agenttesla | 5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab

Analysis

max time kernel
139s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2023, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUOTATIONNOVQTRFA00541PDF.scr.exe
Size

974KB
MD5

83999a2ce0109ea4adbecb3a96744e8c
SHA1

4b94f4b23b157c7ae2df54e251cd4d22c683134d
SHA256

5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab
SHA512

f4dfe9396a978d942cc5e8857549da838b17099f57a9fa4fc53761ee06bcff37f4100b263fdccff9565de3db40eb9c71694618433d64d41e66d8765a131328ae
SSDEEP

12288:W2BNuP+2ess0NdGRs5N4r8Zjw/KpBf2fLkzGHH1tfU7:J2JAk15N4r+8C72PfU

Score

10^/10

agenttesla purelogs keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
28#75@ts76&&p!!@@

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
28#75@ts76&&p!!@@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect PureLogs payload 1 IoCs

resource	yara_rule
behavioral2/memory/4536-0-0x0000000000070000-0x0000000000168000-memory.dmp	family_purelogs

PureLogs
PureLogs is an infostealer written in C#.
stealer purelogs

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4536 set thread context of 396	4536	QUOTATIONNOVQTRFA00541PDF.scr.exe	98

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
396	AppLaunch.exe
396	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
396	AppLaunch.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 396	4536	QUOTATIONNOVQTRFA00541PDF.scr.exe	98
PID 4536 wrote to memory of 396	4536	QUOTATIONNOVQTRFA00541PDF.scr.exe	98
PID 4536 wrote to memory of 396	4536	QUOTATIONNOVQTRFA00541PDF.scr.exe	98
PID 4536 wrote to memory of 396	4536	QUOTATIONNOVQTRFA00541PDF.scr.exe	98
PID 4536 wrote to memory of 396	4536	QUOTATIONNOVQTRFA00541PDF.scr.exe	98
PID 4536 wrote to memory of 396	4536	QUOTATIONNOVQTRFA00541PDF.scr.exe	98
PID 4536 wrote to memory of 396	4536	QUOTATIONNOVQTRFA00541PDF.scr.exe	98
PID 4536 wrote to memory of 396	4536	QUOTATIONNOVQTRFA00541PDF.scr.exe	98

C:\Users\Admin\AppData\Local\Temp\QUOTATIONNOVQTRFA00541PDF.scr.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATIONNOVQTRFA00541PDF.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-22-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/396-21-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/396-20-0x0000000006490000-0x000000000649A000-memory.dmp

Filesize
40KB

Download
memory/396-19-0x00000000064F0000-0x0000000006582000-memory.dmp

Filesize
584KB

Download
memory/396-18-0x0000000005FF0000-0x000000000608C000-memory.dmp

Filesize
624KB

Download
memory/396-17-0x0000000005F00000-0x0000000005F50000-memory.dmp

Filesize
320KB

Download
memory/396-16-0x0000000005150000-0x00000000051B6000-memory.dmp

Filesize
408KB

Download
memory/396-15-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/396-14-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4536-4-0x0000000004B40000-0x0000000004B98000-memory.dmp

Filesize
352KB

Download
memory/4536-10-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/4536-9-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4536-13-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4536-8-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4536-7-0x0000000004C60000-0x0000000004CAC000-memory.dmp

Filesize
304KB

Download
memory/4536-6-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/4536-0-0x0000000000070000-0x0000000000168000-memory.dmp

Filesize
992KB

Download
memory/4536-5-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/4536-3-0x0000000004AC0000-0x0000000004B18000-memory.dmp

Filesize
352KB

Download
memory/4536-2-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4536-1-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download