agenttesla | b38ba88413ce3a2d4519969c92be6cf9f9e6b75c32fc80aa1b5b8336836c23e4

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 19:39

Target

0e2c9248cc88052d8fdd8d4b9399772b.exe
Size

314KB
MD5

0e2c9248cc88052d8fdd8d4b9399772b
SHA1

9846115f79d650bfc25803e7e521259882822d61
SHA256

b38ba88413ce3a2d4519969c92be6cf9f9e6b75c32fc80aa1b5b8336836c23e4
SHA512

0fcccda878b9c5b8c68d77bce2f45fe605c6f71b208e8a0e421d94f7b501c7cd9aba916a18eea4a8ffaff178e7f34f464c1140f51ae8cb421a2b5a67534e9f83
SSDEEP

6144:zLTfGueEAmg+NEo5YS01+7uAz1c0xaDHmI7qY:jfGbEAmDv2S0IIGIt

Score

10^/10

Family

agenttesla

https://api.telegram.org/bot1898788581:AAEbsCzTih-rxVDH11H9U8nZ_h_9VfJgvh4/sendDocument

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 3 IoCs

resource	yara_rule
behavioral1/memory/2144-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2144-5-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2144-3-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 2144	3028	0e2c9248cc88052d8fdd8d4b9399772b.exe	16

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2144	MSBuild.exe
2144	MSBuild.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3028	0e2c9248cc88052d8fdd8d4b9399772b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2144	3028	0e2c9248cc88052d8fdd8d4b9399772b.exe	16
PID 3028 wrote to memory of 2144	3028	0e2c9248cc88052d8fdd8d4b9399772b.exe	16
PID 3028 wrote to memory of 2144	3028	0e2c9248cc88052d8fdd8d4b9399772b.exe	16
PID 3028 wrote to memory of 2144	3028	0e2c9248cc88052d8fdd8d4b9399772b.exe	16
PID 3028 wrote to memory of 2144	3028	0e2c9248cc88052d8fdd8d4b9399772b.exe	16
PID 2144 wrote to memory of 2700	2144	MSBuild.exe	29
PID 2144 wrote to memory of 2700	2144	MSBuild.exe	29
PID 2144 wrote to memory of 2700	2144	MSBuild.exe	29
PID 2144 wrote to memory of 2700	2144	MSBuild.exe	29

memory/2144-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-9-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/2144-10-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-8-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2144-12-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-11-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3028-2-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/3028-1-0x0000000000110000-0x0000000000210000-memory.dmp

Filesize
1024KB

Download