agenttesla | 4f7824c1dee1a075898e66126a9f6678c41d77507e6510ca88a597ccc8a05b55

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 10:59

Target

cloud.exe
Size

1.1MB
MD5

832eec80b76d70fc68c511965da69ccc
SHA1

9ea0a03a1efb97b3aecc456950af053d813e0afe
SHA256

4f7824c1dee1a075898e66126a9f6678c41d77507e6510ca88a597ccc8a05b55
SHA512

ed6350dc50d935aef423d27506b3e4dc15a4b26b3f5fe7fbbac0ab2c04c0ddb3552f8e04845061ef07fea9fe714d0c2c512bcc42ff561617f94be7c2b0b775cf
SSDEEP

24576:YqDEvCTbMWu7rQYlBQcBiT6rprG8aF83aszMg15alQt3d:YTvC/MTQYxsWR7aFwfMgzK

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

cloud.exe

description pid process target process

PID 2740 set thread context of 4744 2740 cloud.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

4744 RegSvcs.exe
4744 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cloud.exe

pid process

2740 cloud.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 4744 RegSvcs.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

cloud.exe

pid process

2740 cloud.exe
2740 cloud.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

cloud.exe

pid process

2740 cloud.exe
2740 cloud.exe

description	pid	process	target process
PID 2740 set thread context of 4744	2740	cloud.exe	RegSvcs.exe

pid	process
4744	RegSvcs.exe
4744	RegSvcs.exe

pid	process
2740	cloud.exe

description	pid	process
Token: SeDebugPrivilege	4744	RegSvcs.exe

pid	process
2740	cloud.exe
2740	cloud.exe

pid	process
2740	cloud.exe
2740	cloud.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cloud.exe

description	pid	process	target process
PID 2740 wrote to memory of 4744	2740	cloud.exe	RegSvcs.exe
PID 2740 wrote to memory of 4744	2740	cloud.exe	RegSvcs.exe
PID 2740 wrote to memory of 4744	2740	cloud.exe	RegSvcs.exe
PID 2740 wrote to memory of 4744	2740	cloud.exe	RegSvcs.exe

memory/2740-10-0x0000000000F40000-0x0000000000F44000-memory.dmp

Filesize
16KB

Download
memory/4744-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-12-0x0000000073860000-0x0000000074010000-memory.dmp

Filesize
7.7MB

Download
memory/4744-13-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/4744-14-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4744-15-0x00000000052F0000-0x0000000005356000-memory.dmp

Filesize
408KB

Download
memory/4744-16-0x0000000006220000-0x0000000006270000-memory.dmp

Filesize
320KB

Download
memory/4744-17-0x0000000006310000-0x00000000063A2000-memory.dmp

Filesize
584KB

Download
memory/4744-18-0x0000000006270000-0x000000000627A000-memory.dmp

Filesize
40KB

Download
memory/4744-19-0x0000000073860000-0x0000000074010000-memory.dmp

Filesize
7.7MB

Download
memory/4744-20-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download