agenttesla | 53873190e732fcbe931729aadb3d4f878d74bd17dc64c282b4efa1f87d021b43

General

Target

p004575839574947.exe
Size

1.1MB
MD5

f90d87222db82285ce87a988b372524a
SHA1

b4a571be12134d9ff6c91fc8fc46b8f53ba3d176
SHA256

53873190e732fcbe931729aadb3d4f878d74bd17dc64c282b4efa1f87d021b43
SHA512

299c35d9c16ce2479b104787d04f50f644db735f540a148d07cef32a78f01343d15b9c7610ebd88482eec76e600c80f4b33152228d4af69cf43c29aa72a4e116
SSDEEP

12288:00ZeZOUnaKuQdJFUbDLYqid+3eo9geDCknIfblyi7uDvOI8fpXVNLhc5LiJMUZCp:9KgoYi3ImgiSs/1cNQz9oG

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.focuzpartsmart.com
Port:
587
Username:
johnsonpc@focuzpartsmart.com
Password:
FpmJhn@2023
Email To:
jinhux31@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

p004575839574947.exe

description pid process target process

PID 1416 set thread context of 1316 1416 p004575839574947.exe Setup.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1208 1316 WerFault.exe Setup.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

p004575839574947.exe

pid process

1416 p004575839574947.exe
1416 p004575839574947.exe
1416 p004575839574947.exe
1416 p004575839574947.exe
1416 p004575839574947.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

p004575839574947.exe

description pid process

Token: SeDebugPrivilege 1416 p004575839574947.exe

description	pid	process	target process
PID 1416 set thread context of 1316	1416	p004575839574947.exe	Setup.exe

pid	pid_target	process	target process
1208	1316	WerFault.exe	Setup.exe

pid	process
1416	p004575839574947.exe
1416	p004575839574947.exe
1416	p004575839574947.exe
1416	p004575839574947.exe
1416	p004575839574947.exe

description	pid	process
Token: SeDebugPrivilege	1416	p004575839574947.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

p004575839574947.exeSetup.exe

description	pid	process	target process
PID 1416 wrote to memory of 1440	1416	p004575839574947.exe	AddInUtil.exe
PID 1416 wrote to memory of 1440	1416	p004575839574947.exe	AddInUtil.exe
PID 1416 wrote to memory of 1440	1416	p004575839574947.exe	AddInUtil.exe
PID 1416 wrote to memory of 1116	1416	p004575839574947.exe	regtlibv12.exe
PID 1416 wrote to memory of 1116	1416	p004575839574947.exe	regtlibv12.exe
PID 1416 wrote to memory of 1116	1416	p004575839574947.exe	regtlibv12.exe
PID 1416 wrote to memory of 900	1416	p004575839574947.exe	aspnet_state.exe
PID 1416 wrote to memory of 900	1416	p004575839574947.exe	aspnet_state.exe
PID 1416 wrote to memory of 900	1416	p004575839574947.exe	aspnet_state.exe
PID 1416 wrote to memory of 1400	1416	p004575839574947.exe	cvtres.exe
PID 1416 wrote to memory of 1400	1416	p004575839574947.exe	cvtres.exe
PID 1416 wrote to memory of 1400	1416	p004575839574947.exe	cvtres.exe
PID 1416 wrote to memory of 1664	1416	p004575839574947.exe	WsatConfig.exe
PID 1416 wrote to memory of 1664	1416	p004575839574947.exe	WsatConfig.exe
PID 1416 wrote to memory of 1664	1416	p004575839574947.exe	WsatConfig.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	Setup.exe
PID 1316 wrote to memory of 1208	1316	Setup.exe	WerFault.exe
PID 1316 wrote to memory of 1208	1316	Setup.exe	WerFault.exe
PID 1316 wrote to memory of 1208	1316	Setup.exe	WerFault.exe
PID 1316 wrote to memory of 1208	1316	Setup.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\p004575839574947.exe
"C:\Users\Admin\AppData\Local\Temp\p004575839574947.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:1440

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
2⤵
PID:1116

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:1400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
2⤵
PID:1664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 304
3⤵
- Program crash
PID:1208

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1416-54-0x0000000000AD0000-0x0000000000BF6000-memory.dmp

Filesize
1.1MB

Download
memory/1416-55-0x000000001AFF0000-0x000000001B070000-memory.dmp

Filesize
512KB

Download
memory/1416-56-0x00000000022E0000-0x0000000002350000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads