agenttesla | c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293

Analysis

max time kernel
117s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 01:06

Target

c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe
Size

1.0MB
MD5

d641167fc5f8757cd9c69e4cb68c7aa6
SHA1

a8fc1b37136888fe10ee2823cee7ec91da5cde11
SHA256

c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293
SHA512

3913067e4d0373bc24dfec293bac2ce19545d7f22158b7b2811a444634b96514d448edac3f1f624de3f7236d76a8c0452f775f8de8fa5a1b2ae495db090a44bf
SSDEEP

24576:CAHnh+eWsN3skA4RV1Hom2KXMmHa2SBRj23IlK5:Fh+ZkldoPK8Ya2Si3

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 2500	1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	RegSvcs.exe
2500	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe
1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe
1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe
1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2500	1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe	28
PID 1716 wrote to memory of 2500	1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe	28
PID 1716 wrote to memory of 2500	1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe	28
PID 1716 wrote to memory of 2500	1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe	28
PID 1716 wrote to memory of 2500	1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe	28
PID 1716 wrote to memory of 2500	1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe	28
PID 1716 wrote to memory of 2500	1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe	28
PID 1716 wrote to memory of 2500	1716	c506b45752ef4318123b50eb8ca513f6d3cfd828b76f378627b3cc304c090293.exe	28

memory/1716-10-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/2500-11-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2500-13-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2500-17-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2500-20-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/2500-21-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/2500-22-0x00000000049E0000-0x0000000004A20000-memory.dmp

Filesize
256KB

Download
memory/2500-23-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/2500-24-0x00000000049E0000-0x0000000004A20000-memory.dmp

Filesize
256KB

Download