agenttesla | 36484e70d703243720d4d8170e8bd708c59a879256ff70413b2ab1f7267efd6a

General

Target

Arrival Notice.exe
Size

632KB
MD5

d5551d02842d0bca89645f6d2dcd9425
SHA1

60e703ba9b877189f2a5349cae2512de050bc76c
SHA256

558122a88015bea8cc58d92d22e752167ccf7d837d8d85a3070497471660de3a
SHA512

a30a933775af324a4f6662288fa52ac8336d96cbbf44ca2ff9a40411ec2a4b6e2817b8372337bf1a1c18e476c3304a6e9bb8c8bcb4e7f44664de4af17d5670ae
SSDEEP

12288:knJ+gIaWmooQ9gfWer8oDRGLndvQfaTGXc8YrN7n0x:GU9F9gfl8zBw/YrN7

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.wasstech.com
Port:
587
Username:
[email protected]
Password:
Sunray2700@@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Arrival Notice.exe

description pid process target process

PID 2080 set thread context of 2696 2080 Arrival Notice.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Arrival Notice.exeRegSvcs.exe

pid process

2080 Arrival Notice.exe
2080 Arrival Notice.exe
2080 Arrival Notice.exe
2696 RegSvcs.exe
2696 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Arrival Notice.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 2080 Arrival Notice.exe
Token: SeDebugPrivilege 2696 RegSvcs.exe

flow	ioc
6	ip-api.com
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 2080 set thread context of 2696	2080	Arrival Notice.exe	RegSvcs.exe

pid	process
2080	Arrival Notice.exe
2080	Arrival Notice.exe
2080	Arrival Notice.exe
2696	RegSvcs.exe
2696	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2080	Arrival Notice.exe
Token: SeDebugPrivilege	2696	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Arrival Notice.exe

description	pid	process	target process
PID 2080 wrote to memory of 2728	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2728	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2728	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2728	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2728	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2728	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2728	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe
PID 2080 wrote to memory of 2696	2080	Arrival Notice.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2080-20-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2080-1-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2080-2-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/2080-3-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/2080-5-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/2080-4-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/2080-6-0x0000000004730000-0x00000000047AC000-memory.dmp

Filesize
496KB

Download
memory/2080-0-0x0000000000E10000-0x0000000000EB4000-memory.dmp

Filesize
656KB

Download
memory/2696-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-22-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/2696-21-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-23-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-24-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads