agenttesla | 653de864a7498c655f3a0c92d15be1f892651d8bcc3abad74465de5fe61356b5

Analysis

max time kernel
140s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3HFN3NatQcTex2p.exe
Size

726KB
MD5

26edbc34e50837ed377c36cf8bb41420
SHA1

6b18423aafc1d84d8e9cfb6a372970b6188cc132
SHA256

653de864a7498c655f3a0c92d15be1f892651d8bcc3abad74465de5fe61356b5
SHA512

a33f9ac6aa534f9602868bd2ca633c66aee78daaf3afd349da5a3387d05ba97b703d9c3e32d21db41574a8799596a8d01f1a86dcf654741a14f559de8da8cf7f
SSDEEP

12288:nSXxD2iNx2V7H+oS/zOO91iJJhYG9wtYdIIPBV3IE4vT1PWIOztGeeWFm+Y39:nQ18ILOO91iPyA4Y2jvT8IOztGeRFm+Y

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.atarod.org.af
Port:
587
Username:
[email protected]
Password:
A1tarod@23
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4652 set thread context of 1844	4652	3HFN3NatQcTex2p.exe	100

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
4652	3HFN3NatQcTex2p.exe
1844	MSBuild.exe
1844	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	3HFN3NatQcTex2p.exe
Token: SeDebugPrivilege	1844	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 1844	4652	3HFN3NatQcTex2p.exe	100
PID 4652 wrote to memory of 1844	4652	3HFN3NatQcTex2p.exe	100
PID 4652 wrote to memory of 1844	4652	3HFN3NatQcTex2p.exe	100
PID 4652 wrote to memory of 1844	4652	3HFN3NatQcTex2p.exe	100
PID 4652 wrote to memory of 1844	4652	3HFN3NatQcTex2p.exe	100
PID 4652 wrote to memory of 1844	4652	3HFN3NatQcTex2p.exe	100
PID 4652 wrote to memory of 1844	4652	3HFN3NatQcTex2p.exe	100
PID 4652 wrote to memory of 1844	4652	3HFN3NatQcTex2p.exe	100

C:\Users\Admin\AppData\Local\Temp\3HFN3NatQcTex2p.exe
"C:\Users\Admin\AppData\Local\Temp\3HFN3NatQcTex2p.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1844-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-23-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1844-22-0x0000000005DA0000-0x0000000005DF0000-memory.dmp

Filesize
320KB

Download
memory/1844-21-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1844-20-0x0000000004FF0000-0x0000000005056000-memory.dmp

Filesize
408KB

Download
memory/1844-18-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4652-10-0x0000000005D40000-0x0000000005D4E000-memory.dmp

Filesize
56KB

Download
memory/4652-15-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4652-8-0x00000000058E0000-0x0000000005902000-memory.dmp

Filesize
136KB

Download
memory/4652-9-0x0000000005D00000-0x0000000005D18000-memory.dmp

Filesize
96KB

Download
memory/4652-0-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/4652-11-0x0000000005D50000-0x0000000005D66000-memory.dmp

Filesize
88KB

Download
memory/4652-12-0x0000000006DA0000-0x0000000006E22000-memory.dmp

Filesize
520KB

Download
memory/4652-13-0x0000000009570000-0x000000000960C000-memory.dmp

Filesize
624KB

Download
memory/4652-14-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/4652-7-0x0000000005770000-0x0000000005782000-memory.dmp

Filesize
72KB

Download
memory/4652-6-0x0000000006320000-0x0000000006674000-memory.dmp

Filesize
3.3MB

Download
memory/4652-5-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4652-19-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4652-4-0x0000000005660000-0x000000000566A000-memory.dmp

Filesize
40KB

Download
memory/4652-3-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/4652-2-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/4652-1-0x0000000000BB0000-0x0000000000C6C000-memory.dmp

Filesize
752KB

Download