agenttesla | fa248ec2c76556f7e9c71cc5979bea9f3cce8f565a44398b0e7fae3005f0b13a

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO3452302659 pdf.exe
Size

1.5MB
MD5

fae4e4923fdb5a9079e873477bf92911
SHA1

99dea9162447750cdd502fc0eb16f2ca7c54ea33
SHA256

fa248ec2c76556f7e9c71cc5979bea9f3cce8f565a44398b0e7fae3005f0b13a
SHA512

126f372bc4431ad7a899f85c2f1f6d095966ed1eba8fc4cf3e6166514eb03a538bc6c29eae675330c811f6b62f2cb3cc17af1d6fbc8085ff84a6e7743efd8836
SSDEEP

24576:iWaS+JEfphxW553sSntC6s+6qbU0saooQaPSMdLAWqY8fWFEIJ3VUPvymws5IgZs:eS+axysYC6syUkoPaPS2AJNyxUP+Mk

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.ionos.fr
Port:
587
Username:
[email protected]
Password:
qualite77

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.ionos.fr
Port:
587
Username:
[email protected]
Password:
qualite77
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO3452302659 pdf.exe

description pid process target process

PID 4772 set thread context of 4324 4772 PO3452302659 pdf.exe CasPol.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CasPol.exe

pid process

4324 CasPol.exe
4324 CasPol.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO3452302659 pdf.exeCasPol.exe

description pid process

Token: SeDebugPrivilege 4772 PO3452302659 pdf.exe
Token: SeDebugPrivilege 4324 CasPol.exe

description	pid	process	target process
PID 4772 set thread context of 4324	4772	PO3452302659 pdf.exe	CasPol.exe

pid	process
4324	CasPol.exe
4324	CasPol.exe

description	pid	process
Token: SeDebugPrivilege	4772	PO3452302659 pdf.exe
Token: SeDebugPrivilege	4324	CasPol.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

PO3452302659 pdf.exe

description	pid	process	target process
PID 4772 wrote to memory of 4324	4772	PO3452302659 pdf.exe	CasPol.exe
PID 4772 wrote to memory of 4324	4772	PO3452302659 pdf.exe	CasPol.exe
PID 4772 wrote to memory of 4324	4772	PO3452302659 pdf.exe	CasPol.exe
PID 4772 wrote to memory of 4324	4772	PO3452302659 pdf.exe	CasPol.exe
PID 4772 wrote to memory of 4324	4772	PO3452302659 pdf.exe	CasPol.exe
PID 4772 wrote to memory of 4324	4772	PO3452302659 pdf.exe	CasPol.exe
PID 4772 wrote to memory of 4324	4772	PO3452302659 pdf.exe	CasPol.exe
PID 4772 wrote to memory of 4324	4772	PO3452302659 pdf.exe	CasPol.exe

C:\Users\Admin\AppData\Local\Temp\PO3452302659 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO3452302659 pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4324-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4772-0-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4772-1-0x0000000000830000-0x00000000009C0000-memory.dmp

Filesize
1.6MB

Download
memory/4772-2-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/4772-3-0x0000000001420000-0x0000000001428000-memory.dmp

Filesize
32KB

Download
memory/4772-4-0x0000000005310000-0x000000000532A000-memory.dmp

Filesize
104KB

Download
memory/4772-7-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/4772-6-0x00000000054A0000-0x0000000005532000-memory.dmp

Filesize
584KB

Download
memory/4772-5-0x00000000059B0000-0x0000000005F54000-memory.dmp

Filesize
5.6MB

Download
memory/4772-9-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4772-8-0x0000000005440000-0x0000000005458000-memory.dmp

Filesize
96KB

Download
memory/4772-10-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4772-11-0x0000000005570000-0x0000000005588000-memory.dmp

Filesize
96KB

Download
memory/4772-12-0x0000000005710000-0x000000000586A000-memory.dmp

Filesize
1.4MB

Download
memory/4772-14-0x00000000055B0000-0x00000000055CA000-memory.dmp

Filesize
104KB

Download
memory/4772-15-0x00000000060C0000-0x00000000061E2000-memory.dmp

Filesize
1.1MB

Download
memory/4772-16-0x0000000005640000-0x0000000005684000-memory.dmp

Filesize
272KB

Download
memory/4772-17-0x00000000057C0000-0x0000000005836000-memory.dmp

Filesize
472KB

Download
memory/4772-19-0x0000000005630000-0x0000000005660000-memory.dmp

Filesize
192KB

Download
memory/4772-21-0x00000000057C0000-0x0000000005820000-memory.dmp

Filesize
384KB

Download
memory/4772-22-0x0000000005610000-0x0000000005630000-memory.dmp

Filesize
128KB

Download
memory/4772-20-0x00000000060C0000-0x000000000617A000-memory.dmp

Filesize
744KB

Download
memory/4772-23-0x00000000063E0000-0x00000000066A4000-memory.dmp

Filesize
2.8MB

Download
memory/4772-24-0x00000000057E0000-0x00000000057FE000-memory.dmp

Filesize
120KB

Download
memory/4772-25-0x00000000060C0000-0x000000000613C000-memory.dmp

Filesize
496KB

Download
memory/4772-18-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4772-13-0x0000000005660000-0x0000000005704000-memory.dmp

