agenttesla | 773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93

General

Target

773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe
Size

1.1MB
MD5

dbdcdd2c51d923aa30293e14be7a829e
SHA1

9466254f55f04134118f1f6b616007bb86d95f2e
SHA256

773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93
SHA512

04326eae48128dbae077f31c2150519ce789592f215b5725ca366ecf8ba34f28ca353ae967235b69224ee3e9f80dd1e725f6f719d10f776452a70f80fd2d183b
SSDEEP

12288:uiL+7/wHM6gCqCcT3ylTBkmLWSQsQqghyGEoofi+0UkoMGh5cfa1ZR2w:5L+d6gCqiPhxQsdg4GEpfi+soMcQ6

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://eu-west-1.sftpcloud.io
Port:
21
Username:
c075574a2af448809808296ff839567f
Password:
UTLc1SID7Y5LpcuIWt3ttrUfI4LcuCLY

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 4380	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	103

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe
2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe
2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe
2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe
2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe
2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe
4380	InstallUtil.exe
4380	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe
Token: SeDebugPrivilege	4380	InstallUtil.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4540	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	100
PID 2492 wrote to memory of 4540	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	100
PID 2492 wrote to memory of 4540	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	100
PID 2492 wrote to memory of 4540	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	100
PID 2492 wrote to memory of 4540	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	100
PID 2492 wrote to memory of 4540	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	100
PID 2492 wrote to memory of 4540	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	100
PID 2492 wrote to memory of 4540	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	100
PID 2492 wrote to memory of 1892	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	101
PID 2492 wrote to memory of 1892	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	101
PID 2492 wrote to memory of 1892	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	101
PID 2492 wrote to memory of 1892	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	101
PID 2492 wrote to memory of 1892	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	101
PID 2492 wrote to memory of 1892	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	101
PID 2492 wrote to memory of 1892	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	101
PID 2492 wrote to memory of 1892	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	101
PID 2492 wrote to memory of 4380	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	103
PID 2492 wrote to memory of 4380	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	103
PID 2492 wrote to memory of 4380	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	103
PID 2492 wrote to memory of 4380	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	103
PID 2492 wrote to memory of 4380	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	103
PID 2492 wrote to memory of 4380	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	103
PID 2492 wrote to memory of 4380	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	103
PID 2492 wrote to memory of 4380	2492	773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe	103

C:\Users\Admin\AppData\Local\Temp\773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe
"C:\Users\Admin\AppData\Local\Temp\773c087317d4fd8dc2f92144f6dda8929a829edcf7a7e80847d38fec09c88d93.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-10-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/2492-11-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/2492-2-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/2492-3-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download
memory/2492-4-0x0000000004E60000-0x0000000004EFC000-memory.dmp

Filesize
624KB

Download
memory/2492-5-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/2492-6-0x0000000004FB0000-0x0000000004FF4000-memory.dmp

Filesize
272KB

Download
memory/2492-7-0x0000000005360000-0x000000000536A000-memory.dmp

Filesize
40KB

Download
memory/2492-8-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/2492-12-0x00000000068F0000-0x000000000690A000-memory.dmp

Filesize
104KB

Download
memory/2492-1-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/2492-0-0x00000000002A0000-0x00000000003C6000-memory.dmp

Filesize
1.1MB

Download
memory/2492-9-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/2492-13-0x0000000006A80000-0x0000000006A86000-memory.dmp

Filesize
24KB

Download
memory/2492-16-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4380-17-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4380-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-18-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/4380-19-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/4380-20-0x0000000006870000-0x00000000068C0000-memory.dmp

Filesize
320KB

Download
memory/4380-21-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4380-22-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing