agenttesla | 7ef5e8ef52c30fec9a47bad942c0a757eb47fd67a46fcef29a78e4892a0a0e94

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 01:08

Target

STATEMENT OF ACCOUNT.exe
Size

1.1MB
MD5

0640fe8e51432d90ec56ed8524b40970
SHA1

d042a7a0a6a85a0fc7dd270d452731c362a234a5
SHA256

7ef5e8ef52c30fec9a47bad942c0a757eb47fd67a46fcef29a78e4892a0a0e94
SHA512

f4d6e8589360f8938aa8f5223e40ff8eaa308afc4b68d7bc2aa9e0ead04b7bb8e582b6dbf5203095290d19b626948d42a957be20f6902e84de812f2932b5922f
SSDEEP

24576:XqDEvCTbMWu7rQYlBQcBiT6rprG8aHQednaE:XTvC/MTQYxsWR7aHQmn

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3020 set thread context of 2172	3020	STATEMENT OF ACCOUNT.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3064	3020	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2172	RegSvcs.exe
2172	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3020	STATEMENT OF ACCOUNT.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2172	RegSvcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2172	3020	STATEMENT OF ACCOUNT.exe	28
PID 3020 wrote to memory of 2172	3020	STATEMENT OF ACCOUNT.exe	28
PID 3020 wrote to memory of 2172	3020	STATEMENT OF ACCOUNT.exe	28
PID 3020 wrote to memory of 2172	3020	STATEMENT OF ACCOUNT.exe	28
PID 3020 wrote to memory of 2172	3020	STATEMENT OF ACCOUNT.exe	28
PID 3020 wrote to memory of 2172	3020	STATEMENT OF ACCOUNT.exe	28
PID 3020 wrote to memory of 2172	3020	STATEMENT OF ACCOUNT.exe	28
PID 3020 wrote to memory of 2172	3020	STATEMENT OF ACCOUNT.exe	28
PID 3020 wrote to memory of 3064	3020	STATEMENT OF ACCOUNT.exe	29
PID 3020 wrote to memory of 3064	3020	STATEMENT OF ACCOUNT.exe	29
PID 3020 wrote to memory of 3064	3020	STATEMENT OF ACCOUNT.exe	29
PID 3020 wrote to memory of 3064	3020	STATEMENT OF ACCOUNT.exe	29

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 300
  2⤵
  - Program crash
  PID:3064

memory/2172-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-16-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2172-17-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-18-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2172-19-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-10-0x0000000000110000-0x0000000000114000-memory.dmp

Filesize
16KB

Download