Filesize
656KB

Download
memory/4772-27-0x00000000057F0000-0x00000000057F8000-memory.dmp

Filesize
32KB

Download
memory/4772-26-0x0000000006480000-0x000000000651C000-memory.dmp

Filesize
624KB

Download
memory/4772-30-0x0000000005960000-0x0000000005982000-memory.dmp

Filesize
136KB

Download
memory/4772-29-0x00000000057F0000-0x00000000057F8000-memory.dmp

Filesize
32KB

Download
memory/4772-28-0x00000000057F0000-0x00000000057FE000-memory.dmp

Filesize
56KB

Download
memory/4772-31-0x0000000006EF0000-0x000000000745C000-memory.dmp

Filesize
5.4MB

Download
memory/4772-32-0x0000000005930000-0x0000000005942000-memory.dmp

Filesize
72KB

Download
memory/4772-33-0x0000000005930000-0x0000000005950000-memory.dmp

Filesize
128KB

Download
memory/4772-34-0x0000000006490000-0x0000000006540000-memory.dmp

Filesize
704KB

Download
memory/4772-36-0x00000000061C0000-0x00000000061E2000-memory.dmp

Filesize
136KB

Download
memory/4772-37-0x0000000006F40000-0x000000000714A000-memory.dmp

Filesize
2.0MB

Download
memory/4772-35-0x0000000006A30000-0x0000000006BA6000-memory.dmp

Filesize
1.5MB

Download
memory/4772-39-0x0000000006410000-0x000000000643A000-memory.dmp

Filesize
168KB

Download
memory/4772-41-0x0000000006100000-0x0000000006108000-memory.dmp

Filesize
32KB

Download
memory/4772-46-0x0000000006A30000-0x0000000006A7A000-memory.dmp

Filesize
296KB

Download
memory/4772-50-0x0000000006580000-0x0000000006588000-memory.dmp

Filesize
32KB

Download
memory/4772-51-0x0000000006580000-0x0000000006588000-memory.dmp

Filesize
32KB

Download
memory/4772-49-0x00000000061D0000-0x00000000061D8000-memory.dmp

Filesize
32KB

Download
memory/4772-53-0x0000000006B40000-0x0000000006BA6000-memory.dmp

Filesize
408KB

Download
memory/4772-55-0x0000000006580000-0x0000000006588000-memory.dmp

Filesize
32KB

Download
memory/4772-58-0x0000000006AF0000-0x0000000006B02000-memory.dmp

Filesize
72KB

Download
memory/4772-57-0x00000000066A0000-0x00000000066A8000-memory.dmp

Filesize
32KB

Download
memory/4772-56-0x0000000006EB0000-0x000000000702C000-memory.dmp

Filesize
1.5MB

Download
memory/4772-59-0x0000000006D30000-0x0000000007084000-memory.dmp

Filesize
3.3MB

Download
memory/4772-54-0x0000000006A30000-0x0000000006A4A000-memory.dmp

Filesize
104KB

Download
memory/4772-52-0x0000000006580000-0x0000000006588000-memory.dmp

Filesize
32KB

Download
memory/4772-48-0x0000000006590000-0x00000000065B0000-memory.dmp

Filesize
128KB

Download
memory/4772-47-0x00000000061D0000-0x00000000061E0000-memory.dmp

Filesize
64KB

Download
memory/4772-60-0x0000000006E40000-0x0000000006F4A000-memory.dmp

Filesize
1.0MB

Download
memory/4772-45-0x00000000061D0000-0x00000000061D8000-memory.dmp

Filesize
32KB

Download
memory/4772-44-0x00000000061D0000-0x00000000061D8000-memory.dmp

Filesize
32KB

Download
memory/4772-61-0x0000000007AA0000-0x0000000007E7A000-memory.dmp

Filesize
3.9MB

Download
memory/4772-43-0x00000000061D0000-0x00000000061D8000-memory.dmp

Filesize
32KB

Download
memory/4772-62-0x0000000006DE0000-0x0000000006E8A000-memory.dmp

Filesize
680KB

Download
memory/4772-63-0x0000000006B30000-0x0000000006BAD000-memory.dmp

Filesize
500KB

Download
memory/4772-42-0x0000000006100000-0x0000000006108000-memory.dmp

Filesize
32KB

Download
memory/4772-40-0x0000000006100000-0x0000000006108000-memory.dmp

Filesize
32KB

Download
memory/4772-38-0x0000000006100000-0x0000000006110000-memory.dmp

Filesize
64KB

Download
memory/4772-245-0x0000000071860000-0x0000000071867000-memory.dmp

Filesize
28KB

Download
memory/4772-270-0x0000000071380000-0x00000000714C6000-memory.dmp

Filesize
1.3MB

Download
memory/4772-271-0x00000000713A0000-0x00000000714C4000-memory.dmp

Filesize
1.1MB

Download
memory/4772-272-0x0000000006470000-0x00000000064FD000-memory.dmp

Filesize
564KB

Download
memory/4772-273-0x00000000057F0000-0x00000000057F6000-memory.dmp

Filesize
24KB

Download
memory/4772-274-0x00000000714B0000-0x00000000714C6000-memory.dmp

Filesize
88KB

Download
memory/4772-288-0x00000000714B0000-0x00000000714C5000-memory.dmp

Filesize
84KB

Download
memory/4772-291-0x00000000707A0000-0x00000000707B9000-memory.dmp

Filesize
100KB

Download
memory/4772-301-0x000000006F9C0000-0x000000006F9D5000-memory.dmp

Filesize
84KB

Download
memory/4772-296-0x00000000095C0000-0x00000000095C7000-memory.dmp

Filesize
28KB

Download
memory/4772-295-0x000000006F9D0000-0x000000006F9D7000-memory.dmp

Filesize
28KB

Download
memory/4772-289-0x00000000714C0000-0x00000000714C8000-memory.dmp

Filesize
32KB

Download
memory/4772-287-0x00000000057F0000-0x00000000057F3000-memory.dmp

Filesize
12KB

Download
memory/4772-286-0x00000000714C0000-0x00000000714C5000-memory.dmp

Filesize
20KB

Download
memory/4772-282-0x0000000071490000-0x00000000714C6000-memory.dmp

Filesize
216KB

Download
memory/4772-280-0x0000000071450000-0x00000000714C1000-memory.dmp

Filesize
452KB

Download
memory/4772-279-0x00000000714C0000-0x00000000714C7000-memory.dmp

Filesize
28KB

Download
memory/4772-275-0x00000000714A0000-0x00000000714C7000-memory.dmp

Filesize
156KB

Download