agenttesla | 3baa78c22e5bd5e133c4c434344bb56389c5243fda9a6e97a716611f85871fa5

Analysis

max time kernel
244s
max time network
317s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 15:03

Target

file.exe
Size

793KB
MD5

93b60c04445b04883b154e9cfd45bc5e
SHA1

954271bef99a382fa30eb009bc93992042457f84
SHA256

3baa78c22e5bd5e133c4c434344bb56389c5243fda9a6e97a716611f85871fa5
SHA512

0b9efab4746b14bd7bad0b80f7ed340e306d820cf8cfa0afa04e4b8b15626e0768bf30f51dbedec0390af809d6c66df6a318a003eac99d056bd4b630e6b5403f
SSDEEP

6144:3T9xO8zztdIikXxz4WfN9oVn6neiiTKoEqc7f3ltHTvdAVgjsOS2j/rUa/v3S1NF:3hxh+1uIvltHbdAVSsOS2j/rL/v3eN

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 2104 set thread context of 3100 2104 file.exe Regsvcs.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

file.exeRegsvcs.exe

pid process

2104 file.exe
2104 file.exe
3100 Regsvcs.exe
3100 Regsvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

file.exeRegsvcs.exe

description pid process

Token: SeDebugPrivilege 2104 file.exe
Token: SeDebugPrivilege 3100 Regsvcs.exe

description	pid	process	target process
PID 2104 set thread context of 3100	2104	file.exe	Regsvcs.exe

description	pid	process
Token: SeDebugPrivilege	2104	file.exe
Token: SeDebugPrivilege	3100	Regsvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

file.exe

description	pid	process	target process
PID 2104 wrote to memory of 928	2104	file.exe	Regsvcs.exe
PID 2104 wrote to memory of 928	2104	file.exe	Regsvcs.exe
PID 2104 wrote to memory of 928	2104	file.exe	Regsvcs.exe
PID 2104 wrote to memory of 3100	2104	file.exe	Regsvcs.exe
PID 2104 wrote to memory of 3100	2104	file.exe	Regsvcs.exe
PID 2104 wrote to memory of 3100	2104	file.exe	Regsvcs.exe
PID 2104 wrote to memory of 3100	2104	file.exe	Regsvcs.exe
PID 2104 wrote to memory of 3100	2104	file.exe	Regsvcs.exe
PID 2104 wrote to memory of 3100	2104	file.exe	Regsvcs.exe
PID 2104 wrote to memory of 3100	2104	file.exe	Regsvcs.exe
PID 2104 wrote to memory of 3100	2104	file.exe	Regsvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"
2⤵
PID:928

memory/2104-132-0x0000023C72AC0000-0x0000023C72B8A000-memory.dmp

Filesize
808KB

Download
memory/2104-133-0x00007FF980CE0000-0x00007FF9817A1000-memory.dmp

Filesize
10.8MB

Download
memory/2104-134-0x00007FF980CE0000-0x00007FF9817A1000-memory.dmp

Filesize
10.8MB

Download
memory/2104-137-0x00007FF980CE0000-0x00007FF9817A1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3100-136-0x0000000000435BBE-mapping.dmp

Download
memory/3100-138-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/3100-139-0x0000000005490000-0x000000000552C000-memory.dmp

Filesize
624KB

Download
memory/3100-140-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download