agenttesla | 363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943

General

Target

363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe
Size

1.0MB
MD5

fbedfb3f7b3972064e89527e731dc60a
SHA1

6f6a87a2308d265418ca853e745c1fa3d7e2dbfb
SHA256

363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943
SHA512

6b06c16cc73f9f008105d12036525a51e7c779bdf52656fd319c13b0518dc345c2760a2ebf221ed6a5f61c3b201a155fa03326ec3c6c27dbf8cb191d300ddf70
SSDEEP

24576:OATWl5H0A6qxOKVU3yV2MUdLKZIif+yGtHKqL7oEkGQ6S2:hsyv0R5VFo+ZR8lKgVQ6/

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7118535710:AAHHi1K0M2ND5qzM9aJbrZmPPPlbIjWi1Gc/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe

description	pid	process	target process
PID 3148 set thread context of 2788	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvcs.exe

pid process

2788 regsvcs.exe
2788 regsvcs.exe

pid	process
2788	regsvcs.exe
2788	regsvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exeregsvcs.exe

description	pid	process
Token: SeDebugPrivilege	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe
Token: SeDebugPrivilege	2788	regsvcs.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.execsc.exe

description	pid	process	target process
PID 3148 wrote to memory of 2600	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	csc.exe
PID 3148 wrote to memory of 2600	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	csc.exe
PID 2600 wrote to memory of 3436	2600	csc.exe	cvtres.exe
PID 2600 wrote to memory of 3436	2600	csc.exe	cvtres.exe
PID 3148 wrote to memory of 2788	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe
PID 3148 wrote to memory of 2788	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe
PID 3148 wrote to memory of 2788	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe
PID 3148 wrote to memory of 2788	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe
PID 3148 wrote to memory of 2788	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe
PID 3148 wrote to memory of 2788	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe
PID 3148 wrote to memory of 2788	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe
PID 3148 wrote to memory of 2788	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe
PID 3148 wrote to memory of 3284	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe
PID 3148 wrote to memory of 3284	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe
PID 3148 wrote to memory of 3284	3148	363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe	regsvcs.exe

C:\Users\Admin\AppData\Local\Temp\363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe
"C:\Users\Admin\AppData\Local\Temp\363a0caf3081cf2e884e78477b6d29375caa9b11209c2a0713c0640ce57e0943.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\evkd1pqn\evkd1pqn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4798.tmp" "c:\Users\Admin\AppData\Local\Temp\evkd1pqn\CSC7A77A1D9F30842FD93CDC4FE05E7DAD.TMP"
3⤵
PID:3436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
2⤵
PID:3284

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4798.tmp
Filesize
1KB

MD5
ad3a9506182136c4d748f6f48258586d

SHA1
7905e27381046ce174e99ec379b45fe4332971a5

SHA256
4e545e5237eab7c607683789cc84246f38fab084557bc314d59a3bba520fb855

SHA512
3320746906d7edd8538eeb6aaab474505a25e23092a2ac1cca314e7bfb6f7e8b29be3caaca5f911acdef607694a60190058f16e4fdd1e8b5ed74f16ca004bfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\evkd1pqn\evkd1pqn.dll
Filesize
6KB

MD5
f7d1033cf584dbaa5dad581011a11bd6

SHA1
3c4993bae92ca505594d8ba2fb3fe84cfefe45ee

SHA256
9dc95cfad2a4f4ffb01b441fa52f5628d30a347a1c0833f69f61e348f67b00b6

SHA512
3b7a0c3f7afe0c3660b15acef324ce92dc5cf0ab94efe0cb4ebd8a822afc2b07a6ff2a90b8fbc87abed526a1c88fd6f8b993da05a58dc7d91adf05f5e47503a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evkd1pqn\CSC7A77A1D9F30842FD93CDC4FE05E7DAD.TMP
Filesize
652B

MD5
d66752115824b24121421800a84096b8

SHA1
65309275b0041619909c59135725a875eb3176db

SHA256
1304ff8e94450b06453145db79b62c551f18954888d61b332ded4b7de697ff9b

SHA512
9852267d98388afe1cee81a9c49f650b29ebd4751091e16b0cecd067806788741b963ba8592005cb3c2ff985d48da46865f46092736d9ce75e80ce6ff21cc4d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evkd1pqn\evkd1pqn.0.cs
Filesize
4KB

MD5
d784666bd143ad91647f8e799749e071

SHA1
706389c04825f2e12a24d00f67ea7140cdccf4ef

SHA256
3bd5920de953fb49e0aec7994f20bcd50d304acf5a3f4f3b23d7408a6cb41ac6

SHA512
c5a4c8817e19df8ad88aae8b9caa243235b23c31bf493704cddcb46e88df203b5fc5b03b535b06bade9816782828b7ba8c5fe247384c344677e570a15bcd07ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evkd1pqn\evkd1pqn.cmdline
Filesize
366B

MD5
b1ed6fcc3ff28d3983ccd1ebd2bc7deb

SHA1
4ac1a3dfab2b3f1e2bef1147d69416e3ea1199d3

SHA256
2472b260536332844023e26dfd5e7bd8eb7145950145982002d6798d40a5754f

SHA512
a12f9dcce702e6195ad7810b03f6e8aeba29d11c53710c95cbca6dbb1d59256c68523cd0feaded306d9df5a30601ffa29bb5085040dda95e251bb399e7724dc1

Download Submit
memory/2788-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-24-0x00000000061E0000-0x0000000006230000-memory.dmp

Filesize
320KB

Download
memory/2788-28-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2788-27-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/2788-26-0x0000000006260000-0x000000000626A000-memory.dmp

Filesize
40KB

Download
memory/2788-25-0x00000000062D0000-0x0000000006362000-memory.dmp

Filesize
584KB

Download
memory/2788-19-0x00000000750F0000-0x00000000758A0000-memory.dmp

Filesize
7.7MB

Download
memory/2788-20-0x00000000057B0000-0x0000000005D54000-memory.dmp

Filesize
5.6MB

Download
memory/2788-21-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/2788-22-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/3148-17-0x0000022B397F0000-0x0000022B39884000-memory.dmp

Filesize
592KB

Download
memory/3148-23-0x00007FFF27C80000-0x00007FFF28741000-memory.dmp

Filesize
10.8MB

Download
memory/3148-0-0x0000022B39360000-0x0000022B393DE000-memory.dmp

Filesize
504KB

Download
memory/3148-2-0x0000022B53A80000-0x0000022B53A90000-memory.dmp

Filesize
64KB

Download
memory/3148-1-0x00007FFF27C80000-0x00007FFF28741000-memory.dmp

Filesize
10.8MB

Download
memory/3148-15-0x0000022B397B0000-0x0000022B397B8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads