agenttesla | 5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
03-12-2023 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUOTATIONNOVQTRFA00541PDF.scr.exe
Size

974KB
MD5

83999a2ce0109ea4adbecb3a96744e8c
SHA1

4b94f4b23b157c7ae2df54e251cd4d22c683134d
SHA256

5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab
SHA512

f4dfe9396a978d942cc5e8857549da838b17099f57a9fa4fc53761ee06bcff37f4100b263fdccff9565de3db40eb9c71694618433d64d41e66d8765a131328ae
SSDEEP

12288:W2BNuP+2ess0NdGRs5N4r8Zjw/KpBf2fLkzGHH1tfU7:J2JAk15N4r+8C72PfU

Score

10^/10

agenttesla purelogs keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
28#75@ts76&&p!!@@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect PureLogs payload 1 IoCs

resource	yara_rule
behavioral1/memory/1208-0-0x00000000002D0000-0x00000000003C8000-memory.dmp	family_purelogs

PureLogs
PureLogs is an infostealer written in C#.
stealer purelogs

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	AppLaunch.exe
2764	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2764	AppLaunch.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28
PID 1208 wrote to memory of 2764	1208	QUOTATIONNOVQTRFA00541PDF.scr.exe	28

C:\Users\Admin\AppData\Local\Temp\QUOTATIONNOVQTRFA00541PDF.scr.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATIONNOVQTRFA00541PDF.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-17-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1208-4-0x00000000041F0000-0x0000000004248000-memory.dmp

Filesize
352KB

Download
memory/1208-0-0x00000000002D0000-0x00000000003C8000-memory.dmp

Filesize
992KB

Download
memory/1208-3-0x0000000002080000-0x00000000020D8000-memory.dmp

Filesize
352KB

Download
memory/1208-1-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1208-5-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1208-6-0x0000000000B70000-0x0000000000BB0000-memory.dmp

Filesize
256KB

Download
memory/1208-7-0x0000000004B90000-0x0000000004BDC000-memory.dmp

Filesize
304KB

Download
memory/1208-8-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1208-9-0x0000000000AD0000-0x0000000000B10000-memory.dmp

Filesize
256KB

Download
memory/1208-2-0x0000000000AD0000-0x0000000000B10000-memory.dmp

Filesize
256KB

Download
memory/2764-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-14-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-21-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-22-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download