agenttesla | c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198

General

Target

c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
Size

732KB
MD5

d247e23631ef6278121db80e8bc8c494
SHA1

173efb03f25d8153827047f710dbebd666ba6699
SHA256

c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198
SHA512

9407a2457ee0e8da07aec74b52d7320bfcef0828c3d81e41a082ed77585d4fb8f3566d0ecacf7034dd194271410f19afbbe022ba6fb068097e2b691dae8cfc81
SSDEEP

12288:q+okXGAy4MBZobkP2AqSLhO4dhIUNJ0dsFjQ/ThcYv2tasGHW:qIGAyjB2IP2Aq8hO4dKUNJXQrHutasoW

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.generalbravo.com
Port:
587
Username:
[email protected]
Password:
D^!Ers)9

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1480-61-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1480-62-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1480-64-0x00000000004374AE-mapping.dmp	family_agenttesla
behavioral1/memory/1480-63-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1480-66-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1480-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe

description	pid	process	target process
PID 1088 set thread context of 1480	1088	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe

pid	process
1480	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
1480	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe

description pid process

Token: SeDebugPrivilege 1480 c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe

description	pid	process
Token: SeDebugPrivilege	1480	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe

description	pid	process	target process
PID 1088 wrote to memory of 1480	1088	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
PID 1088 wrote to memory of 1480	1088	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
PID 1088 wrote to memory of 1480	1088	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
PID 1088 wrote to memory of 1480	1088	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
PID 1088 wrote to memory of 1480	1088	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
PID 1088 wrote to memory of 1480	1088	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
PID 1088 wrote to memory of 1480	1088	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
PID 1088 wrote to memory of 1480	1088	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
PID 1088 wrote to memory of 1480	1088	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe	c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe

C:\Users\Admin\AppData\Local\Temp\c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
"C:\Users\Admin\AppData\Local\Temp\c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\c2f11e94a50eab829124056d2f499528c287d7c3c24ec8d0797df2a1e20d5198.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-54-0x00000000013D0000-0x000000000148E000-memory.dmp

Filesize
760KB

Download
memory/1088-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1088-56-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/1088-57-0x0000000005FD0000-0x000000000606A000-memory.dmp

Filesize
616KB

Download
memory/1480-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-64-0x00000000004374AE-mapping.dmp

Download
memory/1480-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1480-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads