agenttesla | 43d66102096b171d791582ce4ad7881c68946594a91fa9c4931e9fae6b70e806

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-03-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

455KB
MD5

e47210accd809054f50bb4f1c765004e
SHA1

a37d125ebe7641fd00addf211083cafe08335f06
SHA256

43d66102096b171d791582ce4ad7881c68946594a91fa9c4931e9fae6b70e806
SHA512

78a402c688b230fb5fdcdb41de13d5e4b4712be0bc55b71d2275cb6072c0734a3aef172d72088ade88d308b6337c1b928ebea5cfe8079b43dcb0e45775fc0252
SSDEEP

12288:ZjXTfWDjZOeitDtLlP547QTbIbjGV3u3Cj3YE2:J7WfZOfllIbjIeScD

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1200 set thread context of 672 1200 tmp.exe SetupUtility.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

332 672 WerFault.exe SetupUtility.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

tmp.exe

pid process

1200 tmp.exe
1200 tmp.exe
1200 tmp.exe
1200 tmp.exe
1200 tmp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description pid process

Token: SeDebugPrivilege 1200 tmp.exe

description	pid	process	target process
PID 1200 set thread context of 672	1200	tmp.exe	SetupUtility.exe

pid	pid_target	process	target process
332	672	WerFault.exe	SetupUtility.exe

pid	process
1200	tmp.exe
1200	tmp.exe
1200	tmp.exe
1200	tmp.exe
1200	tmp.exe

description	pid	process
Token: SeDebugPrivilege	1200	tmp.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

tmp.exeSetupUtility.exe

description	pid	process	target process
PID 1200 wrote to memory of 1372	1200	tmp.exe	mscorsvw.exe
PID 1200 wrote to memory of 1372	1200	tmp.exe	mscorsvw.exe
PID 1200 wrote to memory of 1372	1200	tmp.exe	mscorsvw.exe
PID 1200 wrote to memory of 1500	1200	tmp.exe	InstallUtil.exe
PID 1200 wrote to memory of 1500	1200	tmp.exe	InstallUtil.exe
PID 1200 wrote to memory of 1500	1200	tmp.exe	InstallUtil.exe
PID 1200 wrote to memory of 1028	1200	tmp.exe	RegAsm.exe
PID 1200 wrote to memory of 1028	1200	tmp.exe	RegAsm.exe
PID 1200 wrote to memory of 1028	1200	tmp.exe	RegAsm.exe
PID 1200 wrote to memory of 1032	1200	tmp.exe	ilasm.exe
PID 1200 wrote to memory of 1032	1200	tmp.exe	ilasm.exe
PID 1200 wrote to memory of 1032	1200	tmp.exe	ilasm.exe
PID 1200 wrote to memory of 1512	1200	tmp.exe	aspnet_state.exe
PID 1200 wrote to memory of 1512	1200	tmp.exe	aspnet_state.exe
PID 1200 wrote to memory of 1512	1200	tmp.exe	aspnet_state.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 1200 wrote to memory of 672	1200	tmp.exe	SetupUtility.exe
PID 672 wrote to memory of 332	672	SetupUtility.exe	WerFault.exe
PID 672 wrote to memory of 332	672	SetupUtility.exe	WerFault.exe
PID 672 wrote to memory of 332	672	SetupUtility.exe	WerFault.exe
PID 672 wrote to memory of 332	672	SetupUtility.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
2⤵
PID:1372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:1500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
2⤵
PID:1028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:1032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:1512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 168
3⤵
- Program crash
PID:332

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/672-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1200-54-0x0000000000C30000-0x0000000000CA6000-memory.dmp

Filesize
472KB

Download
memory/1200-55-0x000000001AC00000-0x000000001AC80000-memory.dmp

Filesize
512KB

Download
memory/1200-56-0x000000001B2E0000-0x000000001B350000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads