agenttesla | 51e70e3292e217da70cfcb15c86a2141256c54cbeb34d0ad662dd6462ddffb70

General

Target

056c3769a51cbae4e0d61d89f45a857b.exe
Size

759KB
MD5

056c3769a51cbae4e0d61d89f45a857b
SHA1

03c65baab74eac7c8ed2d43ff6c928c1e8d4f411
SHA256

51e70e3292e217da70cfcb15c86a2141256c54cbeb34d0ad662dd6462ddffb70
SHA512

e4e65a617e0558b748531c2731956d96371d20fd16f8a9dba8b142ad51dc63b0e18a3ebe627693a560ad87e1f31af57950a086e03adcb90e22eed33d34f7efcf
SSDEEP

12288:efIkfVnlb8uYhkOH7hooLFo0DGy6RIq/hlJ:efI4Vlb853WoLC0DGZ5V

Score

10^/10

agenttesla agilenet keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Heaven11

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/4936-18-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

pid	Process
4936	InstallUtil.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/5080-7-0x0000000006C30000-0x0000000006C58000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5080 set thread context of 4936	5080	056c3769a51cbae4e0d61d89f45a857b.exe	102

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5080	056c3769a51cbae4e0d61d89f45a857b.exe
5080	056c3769a51cbae4e0d61d89f45a857b.exe
5080	056c3769a51cbae4e0d61d89f45a857b.exe
4936	InstallUtil.exe
4936	InstallUtil.exe
4936	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	056c3769a51cbae4e0d61d89f45a857b.exe
Token: SeDebugPrivilege	4936	InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4936	5080	056c3769a51cbae4e0d61d89f45a857b.exe	102
PID 5080 wrote to memory of 4936	5080	056c3769a51cbae4e0d61d89f45a857b.exe	102
PID 5080 wrote to memory of 4936	5080	056c3769a51cbae4e0d61d89f45a857b.exe	102
PID 5080 wrote to memory of 4936	5080	056c3769a51cbae4e0d61d89f45a857b.exe	102
PID 5080 wrote to memory of 4936	5080	056c3769a51cbae4e0d61d89f45a857b.exe	102
PID 5080 wrote to memory of 4936	5080	056c3769a51cbae4e0d61d89f45a857b.exe	102
PID 5080 wrote to memory of 4936	5080	056c3769a51cbae4e0d61d89f45a857b.exe	102
PID 5080 wrote to memory of 4936	5080	056c3769a51cbae4e0d61d89f45a857b.exe	102

C:\Users\Admin\AppData\Local\Temp\056c3769a51cbae4e0d61d89f45a857b.exe
"C:\Users\Admin\AppData\Local\Temp\056c3769a51cbae4e0d61d89f45a857b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
37KB

MD5
ee11e7c74155139dfb635b73d28c1b87

SHA1
6946fa1a74fb0679a24982562415dd90ea74451d

SHA256
c04a3f9598a739deff474387d69cd8091dc35952eea775cf5dcbaed24adb70d0

SHA512
e93272b23bd1dd7e6e421ac96b3190e8d5ad4298930c47a6c23f1b54bbd413ea0e276196a8e960830907183fa4515a5e4c4b663f6d3856c3649e163c31b31a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
memory/4936-23-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4936-29-0x00000000063C0000-0x00000000063CA000-memory.dmp

Filesize
40KB

Download
memory/4936-30-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4936-28-0x00000000065B0000-0x0000000006600000-memory.dmp

Filesize
320KB

Download
memory/4936-27-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4936-26-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4936-25-0x00000000053C0000-0x00000000053D8000-memory.dmp

Filesize
96KB

Download
memory/4936-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-24-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/5080-9-0x0000000006CB0000-0x0000000006CD2000-memory.dmp

Filesize
136KB

Download
memory/5080-8-0x0000000006CF0000-0x0000000006D56000-memory.dmp

Filesize
408KB

Download
memory/5080-13-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/5080-15-0x0000000007040000-0x0000000007054000-memory.dmp

Filesize
80KB

Download
memory/5080-16-0x0000000007470000-0x0000000007476000-memory.dmp

Filesize
24KB

Download
memory/5080-11-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/5080-7-0x0000000006C30000-0x0000000006C58000-memory.dmp

Filesize
160KB

Download
memory/5080-22-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/5080-10-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/5080-12-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/5080-1-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/5080-0-0x0000000000620000-0x00000000006E4000-memory.dmp

Filesize
784KB

Download
memory/5080-4-0x00000000051D0000-0x0000000005524000-memory.dmp

Filesize
3.3MB

Download
memory/5080-6-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/5080-5-0x0000000005BF0000-0x0000000005C8C000-memory.dmp

Filesize
624KB

Download
memory/5080-3-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/5080-2-0x0000000005640000-0x0000000005BE4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing