agenttesla | 2b7d52cff6d8153c70e007f4b88b38788b6205144cb65c60b76272dc838acc8b

General

Target

URGENT REQUEST.exe
Size

64KB
MD5

3031228682ee992a8c75b0b7e767b794
SHA1

c0beabc62747ee62fbb05eb35284cc382a9a25fe
SHA256

2b7d52cff6d8153c70e007f4b88b38788b6205144cb65c60b76272dc838acc8b
SHA512

4fbadca7a43b04946afab52fd39e7de1ce34677d93316ff1f471105331af29e9787979fd6a6c3be2e1d6be0253fbd2b67c6f5963b618ebdeec030a77e49254aa
SSDEEP

768:EkOyF9AKzI19Nn7cx4vn+vEqMtpYYkhN40LO6dusn04eF:xOe9AA49Nn7cxgMEqMt8N40ymuL3F

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

URGENT REQUEST.exe

description pid process target process

PID 1476 set thread context of 1820 1476 URGENT REQUEST.exe SetupUtility.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

652 1820 WerFault.exe SetupUtility.exe

description	pid	process	target process
PID 1476 set thread context of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe

pid	pid_target	process	target process
652	1820	WerFault.exe	SetupUtility.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

URGENT REQUEST.exe

pid	process
1476	URGENT REQUEST.exe
1476	URGENT REQUEST.exe
1476	URGENT REQUEST.exe
1476	URGENT REQUEST.exe
1476	URGENT REQUEST.exe
1476	URGENT REQUEST.exe
1476	URGENT REQUEST.exe
1476	URGENT REQUEST.exe
1476	URGENT REQUEST.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

URGENT REQUEST.exe

description pid process

Token: SeDebugPrivilege 1476 URGENT REQUEST.exe

description	pid	process
Token: SeDebugPrivilege	1476	URGENT REQUEST.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

URGENT REQUEST.exeSetupUtility.exe

description	pid	process	target process
PID 1476 wrote to memory of 1680	1476	URGENT REQUEST.exe	aspnet_compiler.exe
PID 1476 wrote to memory of 1680	1476	URGENT REQUEST.exe	aspnet_compiler.exe
PID 1476 wrote to memory of 1680	1476	URGENT REQUEST.exe	aspnet_compiler.exe
PID 1476 wrote to memory of 1764	1476	URGENT REQUEST.exe	CasPol.exe
PID 1476 wrote to memory of 1764	1476	URGENT REQUEST.exe	CasPol.exe
PID 1476 wrote to memory of 1764	1476	URGENT REQUEST.exe	CasPol.exe
PID 1476 wrote to memory of 952	1476	URGENT REQUEST.exe	aspnet_regsql.exe
PID 1476 wrote to memory of 952	1476	URGENT REQUEST.exe	aspnet_regsql.exe
PID 1476 wrote to memory of 952	1476	URGENT REQUEST.exe	aspnet_regsql.exe
PID 1476 wrote to memory of 968	1476	URGENT REQUEST.exe	dfsvc.exe
PID 1476 wrote to memory of 968	1476	URGENT REQUEST.exe	dfsvc.exe
PID 1476 wrote to memory of 968	1476	URGENT REQUEST.exe	dfsvc.exe
PID 1476 wrote to memory of 1660	1476	URGENT REQUEST.exe	aspnet_state.exe
PID 1476 wrote to memory of 1660	1476	URGENT REQUEST.exe	aspnet_state.exe
PID 1476 wrote to memory of 1660	1476	URGENT REQUEST.exe	aspnet_state.exe
PID 1476 wrote to memory of 1704	1476	URGENT REQUEST.exe	cvtres.exe
PID 1476 wrote to memory of 1704	1476	URGENT REQUEST.exe	cvtres.exe
PID 1476 wrote to memory of 1704	1476	URGENT REQUEST.exe	cvtres.exe
PID 1476 wrote to memory of 1984	1476	URGENT REQUEST.exe	regtlibv12.exe
PID 1476 wrote to memory of 1984	1476	URGENT REQUEST.exe	regtlibv12.exe
PID 1476 wrote to memory of 1984	1476	URGENT REQUEST.exe	regtlibv12.exe
PID 1476 wrote to memory of 984	1476	URGENT REQUEST.exe	WsatConfig.exe
PID 1476 wrote to memory of 984	1476	URGENT REQUEST.exe	WsatConfig.exe
PID 1476 wrote to memory of 984	1476	URGENT REQUEST.exe	WsatConfig.exe
PID 1476 wrote to memory of 1200	1476	URGENT REQUEST.exe	ComSvcConfig.exe
PID 1476 wrote to memory of 1200	1476	URGENT REQUEST.exe	ComSvcConfig.exe
PID 1476 wrote to memory of 1200	1476	URGENT REQUEST.exe	ComSvcConfig.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1476 wrote to memory of 1820	1476	URGENT REQUEST.exe	SetupUtility.exe
PID 1820 wrote to memory of 652	1820	SetupUtility.exe	WerFault.exe
PID 1820 wrote to memory of 652	1820	SetupUtility.exe	WerFault.exe
PID 1820 wrote to memory of 652	1820	SetupUtility.exe	WerFault.exe
PID 1820 wrote to memory of 652	1820	SetupUtility.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST.exe
"C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:1680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
2⤵
PID:1764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
2⤵
PID:952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:1660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:1704

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
2⤵
PID:1984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
2⤵
PID:984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:1200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 168
3⤵
- Program crash
PID:652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-59-0x0000000000000000-mapping.dmp

Download
memory/1476-54-0x00000000013E0000-0x00000000013F4000-memory.dmp

Filesize
80KB

Download
memory/1476-55-0x0000000000B80000-0x0000000000BEE000-memory.dmp

Filesize
440KB

Download
memory/1820-57-0x000000000042A62E-mapping.dmp

Download
memory/1820-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1820-58-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads