agenttesla | a2b803974fcfb65e21fa1a7690eb2a4822f091a8bdf45786e2085c833871d5a0

General

Target

a6455a248e43686bfda50622f2bd82d2.exe
Size

987KB
MD5

a6455a248e43686bfda50622f2bd82d2
SHA1

de8544085d7969af9c9eda6cc418f26f9b144786
SHA256

a2b803974fcfb65e21fa1a7690eb2a4822f091a8bdf45786e2085c833871d5a0
SHA512

2820d87ffb9b1088dd61da458e4891d8247a3185099fe195e8fb5d2f8a135607eaf013b43718e347c30f0095bfe581a9e6d0b160ccba86d35dec168ea638aa2e
SSDEEP

12288:00QxgjNKY/6sBjn+lkNp6MARWch8k6SFkJkgskKA0kZPiDsRyNX5UrLB/ccOTOKw:00Qxgj8Y3n+lQkg6kZPiARysLBOTO+FG

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.oripam.xyz
Port:
587
Username:
[email protected]
Password:
1yH[0T=asUG?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

a6455a248e43686bfda50622f2bd82d2.exe

description pid process target process

PID 4188 set thread context of 4700 4188 a6455a248e43686bfda50622f2bd82d2.exe regsvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvcs.exe

pid process

4700 regsvcs.exe
4700 regsvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a6455a248e43686bfda50622f2bd82d2.exeregsvcs.exe

description pid process

Token: SeDebugPrivilege 4188 a6455a248e43686bfda50622f2bd82d2.exe
Token: SeDebugPrivilege 4700 regsvcs.exe

description	pid	process	target process
PID 4188 set thread context of 4700	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe

pid	process
4700	regsvcs.exe
4700	regsvcs.exe

description	pid	process
Token: SeDebugPrivilege	4188	a6455a248e43686bfda50622f2bd82d2.exe
Token: SeDebugPrivilege	4700	regsvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

a6455a248e43686bfda50622f2bd82d2.exe

description	pid	process	target process
PID 4188 wrote to memory of 368	4188	a6455a248e43686bfda50622f2bd82d2.exe	CasPol.exe
PID 4188 wrote to memory of 368	4188	a6455a248e43686bfda50622f2bd82d2.exe	CasPol.exe
PID 4188 wrote to memory of 368	4188	a6455a248e43686bfda50622f2bd82d2.exe	CasPol.exe
PID 4188 wrote to memory of 2756	4188	a6455a248e43686bfda50622f2bd82d2.exe	jsc.exe
PID 4188 wrote to memory of 2756	4188	a6455a248e43686bfda50622f2bd82d2.exe	jsc.exe
PID 4188 wrote to memory of 2756	4188	a6455a248e43686bfda50622f2bd82d2.exe	jsc.exe
PID 4188 wrote to memory of 3248	4188	a6455a248e43686bfda50622f2bd82d2.exe	AddInProcess32.exe
PID 4188 wrote to memory of 3248	4188	a6455a248e43686bfda50622f2bd82d2.exe	AddInProcess32.exe
PID 4188 wrote to memory of 3248	4188	a6455a248e43686bfda50622f2bd82d2.exe	AddInProcess32.exe
PID 4188 wrote to memory of 2880	4188	a6455a248e43686bfda50622f2bd82d2.exe	installutil.exe
PID 4188 wrote to memory of 2880	4188	a6455a248e43686bfda50622f2bd82d2.exe	installutil.exe
PID 4188 wrote to memory of 2880	4188	a6455a248e43686bfda50622f2bd82d2.exe	installutil.exe
PID 4188 wrote to memory of 4700	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe
PID 4188 wrote to memory of 4700	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe
PID 4188 wrote to memory of 4700	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe
PID 4188 wrote to memory of 4700	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe
PID 4188 wrote to memory of 4700	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe
PID 4188 wrote to memory of 4700	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe
PID 4188 wrote to memory of 4700	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe
PID 4188 wrote to memory of 4700	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe
PID 4188 wrote to memory of 4024	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe
PID 4188 wrote to memory of 4024	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe
PID 4188 wrote to memory of 4024	4188	a6455a248e43686bfda50622f2bd82d2.exe	regsvcs.exe

C:\Users\Admin\AppData\Local\Temp\a6455a248e43686bfda50622f2bd82d2.exe
"C:\Users\Admin\AppData\Local\Temp\a6455a248e43686bfda50622f2bd82d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:3248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
2⤵
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
2⤵
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:1096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4188-6-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

Filesize
10.8MB

Download
memory/4188-2-0x00000267EAE70000-0x00000267EAE80000-memory.dmp

Filesize
64KB

Download
memory/4188-1-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

Filesize
10.8MB

Download
memory/4188-3-0x00000267EADC0000-0x00000267EAE56000-memory.dmp

Filesize
600KB

Download
memory/4188-0-0x00000267E8990000-0x00000267E89F8000-memory.dmp

Filesize
416KB

Download
memory/4700-8-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/4700-5-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4700-7-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/4700-4-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-9-0x0000000004FE0000-0x0000000005046000-memory.dmp

Filesize
408KB

Download
memory/4700-10-0x0000000005EF0000-0x0000000005F40000-memory.dmp

Filesize
320KB

Download
memory/4700-11-0x0000000005FE0000-0x0000000006072000-memory.dmp

Filesize
584KB

Download
memory/4700-12-0x0000000005F70000-0x0000000005F7A000-memory.dmp

Filesize
40KB

Download
memory/4700-13-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4700-14-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads