agenttesla | 53873190e732fcbe931729aadb3d4f878d74bd17dc64c282b4efa1f87d021b43

Analysis

max time kernel
57s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-03-2023 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

p004575839574947.exe
Size

1.1MB
MD5

f90d87222db82285ce87a988b372524a
SHA1

b4a571be12134d9ff6c91fc8fc46b8f53ba3d176
SHA256

53873190e732fcbe931729aadb3d4f878d74bd17dc64c282b4efa1f87d021b43
SHA512

299c35d9c16ce2479b104787d04f50f644db735f540a148d07cef32a78f01343d15b9c7610ebd88482eec76e600c80f4b33152228d4af69cf43c29aa72a4e116
SSDEEP

12288:00ZeZOUnaKuQdJFUbDLYqid+3eo9geDCknIfblyi7uDvOI8fpXVNLhc5LiJMUZCp:9KgoYi3ImgiSs/1cNQz9oG

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.focuzpartsmart.com
Port:
587
Username:
[email protected]
Password:
FpmJhn@2023
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1416 set thread context of 1316	1416	p004575839574947.exe	33

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1208	1316	WerFault.exe	33

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1416	p004575839574947.exe
1416	p004575839574947.exe
1416	p004575839574947.exe
1416	p004575839574947.exe
1416	p004575839574947.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	p004575839574947.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1440	1416	p004575839574947.exe	28
PID 1416 wrote to memory of 1440	1416	p004575839574947.exe	28
PID 1416 wrote to memory of 1440	1416	p004575839574947.exe	28
PID 1416 wrote to memory of 1116	1416	p004575839574947.exe	29
PID 1416 wrote to memory of 1116	1416	p004575839574947.exe	29
PID 1416 wrote to memory of 1116	1416	p004575839574947.exe	29
PID 1416 wrote to memory of 900	1416	p004575839574947.exe	30
PID 1416 wrote to memory of 900	1416	p004575839574947.exe	30
PID 1416 wrote to memory of 900	1416	p004575839574947.exe	30
PID 1416 wrote to memory of 1400	1416	p004575839574947.exe	31
PID 1416 wrote to memory of 1400	1416	p004575839574947.exe	31
PID 1416 wrote to memory of 1400	1416	p004575839574947.exe	31
PID 1416 wrote to memory of 1664	1416	p004575839574947.exe	32
PID 1416 wrote to memory of 1664	1416	p004575839574947.exe	32
PID 1416 wrote to memory of 1664	1416	p004575839574947.exe	32
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1416 wrote to memory of 1316	1416	p004575839574947.exe	33
PID 1316 wrote to memory of 1208	1316	Setup.exe	34
PID 1316 wrote to memory of 1208	1316	Setup.exe	34
PID 1316 wrote to memory of 1208	1316	Setup.exe	34
PID 1316 wrote to memory of 1208	1316	Setup.exe	34

C:\Users\Admin\AppData\Local\Temp\p004575839574947.exe
"C:\Users\Admin\AppData\Local\Temp\p004575839574947.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:1440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
  2⤵
  PID:1116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:1400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 304
    3⤵
    - Program crash
    PID:1208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1416-54-0x0000000000AD0000-0x0000000000BF6000-memory.dmp

Filesize
1.1MB

Download
memory/1416-55-0x000000001AFF0000-0x000000001B070000-memory.dmp

Filesize
512KB

Download
memory/1416-56-0x00000000022E0000-0x0000000002350000-memory.dmp

Filesize
448KB

Download