agenttesla | 87a21393ccd3a833e6b7481eaf2dd7f3889cafa097bfbf4e2c96160fbf12b265

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jrP1O57Izu07l0t.exe
Size

719KB
MD5

faab59c6da6c4e9a5d74ffd849f1ed91
SHA1

065293adb90f03c758908ba3e9bf6b3f72d02f5f
SHA256

87a21393ccd3a833e6b7481eaf2dd7f3889cafa097bfbf4e2c96160fbf12b265
SHA512

4e3a4d7df919b0aa86401f26c468623be22986f3668dd6a8501ac2a848246ff7d6e1c3e87034d734f1cb6f7e6ac94d2741f7d4bd8601e88e20889253c1f59c92
SSDEEP

12288:PdbZtdc5E2HyniuyPYVyOEbuCJ4vUzYeCDVoh+WboBQkx9qqoz8z9kByB:lFtdEYobxdj7B42y

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.atlantegypt.com
Port:
587
Username:
[email protected]
Password:
OL11121314ol
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

jrP1O57Izu07l0t.exe

description pid process target process

PID 2400 set thread context of 2732 2400 jrP1O57Izu07l0t.exe MSBuild.exe

description	pid	process	target process
PID 2400 set thread context of 2732	2400	jrP1O57Izu07l0t.exe	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

jrP1O57Izu07l0t.exeMSBuild.exe

pid	process
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2400	jrP1O57Izu07l0t.exe
2732	MSBuild.exe
2732	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jrP1O57Izu07l0t.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 2400 jrP1O57Izu07l0t.exe
Token: SeDebugPrivilege 2732 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2400	jrP1O57Izu07l0t.exe
Token: SeDebugPrivilege	2732	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

jrP1O57Izu07l0t.exe

description	pid	process	target process
PID 2400 wrote to memory of 2732	2400	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 2400 wrote to memory of 2732	2400	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 2400 wrote to memory of 2732	2400	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 2400 wrote to memory of 2732	2400	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 2400 wrote to memory of 2732	2400	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 2400 wrote to memory of 2732	2400	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 2400 wrote to memory of 2732	2400	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 2400 wrote to memory of 2732	2400	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 2400 wrote to memory of 2732	2400	jrP1O57Izu07l0t.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\jrP1O57Izu07l0t.exe
"C:\Users\Admin\AppData\Local\Temp\jrP1O57Izu07l0t.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2400-20-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2400-1-0x0000000000D90000-0x0000000000E4A000-memory.dmp

Filesize
744KB

Download
memory/2400-2-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2400-3-0x0000000005A80000-0x0000000005B3A000-memory.dmp

Filesize
744KB

Download
memory/2400-4-0x0000000000AA0000-0x0000000000AC2000-memory.dmp

Filesize
136KB

Download
memory/2400-5-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2400-6-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2400-7-0x0000000006030000-0x00000000060B2000-memory.dmp

Filesize
520KB

Download
memory/2400-8-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

Filesize
4KB

Download
memory/2400-9-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2400-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

Filesize
4KB

Download
memory/2732-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-14-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-21-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-22-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-23-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download