agenttesla | afbcbab72994419c40210539eb0959b383a0ea11043e672d117f63721ceefd86

Analysis

max time kernel
81s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 08:03

Target

WRONG BANK DETAILS.exe
Size

472KB
MD5

8a286da3928ccde0c1f4d20a88f41b73
SHA1

153935397d81e3f398441ad7382284d2a15ed2e6
SHA256

2c93eddde0467abea46797a3f1df694c1f3f2b9ddd16cd60467fc00f08ad7ec7
SHA512

803589f0a0cc3c392c96fe5927eec2e7199adcc848f1f0b4dadd112cf2f567c49b035a4c71d31397b87e27b16850861fc587bcea57a6e69cdffbfec9a9f37fe9
SSDEEP

6144:QaOHuW0GgcRdBHMlU8LFhI8ZojU9Lu3fwpvj1iu2gAYwWhF6TEjvumnJw6lODNRF:QFufct8LFhbqq2Ogu2gAYh+gnJw6gr

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1984-61-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1984-60-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1984-62-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1984-63-0x0000000000436D3E-mapping.dmp	family_agenttesla
behavioral1/memory/1984-65-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1984-67-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

WRONG BANK DETAILS.exe

description pid process target process

PID 1756 set thread context of 1984 1756 WRONG BANK DETAILS.exe RegSvcs.exe

description	pid	process	target process
PID 1756 set thread context of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WRONG BANK DETAILS.exeRegSvcs.exe

description	pid	process	target process
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1756 wrote to memory of 1984	1756	WRONG BANK DETAILS.exe	RegSvcs.exe
PID 1984 wrote to memory of 1948	1984	RegSvcs.exe	dw20.exe
PID 1984 wrote to memory of 1948	1984	RegSvcs.exe	dw20.exe
PID 1984 wrote to memory of 1948	1984	RegSvcs.exe	dw20.exe
PID 1984 wrote to memory of 1948	1984	RegSvcs.exe	dw20.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 388
3⤵
PID:1948

memory/1756-54-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/1756-55-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-56-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-69-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-70-0x0000000000000000-mapping.dmp

Download
memory/1984-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-63-0x0000000000436D3E-mapping.dmp

Download
memory/1984-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-72-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-73-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download