agenttesla | 70e164d59a87463b0d6ad9e00ad1301079624d765fa12acb1649e9bcbdde1a23

Analysis

max time kernel
53s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2acff62a4747a5bedfd5e917a9e5c68b.exe
Size

681KB
MD5

2acff62a4747a5bedfd5e917a9e5c68b
SHA1

79dcf36cbd19078ce9cae397a3807bcaab31801d
SHA256

70e164d59a87463b0d6ad9e00ad1301079624d765fa12acb1649e9bcbdde1a23
SHA512

395a2ef3b7b8a30ed0c50f1125658d1ecd44fe750424f30b85fed1f6dc91a49c25f29dbc88295e0df428d398c081fd4563735892a5de45044484f31d7466233c
SSDEEP

6144:ZWMIDIIHAKnLuwLyv6eCPLVJ1ggMDcZ5Y3fNf9WlsE0dF3IBWCY:ZAHAKnLuv6pDkDSY3VfcJq2

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.houneywell.com
Port:
587
Username:
[email protected]
Password:
eu%Rjv@+b15Q

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/5092-11-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 5092	1220	2acff62a4747a5bedfd5e917a9e5c68b.exe	101

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5092	2acff62a4747a5bedfd5e917a9e5c68b.exe
5092	2acff62a4747a5bedfd5e917a9e5c68b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	2acff62a4747a5bedfd5e917a9e5c68b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 5092	1220	2acff62a4747a5bedfd5e917a9e5c68b.exe	101
PID 1220 wrote to memory of 5092	1220	2acff62a4747a5bedfd5e917a9e5c68b.exe	101
PID 1220 wrote to memory of 5092	1220	2acff62a4747a5bedfd5e917a9e5c68b.exe	101
PID 1220 wrote to memory of 5092	1220	2acff62a4747a5bedfd5e917a9e5c68b.exe	101
PID 1220 wrote to memory of 5092	1220	2acff62a4747a5bedfd5e917a9e5c68b.exe	101
PID 1220 wrote to memory of 5092	1220	2acff62a4747a5bedfd5e917a9e5c68b.exe	101
PID 1220 wrote to memory of 5092	1220	2acff62a4747a5bedfd5e917a9e5c68b.exe	101
PID 1220 wrote to memory of 5092	1220	2acff62a4747a5bedfd5e917a9e5c68b.exe	101

C:\Users\Admin\AppData\Local\Temp\2acff62a4747a5bedfd5e917a9e5c68b.exe
"C:\Users\Admin\AppData\Local\Temp\2acff62a4747a5bedfd5e917a9e5c68b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\2acff62a4747a5bedfd5e917a9e5c68b.exe
  "C:\Users\Admin\AppData\Local\Temp\2acff62a4747a5bedfd5e917a9e5c68b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-10-0x000000000AF10000-0x000000000AF50000-memory.dmp

Filesize
256KB

Download
memory/1220-4-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/1220-1-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/1220-15-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/1220-0-0x0000000000F20000-0x0000000000FD0000-memory.dmp

Filesize
704KB

Download
memory/1220-5-0x00000000059C0000-0x00000000059CA000-memory.dmp

Filesize
40KB

Download
memory/1220-7-0x0000000008760000-0x00000000087FC000-memory.dmp

Filesize
624KB

Download
memory/1220-6-0x0000000005DD0000-0x0000000005DEC000-memory.dmp

Filesize
112KB

Download
memory/1220-8-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/1220-9-0x0000000008800000-0x0000000008864000-memory.dmp

Filesize
400KB

Download
memory/1220-3-0x0000000005A20000-0x0000000005AB2000-memory.dmp

Filesize
584KB

Download
memory/1220-2-0x0000000005FD0000-0x0000000006574000-memory.dmp

Filesize
5.6MB

Download
memory/5092-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5092-16-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/5092-14-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/5092-18-0x00000000067E0000-0x0000000006846000-memory.dmp

Filesize
408KB

Download
memory/5092-17-0x0000000005F40000-0x0000000005F58000-memory.dmp

Filesize
96KB

Download
memory/5092-19-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/5092-20-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/5092-22-0x0000000006D70000-0x0000000006DC0000-memory.dmp

Filesize
320KB

Download
memory/5092-23-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download