agenttesla | 1429363a609282393015df73bb88aea33d19637a0abb82982d1050e56e1b4481

Analysis

max time kernel
138s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 12:58

Target

INV0029382.exe
Size

997KB
MD5

c72150696ac13ac1a2dc8b492c0d5ca3
SHA1

ff72cd015ebfe11c15f331122103fb78c5ad118c
SHA256

1429363a609282393015df73bb88aea33d19637a0abb82982d1050e56e1b4481
SHA512

505dd2c31c2f4e08330239d1a7c4357df8fd1c8aa66a50b5a4e91162b7c800caefb56eef69aa6c66955382a91fcb2997f269eaf280826e647a9491a2f9741c1f
SSDEEP

24576:gsP3GbkmtYXd/f9j91ir4hpKyO7YL3qiA8b2ab6WzXQ9DwYE:gf2Xrj9Qru/kaqFabBQ9sb

Score

10^/10

Family

agenttesla

https://api.telegram.org/bot7017233680:AAEfWTUjfiK5hxLLRkmgitv57SQZuFap4nQ/

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

INV0029382.exe

description pid process target process

PID 3152 set thread context of 4080 3152 INV0029382.exe regsvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvcs.exe

pid process

4080 regsvcs.exe
4080 regsvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regsvcs.exe

description pid process

Token: SeDebugPrivilege 4080 regsvcs.exe

description	pid	process	target process
PID 3152 set thread context of 4080	3152	INV0029382.exe	regsvcs.exe

pid	process
4080	regsvcs.exe
4080	regsvcs.exe

description	pid	process
Token: SeDebugPrivilege	4080	regsvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

INV0029382.exe

description	pid	process	target process
PID 3152 wrote to memory of 4080	3152	INV0029382.exe	regsvcs.exe
PID 3152 wrote to memory of 4080	3152	INV0029382.exe	regsvcs.exe
PID 3152 wrote to memory of 4080	3152	INV0029382.exe	regsvcs.exe
PID 3152 wrote to memory of 4080	3152	INV0029382.exe	regsvcs.exe
PID 3152 wrote to memory of 4080	3152	INV0029382.exe	regsvcs.exe
PID 3152 wrote to memory of 4080	3152	INV0029382.exe	regsvcs.exe
PID 3152 wrote to memory of 4080	3152	INV0029382.exe	regsvcs.exe
PID 3152 wrote to memory of 4080	3152	INV0029382.exe	regsvcs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:3288

memory/3152-6-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/3152-1-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp

Filesize
10.8MB

Download
memory/3152-2-0x000001295C010000-0x000001295C020000-memory.dmp

Filesize
64KB

Download
memory/3152-3-0x0000012974750000-0x00000129747E6000-memory.dmp

Filesize
600KB

Download
memory/3152-0-0x000001295A2F0000-0x000001295A35C000-memory.dmp

Filesize
432KB

Download
memory/4080-8-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/4080-5-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/4080-7-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/4080-4-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4080-9-0x0000000005240000-0x00000000052A6000-memory.dmp

Filesize
408KB

Download
memory/4080-10-0x0000000005F90000-0x0000000005FE0000-memory.dmp

Filesize
320KB

Download
memory/4080-11-0x0000000006080000-0x0000000006112000-memory.dmp

Filesize
584KB

Download
memory/4080-12-0x0000000006010000-0x000000000601A000-memory.dmp

Filesize
40KB

Download
memory/4080-13-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/4080-14-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download