agenttesla | 309dd7ed63e9360abcb589290adda980a24e8a327d0090c6c839e306bada6558

Analysis

max time kernel
211s
max time network
285s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2023, 08:25

Target

Debit Note.exe
Size

685KB
MD5

1a431097afb48954b94defec865d84f5
SHA1

eaafb2d6af27cec988ac6829ff528066771fe736
SHA256

309dd7ed63e9360abcb589290adda980a24e8a327d0090c6c839e306bada6558
SHA512

32685dec6fea0e2c149cfa4ce2828f0a461468fffb4c19ab709fa9e1fc2a5baf3d0812fb55805895a464dba71a896a0011457ab7cc5e30167e27cb06b5be9334
SSDEEP

12288:PuAskehLWn7dfWXeea+wpfXGJAHqvayEgfkxguPZW7z0JIZmDzOOua61A:W9LqYef+MHCGg8xgqZW7z0JIZm36

Score

10^/10

Family

agenttesla

https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 3440	4600	Debit Note.exe	78

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	Debit Note.exe
Token: SeDebugPrivilege	3440	jsc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3440	4600	Debit Note.exe	78
PID 4600 wrote to memory of 3440	4600	Debit Note.exe	78
PID 4600 wrote to memory of 3440	4600	Debit Note.exe	78
PID 4600 wrote to memory of 3440	4600	Debit Note.exe	78
PID 4600 wrote to memory of 3440	4600	Debit Note.exe	78
PID 4600 wrote to memory of 3440	4600	Debit Note.exe	78
PID 4600 wrote to memory of 3440	4600	Debit Note.exe	78
PID 4600 wrote to memory of 3440	4600	Debit Note.exe	78

C:\Users\Admin\AppData\Local\Temp\Debit Note.exe
"C:\Users\Admin\AppData\Local\Temp\Debit Note.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3440

memory/3440-135-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3440-138-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/3440-139-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/4600-132-0x0000013A60EA0000-0x0000013A60F50000-memory.dmp

Filesize
704KB

Download
memory/4600-133-0x00007FFED99F0000-0x00007FFEDA4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4600-134-0x00007FFED99F0000-0x00007FFEDA4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4600-137-0x00007FFED99F0000-0x00007FFEDA4B1000-memory.dmp

Filesize
10.8MB

Download