agenttesla | 612acf0c105acc126384fff4dfa8a3427151a4ccc0887ca6a5fe3ba140e9805f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 01:25

Target

612acf0c105acc126384fff4dfa8a3427151a4ccc0887ca6a5fe3ba140e9805f.exe
Size

149KB
MD5

bab388aee2cb692d6a36f860fe7c5ddd
SHA1

93e0abef6e3743728e1b7a734930cd371291db35
SHA256

612acf0c105acc126384fff4dfa8a3427151a4ccc0887ca6a5fe3ba140e9805f
SHA512

bcc5b9a9bb7d66bbfba75f77c8134136b0e9b8ed696a17d708708a7b6dcdf937ff0dd533665777a62e51619ac11eb0c0d3a98723f7301417c03fcb87c3c2aeea
SSDEEP

3072:ol7Jvu/ix2NW1xa28uasHblKbPTDk8+PL+KxVj109Y2vB4Z+:ol7Jvu/ix2NWeZ8bQrotzx7MDJ4

Score

10^/10

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3024	2932	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	612acf0c105acc126384fff4dfa8a3427151a4ccc0887ca6a5fe3ba140e9805f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3024	2932	612acf0c105acc126384fff4dfa8a3427151a4ccc0887ca6a5fe3ba140e9805f.exe	28
PID 2932 wrote to memory of 3024	2932	612acf0c105acc126384fff4dfa8a3427151a4ccc0887ca6a5fe3ba140e9805f.exe	28
PID 2932 wrote to memory of 3024	2932	612acf0c105acc126384fff4dfa8a3427151a4ccc0887ca6a5fe3ba140e9805f.exe	28
PID 2932 wrote to memory of 3024	2932	612acf0c105acc126384fff4dfa8a3427151a4ccc0887ca6a5fe3ba140e9805f.exe	28

C:\Users\Admin\AppData\Local\Temp\612acf0c105acc126384fff4dfa8a3427151a4ccc0887ca6a5fe3ba140e9805f.exe
"C:\Users\Admin\AppData\Local\Temp\612acf0c105acc126384fff4dfa8a3427151a4ccc0887ca6a5fe3ba140e9805f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 616
  2⤵
  - Program crash
  PID:3024

memory/2932-1-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-0-0x0000000000A60000-0x0000000000A8C000-memory.dmp

Filesize
176KB

Download
memory/2932-2-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2932-3-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-4-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download