agenttesla | 87a21393ccd3a833e6b7481eaf2dd7f3889cafa097bfbf4e2c96160fbf12b265

Analysis

max time kernel
133s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jrP1O57Izu07l0t.exe
Size

719KB
MD5

faab59c6da6c4e9a5d74ffd849f1ed91
SHA1

065293adb90f03c758908ba3e9bf6b3f72d02f5f
SHA256

87a21393ccd3a833e6b7481eaf2dd7f3889cafa097bfbf4e2c96160fbf12b265
SHA512

4e3a4d7df919b0aa86401f26c468623be22986f3668dd6a8501ac2a848246ff7d6e1c3e87034d734f1cb6f7e6ac94d2741f7d4bd8601e88e20889253c1f59c92
SSDEEP

12288:PdbZtdc5E2HyniuyPYVyOEbuCJ4vUzYeCDVoh+WboBQkx9qqoz8z9kByB:lFtdEYobxdj7B42y

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.atlantegypt.com
Port:
587
Username:
[email protected]
Password:
OL11121314ol
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

jrP1O57Izu07l0t.exe

description pid process target process

PID 3632 set thread context of 4280 3632 jrP1O57Izu07l0t.exe MSBuild.exe

description	pid	process	target process
PID 3632 set thread context of 4280	3632	jrP1O57Izu07l0t.exe	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

jrP1O57Izu07l0t.exeMSBuild.exe

pid	process
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
3632	jrP1O57Izu07l0t.exe
4280	MSBuild.exe
4280	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jrP1O57Izu07l0t.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 3632 jrP1O57Izu07l0t.exe
Token: SeDebugPrivilege 4280 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	3632	jrP1O57Izu07l0t.exe
Token: SeDebugPrivilege	4280	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

jrP1O57Izu07l0t.exe

description	pid	process	target process
PID 3632 wrote to memory of 452	3632	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 3632 wrote to memory of 452	3632	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 3632 wrote to memory of 452	3632	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 3632 wrote to memory of 4280	3632	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 3632 wrote to memory of 4280	3632	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 3632 wrote to memory of 4280	3632	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 3632 wrote to memory of 4280	3632	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 3632 wrote to memory of 4280	3632	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 3632 wrote to memory of 4280	3632	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 3632 wrote to memory of 4280	3632	jrP1O57Izu07l0t.exe	MSBuild.exe
PID 3632 wrote to memory of 4280	3632	jrP1O57Izu07l0t.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\jrP1O57Izu07l0t.exe
"C:\Users\Admin\AppData\Local\Temp\jrP1O57Izu07l0t.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3632-10-0x0000000006490000-0x0000000006512000-memory.dmp

Filesize
520KB

Download
memory/3632-4-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/3632-0-0x00000000746BE000-0x00000000746BF000-memory.dmp

Filesize
4KB

Download
memory/3632-12-0x00000000746BE000-0x00000000746BF000-memory.dmp

Filesize
4KB

Download
memory/3632-11-0x00000000107B0000-0x000000001084C000-memory.dmp

Filesize
624KB

Download
memory/3632-5-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/3632-6-0x0000000007910000-0x00000000079CA000-memory.dmp

Filesize
744KB

Download
memory/3632-7-0x00000000053B0000-0x00000000053D2000-memory.dmp

Filesize
136KB

Download
memory/3632-8-0x00000000057E0000-0x00000000057EC000-memory.dmp

Filesize
48KB

Download
memory/3632-9-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/3632-2-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/3632-1-0x0000000000540000-0x00000000005FA000-memory.dmp

Filesize
744KB

Download
memory/3632-3-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/3632-13-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/3632-17-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/4280-16-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/4280-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-18-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/4280-19-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/4280-20-0x00000000065D0000-0x0000000006620000-memory.dmp

Filesize
320KB

Download
memory/4280-21-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download