agenttesla | fec036825e0ca6e23d0b7f0faafc0e9a4daf0e20ef0ef2886fc2190f90aff28c

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-01-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ödeme makbuzu.exe
Size

856KB
MD5

1a15eb648c16a856f617993feb94e399
SHA1

ce2e40f968d7636f853e5278ef964ba4c5a70c9b
SHA256

fec036825e0ca6e23d0b7f0faafc0e9a4daf0e20ef0ef2886fc2190f90aff28c
SHA512

151804ef9e85bda17f7c037d5f8f1bc43e06693e0602f00138924750f0260d992fe00c50000e550fcd17bd2ba631e905c3c946bd48bea6e09ca9f464544b0b2e
SSDEEP

24576:CTvDyK4nrFuXSrTb/bqQlt/GR4lHKg6Qsil+G6ByR3zaSWwf:CbuKYFuXkcssil+8R7Wwf

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://eu-west-1.sftpcloud.io
Port:
21
Username:
7657be08759d4b44b239e4cac7da4d75
Password:
YInxt3TgodFyRdOovcLPYB719hs411A1

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 2584	3064	ödeme makbuzu.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3064	ödeme makbuzu.exe
3064	ödeme makbuzu.exe
2584	InstallUtil.exe
2584	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	ödeme makbuzu.exe
Token: SeDebugPrivilege	2584	InstallUtil.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28
PID 3064 wrote to memory of 2584	3064	ödeme makbuzu.exe	28

C:\Users\Admin\AppData\Local\Temp\ödeme makbuzu.exe
"C:\Users\Admin\AppData\Local\Temp\ödeme makbuzu.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2584-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-25-0x0000000001020000-0x0000000001060000-memory.dmp

Filesize
256KB

Download
memory/2584-24-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-23-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-6-0x0000000004150000-0x000000000416A000-memory.dmp

Filesize
104KB

Download
memory/3064-3-0x00000000041B0000-0x00000000041F4000-memory.dmp

Filesize
272KB

Download
memory/3064-4-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-2-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/3064-0-0x00000000001F0000-0x00000000002CC000-memory.dmp

Filesize
880KB

Download
memory/3064-8-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/3064-22-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-7-0x0000000000970000-0x0000000000976000-memory.dmp

Filesize
24KB

Download
memory/3064-1-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-5-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download