agenttesla | d7f4fe4f49d455cf114c05830ee5dbea9b8a37cf0fcd48b834d33e043928665f

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2023 04:07

Target

PO OAU_NOVQTRFA00541·PDF.scr
Size

813KB
MD5

01117545c435423593adf192c6361730
SHA1

8bfbf242a8980921ebf82f8a1bd64c9313b9715d
SHA256

b1408013b2aafe2fdfc5a240945fce0d2b784862b8343d8297afbf031d02dd33
SHA512

b0c7b610bee518cc520226f23594464a32d166e98959b46c45989a583f78b5b8d3670b1309e632e967e79ed5d8267ee639da49f0b024e5a40c6dc03c129768cf
SSDEEP

12288:eiJUgNlYQginsOnNPkoJlVD5aPI7r4krvby:euUgNldnJhFJl/iI7frvby

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO OAU_NOVQTRFA00541·PDF.scr

description pid process target process

PID 4316 set thread context of 4024 4316 PO OAU_NOVQTRFA00541·PDF.scr aspnet_compiler.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3484 4024 WerFault.exe aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aspnet_compiler.exe

pid process

4024 aspnet_compiler.exe
4024 aspnet_compiler.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

aspnet_compiler.exe

description pid process

Token: SeDebugPrivilege 4024 aspnet_compiler.exe

description	pid	process	target process
PID 4316 set thread context of 4024	4316	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe

pid	pid_target	process	target process
3484	4024	WerFault.exe	aspnet_compiler.exe

pid	process
4024	aspnet_compiler.exe
4024	aspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	4024	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

PO OAU_NOVQTRFA00541·PDF.scr

description	pid	process	target process
PID 4316 wrote to memory of 4024	4316	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 4316 wrote to memory of 4024	4316	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 4316 wrote to memory of 4024	4316	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 4316 wrote to memory of 4024	4316	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 4316 wrote to memory of 4024	4316	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 4316 wrote to memory of 4024	4316	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 4316 wrote to memory of 4024	4316	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 4316 wrote to memory of 4024	4316	PO OAU_NOVQTRFA00541·PDF.scr	aspnet_compiler.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1404
3⤵
- Program crash
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4024 -ip 4024
1⤵
PID:732

memory/4024-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4024-16-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4024-15-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/4024-14-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/4024-13-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4316-4-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/4316-6-0x0000000004B60000-0x0000000004BAC000-memory.dmp

Filesize
304KB

Download
memory/4316-7-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4316-8-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4316-9-0x0000000005440000-0x00000000059E4000-memory.dmp

Filesize
5.6MB

Download
memory/4316-5-0x0000000004B20000-0x0000000004B60000-memory.dmp

Filesize
256KB

Download
memory/4316-12-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4316-0-0x0000000000010000-0x00000000000E2000-memory.dmp

Filesize
840KB

Download
memory/4316-3-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4316-2-0x0000000004AA0000-0x0000000004AF8000-memory.dmp

Filesize
352KB

Download
memory/4316-1-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download