agenttesla | c0fcec4c3fd4a2655dcc7393fbc9fbdb99f781392fb86ff7ee24541db4bcbb67

Analysis

max time kernel
142s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 01:56

Target

New Order.exe
Size

1015KB
MD5

2e8fb6768bcfd81ea4c43700ea9089b7
SHA1

e093846a0e33b3c2ecc7a0da79c0c7d542547193
SHA256

b39896b2b0106b93025d19dbb891f17f9931548406e3702a431991c4beb8b53f
SHA512

c50ddfb34b14b7d97b3c6819aa5a67db02aaec197dd8f3a14257107cb1774a73017cfb5d240c83336496b58556bb7fa6a9cb0049a1d8877d25d499cf534e4bd9
SSDEEP

24576:tAHnh+eWsN3skA4RV1Hom2KXMmHaJ4EEsPZR5:Mh+ZkldoPK8YaJOsPp

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.ipify.org
26 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

New Order.exe

description pid process target process

PID 2684 set thread context of 2796 2684 New Order.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2796 RegSvcs.exe
2796 RegSvcs.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

New Order.exe

pid process

2684 New Order.exe
2684 New Order.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2796 RegSvcs.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

New Order.exe

pid process

2684 New Order.exe
2684 New Order.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

New Order.exe

pid process

2684 New Order.exe
2684 New Order.exe

flow	ioc
25	api.ipify.org
26	api.ipify.org

description	pid	process	target process
PID 2684 set thread context of 2796	2684	New Order.exe	RegSvcs.exe

pid	process
2796	RegSvcs.exe
2796	RegSvcs.exe

pid	process
2684	New Order.exe
2684	New Order.exe

description	pid	process
Token: SeDebugPrivilege	2796	RegSvcs.exe

pid	process
2684	New Order.exe
2684	New Order.exe

pid	process
2684	New Order.exe
2684	New Order.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

New Order.exe

description	pid	process	target process
PID 2684 wrote to memory of 2796	2684	New Order.exe	RegSvcs.exe
PID 2684 wrote to memory of 2796	2684	New Order.exe	RegSvcs.exe
PID 2684 wrote to memory of 2796	2684	New Order.exe	RegSvcs.exe
PID 2684 wrote to memory of 2796	2684	New Order.exe	RegSvcs.exe

memory/2684-10-0x00000000044B0000-0x00000000044B4000-memory.dmp

Filesize
16KB

Download
memory/2796-11-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download
memory/2796-12-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/2796-13-0x0000000005290000-0x0000000005834000-memory.dmp

Filesize
5.6MB

Download
memory/2796-14-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2796-15-0x0000000004EC0000-0x0000000004F26000-memory.dmp

Filesize
408KB

Download
memory/2796-16-0x0000000006300000-0x0000000006350000-memory.dmp

Filesize
320KB

Download
memory/2796-17-0x00000000063F0000-0x0000000006482000-memory.dmp

Filesize
584KB

Download
memory/2796-18-0x0000000006370000-0x000000000637A000-memory.dmp

Filesize
40KB

Download
memory/2796-19-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/2796-20-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download