae4c7205f9fce15b1fd0c6e6af85f161d99afac5d35051dd297802537
SSDEEP

12288:sR/4veq4AqH6zZn5Mnd4lhu3V6UEmSH7klA5XN0L2J59zRXoYWLz61biBEuukjME:O4veaqH6V5GSl6w7D5XNzLkzCi/njM

Score

10^/10

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1284 set thread context of 756	1284	896f0504815376a58575d3c4cba7292e.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
756	896f0504815376a58575d3c4cba7292e.exe
756	896f0504815376a58575d3c4cba7292e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	896f0504815376a58575d3c4cba7292e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 756	1284	896f0504815376a58575d3c4cba7292e.exe	27
PID 1284 wrote to memory of 756	1284	896f0504815376a58575d3c4cba7292e.exe	27
PID 1284 wrote to memory of 756	1284	896f0504815376a58575d3c4cba7292e.exe	27
PID 1284 wrote to memory of 756	1284	896f0504815376a58575d3c4cba7292e.exe	27
PID 1284 wrote to memory of 756	1284	896f0504815376a58575d3c4cba7292e.exe	27
PID 1284 wrote to memory of 756	1284	896f0504815376a58575d3c4cba7292e.exe	27
PID 1284 wrote to memory of 756	1284	896f0504815376a58575d3c4cba7292e.exe	27
PID 1284 wrote to memory of 756	1284	896f0504815376a58575d3c4cba7292e.exe	27
PID 1284 wrote to memory of 756	1284	896f0504815376a58575d3c4cba7292e.exe	27

memory/756-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/756-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/756-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/756-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/756-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/756-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/756-66-0x0000000000435A2E-mapping.dmp

Download
memory/756-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1284-55-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1284-54-0x0000000000DF0000-0x0000000000ED6000-memory.dmp

Filesize
920KB

Download
memory/1284-59-0x00000000008D0000-0x000000000090A000-memory.dmp

Filesize
232KB

Download
memory/1284-58-0x00000000057A0000-0x0000000005834000-memory.dmp

Filesize
592KB

Download
memory/1284-57-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/1284-56-0x0000000000480000-0x000000000049C000-memory.dmp

Filesize
112KB

Download