agenttesla | 705eeb755944e5ed11114af1a6f01a2955214275fe2ba7c9d1f6b88f6412a8d4

Analysis

max time kernel
93s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2022 06:53

Target

THE NEW ORDER.exe
Size

461KB
MD5

7ab60b99e9c99846321476ba190cffc5
SHA1

c2241c79e46edaa60fdc4afdcbfecad8cf7b57d0
SHA256

705eeb755944e5ed11114af1a6f01a2955214275fe2ba7c9d1f6b88f6412a8d4
SHA512

0d1b77be0958c5dd27ffb1314788e7e0f0818129274f6cd655c353898072d01b6d81a14913c1b9239309f858975c78d32c9f449b85fced98f4759c040b043fa0
SSDEEP

12288:KLyLNm4mk8VV/nixU+x7T+tmPBkjtOceAk5MRVTYw:z0ZVVqnlT+tgBktOc6Cgw

Score

10^/10

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

THE NEW ORDER.exe

description pid process target process

PID 904 set thread context of 2892 904 THE NEW ORDER.exe CasPol.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4944 2892 WerFault.exe CasPol.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CasPol.exe

pid process

2892 CasPol.exe
2892 CasPol.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

THE NEW ORDER.exeCasPol.exe

description pid process

Token: SeDebugPrivilege 904 THE NEW ORDER.exe
Token: SeDebugPrivilege 2892 CasPol.exe

description	pid	process	target process
PID 904 set thread context of 2892	904	THE NEW ORDER.exe	CasPol.exe

pid	pid_target	process	target process
4944	2892	WerFault.exe	CasPol.exe

pid	process
2892	CasPol.exe
2892	CasPol.exe

description	pid	process
Token: SeDebugPrivilege	904	THE NEW ORDER.exe
Token: SeDebugPrivilege	2892	CasPol.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

THE NEW ORDER.exe

description	pid	process	target process
PID 904 wrote to memory of 2892	904	THE NEW ORDER.exe	CasPol.exe
PID 904 wrote to memory of 2892	904	THE NEW ORDER.exe	CasPol.exe
PID 904 wrote to memory of 2892	904	THE NEW ORDER.exe	CasPol.exe
PID 904 wrote to memory of 2892	904	THE NEW ORDER.exe	CasPol.exe
PID 904 wrote to memory of 2892	904	THE NEW ORDER.exe	CasPol.exe
PID 904 wrote to memory of 2892	904	THE NEW ORDER.exe	CasPol.exe
PID 904 wrote to memory of 2892	904	THE NEW ORDER.exe	CasPol.exe
PID 904 wrote to memory of 2892	904	THE NEW ORDER.exe	CasPol.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2892 -ip 2892
1⤵
PID:1404

memory/904-132-0x000001790B680000-0x000001790B6F8000-memory.dmp

Filesize
480KB

Download
memory/904-133-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/904-134-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/904-137-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/2892-136-0x00000000004325CE-mapping.dmp

Download
memory/2892-135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2892-138-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/2892-139-0x00000000056D0000-0x000000000576C000-memory.dmp

Filesize
624KB

Download