agenttesla | ccc2705cc016a910af89b39b5beeca2885eedd714cca5ab153b416c201d0ea96

Analysis

max time kernel
44s
max time network
34s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28-06-2023 07:02

Target

c4df006e39809b6857f3cc9117fa2088.exe
Size

774KB
MD5

c4df006e39809b6857f3cc9117fa2088
SHA1

cd5ae28a1037aa467b507f533a3361383a954cf6
SHA256

ccc2705cc016a910af89b39b5beeca2885eedd714cca5ab153b416c201d0ea96
SHA512

aa175d94622ae6b55b0ea77783b838877a852c4d7884c759eff1bb6b8df55e81d170a4848fc9892e3a3ceaf781bc4a6771e2ff01cf80ae8af6c32389202f5945
SSDEEP

12288:PNnGCF9QcI5Szby9RkQEt1LgYaHxFBF4EllnGFveYp3wvmcC:PFGCocNwRkXMrBiylGFvervs

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 1108	1744	c4df006e39809b6857f3cc9117fa2088.exe	28

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1108	1744	c4df006e39809b6857f3cc9117fa2088.exe	28
PID 1744 wrote to memory of 1108	1744	c4df006e39809b6857f3cc9117fa2088.exe	28
PID 1744 wrote to memory of 1108	1744	c4df006e39809b6857f3cc9117fa2088.exe	28
PID 1744 wrote to memory of 1108	1744	c4df006e39809b6857f3cc9117fa2088.exe	28
PID 1744 wrote to memory of 1108	1744	c4df006e39809b6857f3cc9117fa2088.exe	28
PID 1744 wrote to memory of 1108	1744	c4df006e39809b6857f3cc9117fa2088.exe	28
PID 1744 wrote to memory of 1108	1744	c4df006e39809b6857f3cc9117fa2088.exe	28
PID 1744 wrote to memory of 1108	1744	c4df006e39809b6857f3cc9117fa2088.exe	28
PID 1744 wrote to memory of 1108	1744	c4df006e39809b6857f3cc9117fa2088.exe	28

C:\Users\Admin\AppData\Local\Temp\c4df006e39809b6857f3cc9117fa2088.exe
"C:\Users\Admin\AppData\Local\Temp\c4df006e39809b6857f3cc9117fa2088.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\c4df006e39809b6857f3cc9117fa2088.exe
  "C:\Users\Admin\AppData\Local\Temp\c4df006e39809b6857f3cc9117fa2088.exe"
  2⤵
  PID:1108

memory/1108-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1108-60-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1108-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1108-63-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1108-62-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1108-65-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1108-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1744-55-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/1744-56-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1744-57-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/1744-58-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/1744-59-0x0000000004420000-0x000000000448A000-memory.dmp

Filesize
424KB

Download
memory/1744-54-0x0000000000B70000-0x0000000000C36000-memory.dmp

Filesize
792KB

Download