agenttesla | d7f4fe4f49d455cf114c05830ee5dbea9b8a37cf0fcd48b834d33e043928665f

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06-12-2023 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO OAU_NOVQTRFA00541·PDF.scr
Size

813KB
MD5

01117545c435423593adf192c6361730
SHA1

8bfbf242a8980921ebf82f8a1bd64c9313b9715d
SHA256

b1408013b2aafe2fdfc5a240945fce0d2b784862b8343d8297afbf031d02dd33
SHA512

b0c7b610bee518cc520226f23594464a32d166e98959b46c45989a583f78b5b8d3670b1309e632e967e79ed5d8267ee639da49f0b024e5a40c6dc03c129768cf
SSDEEP

12288:eiJUgNlYQginsOnNPkoJlVD5aPI7r4krvby:euUgNldnJhFJl/iI7frvby

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
breijhyswzsjmyqd
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO OAU_NOVQTRFA00541·PDF.scr

description pid process target process

PID 2376 set thread context of 2524 2376 PO OAU_NOVQTRFA00541·PDF.scr aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aspnet_compiler.exe

pid process

2524 aspnet_compiler.exe
2524 aspnet_compiler.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

aspnet_compiler.exe

description pid process

Token: SeDebugPrivilege 2524 aspnet_compiler.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

2524 aspnet_compiler.exe

description	pid	process	target process
PID 2376 set thread context of 2524	2376	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe

pid	process
2524	aspnet_compiler.exe
2524	aspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	2524	aspnet_compiler.exe

pid	process
2524	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PO OAU_NOVQTRFA00541·PDF.scr

description	pid	process	target process
PID 2376 wrote to memory of 2524	2376	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2376 wrote to memory of 2524	2376	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2376 wrote to memory of 2524	2376	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2376 wrote to memory of 2524	2376	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2376 wrote to memory of 2524	2376	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2376 wrote to memory of 2524	2376	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2376 wrote to memory of 2524	2376	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2376 wrote to memory of 2524	2376	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2376 wrote to memory of 2524	2376	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\PO OAU_NOVQTRFA00541·PDF.scr
"C:\Users\Admin\AppData\Local\Temp\PO OAU_NOVQTRFA00541·PDF.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2376-0-0x0000000000D40000-0x0000000000E12000-memory.dmp

Filesize
840KB

Download
memory/2376-1-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-2-0x0000000000A10000-0x0000000000A68000-memory.dmp

Filesize
352KB

Download
memory/2376-3-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/2376-4-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2376-5-0x0000000000A70000-0x0000000000AB0000-memory.dmp

Filesize
256KB

Download
memory/2376-6-0x0000000000B40000-0x0000000000B8C000-memory.dmp

Filesize
304KB

Download
memory/2376-7-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-8-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/2376-17-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/2524-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-21-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-22-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/2524-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2524-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-23-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download