agenttesla | d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 01:03

Target

d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe
Size

636KB
MD5

b9df3bc72171550875457bca5b4f9042
SHA1

1517de29c1c62ecb854c9ae82028a439d6f737cd
SHA256

d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c
SHA512

85c89a984c3ad8d42dc9b4e66cb0495d24fd2fa7d935e2daa019f1af34ebe0ef2562be5fc06a61ed59a78913bdb5d5acbc9c3dcaf62e5b22699b60eac8a06282
SSDEEP

12288:6sRelh9xGjhzYIzn4IOpmKsLesMcNr0dniYgd4tllBEjjEMimCi3:6UyU5YIz4IQ6esMcN2nFI6VEjj5iRC

Score

10^/10

Credentials

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 api.ipify.org
26 api.ipify.org

flow	ioc
24	api.ipify.org
26	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe

description	pid	process	target process
PID 4288 set thread context of 2080	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jsc.exe

pid process

2080 jsc.exe
2080 jsc.exe

pid	process
2080	jsc.exe
2080	jsc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe
Token: SeDebugPrivilege	2080	jsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jsc.exe

pid process

2080 jsc.exe

pid	process
2080	jsc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe

description	pid	process	target process
PID 4288 wrote to memory of 2080	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe
PID 4288 wrote to memory of 2080	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe
PID 4288 wrote to memory of 2080	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe
PID 4288 wrote to memory of 2080	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe
PID 4288 wrote to memory of 2080	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe
PID 4288 wrote to memory of 2080	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe
PID 4288 wrote to memory of 2080	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe
PID 4288 wrote to memory of 2080	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe
PID 4288 wrote to memory of 1656	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe
PID 4288 wrote to memory of 1656	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe
PID 4288 wrote to memory of 1656	4288	d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe	jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
PID:1656

memory/2080-8-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/2080-10-0x0000000007060000-0x00000000070B0000-memory.dmp

Filesize
320KB

Download
memory/2080-15-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/2080-14-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/2080-13-0x0000000007230000-0x000000000723A000-memory.dmp

Filesize
40KB

Download
memory/2080-5-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/2080-12-0x0000000007290000-0x0000000007322000-memory.dmp

Filesize
584KB

Download
memory/2080-6-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/2080-4-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-11-0x0000000007150000-0x00000000071EC000-memory.dmp

Filesize
624KB

Download
memory/2080-7-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/4288-9-0x00007FFF3F6B0000-0x00007FFF40171000-memory.dmp

Filesize
10.8MB

Download
memory/4288-1-0x00007FFF3F6B0000-0x00007FFF40171000-memory.dmp

Filesize
10.8MB

Download
memory/4288-0-0x000001E2508A0000-0x000001E2508B0000-memory.dmp

Filesize
64KB

Download
memory/4288-3-0x000001E250C70000-0x000001E250D06000-memory.dmp

Filesize
600KB

Download
memory/4288-2-0x000001E26AF40000-0x000001E26AF50000-memory.dmp

Filesize
64KB

Download