agenttesla | e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89

General

Target

e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
Size

653KB
MD5

049e5298dee90a234db7ff0336e42361
SHA1

af7026ba790d977e066ca6e5f158196583127cee
SHA256

e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89
SHA512

74150316ccd7d0ea5a86c3ccfe8dfdc28bbf2c30c8f1cf4fa84cc3c148976e71c32327782db898434ccb8ac4cf66377d7778ce990a8f417e8696e536bad2327e
SSDEEP

12288:V45+po2DRiWedT4GE8diPROQnv0vJj6OiieLA14th+CQkcVNBpk1gP3oCWbD:g+pJUWcTJy5OQv0xmieG4T+cclqCP4Cs

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6488735902:AAFjq98r8SzTcc0BHWZQiLUk749fQ78ULos/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

69 ip-api.com

flow	ioc
69	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe

description	pid	process	target process
PID 2168 set thread context of 3500	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exee909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe

pid	process
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
3500	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
3500	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exee909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe

description	pid	process
Token: SeDebugPrivilege	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
Token: SeDebugPrivilege	3500	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe

C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
"C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
"C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
"C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"
2⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
"C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"
2⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
"C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"
2⤵
PID:2124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe.log

Filesize
2KB

MD5
93d52c1bc7c38d958583ebbd3dc09cd4

SHA1
4c5ee6f9c9ae190c9a0cccb91fa2257ddcb8b0d5

SHA256
2905f3a06dd8907ddbcbe64389cffcc8a5273d1822e25f8bea385bdd01653c76

SHA512
dfc55c3247d7734c5a531fb5a3de689e8bb823e82c14ad6cab16923d50d51e03e5e86165a7d65b3059a66b67968b611368b010a6d9f755916b01ef7b67c5228e

Download Submit
memory/2168-12-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2168-7-0x00000000051C0000-0x00000000051C8000-memory.dmp

Filesize
32KB

Download
memory/2168-11-0x00000000062C0000-0x000000000635C000-memory.dmp

Filesize
624KB

Download
memory/2168-4-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/2168-6-0x0000000005180000-0x0000000005198000-memory.dmp

Filesize
96KB

Download
memory/2168-5-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/2168-8-0x00000000051D0000-0x00000000051DA000-memory.dmp

Filesize
40KB

Download
memory/2168-18-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2168-9-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2168-13-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2168-3-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/2168-2-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2168-10-0x0000000006430000-0x00000000064AE000-memory.dmp

Filesize
504KB

Download
memory/2168-14-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2168-0-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2168-1-0x0000000000410000-0x00000000004BA000-memory.dmp

Filesize
680KB

Download
memory/3500-24-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/3500-20-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/3500-21-0x00000000052F0000-0x0000000005356000-memory.dmp

Filesize
408KB

Download
memory/3500-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3500-22-0x0000000006850000-0x00000000068A0000-memory.dmp

Filesize
320KB

Download
memory/3500-23-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3500-19-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download

description	pid	process	target process
PID 2168 wrote to memory of 2124	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 2124	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 2124	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 3220	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 3220	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 3220	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 4268	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 4268	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 4268	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 3500	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 3500	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 3500	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 3500	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 3500	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 3500	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 3500	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
PID 2168 wrote to memory of 3500	2168	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe	e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads