agenttesla | 92aff680ae646607e5d30fd43bfb66d8d765b7bcf7ffc0aacb65c389358fc528

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ezld5G1NAEX61dX.exe
Size

832KB
MD5

719d1025c292bfee9c1df6903bb1c3ac
SHA1

d23fe682c242dff7446d9661cb6045e742666ebc
SHA256

92aff680ae646607e5d30fd43bfb66d8d765b7bcf7ffc0aacb65c389358fc528
SHA512

1d64abb7b77ed94c8d63a0dddf00b5b00b108ee20c320a8263e83d9bc23013bfeb1e3dbb03b171e3beee03b16111fc9349de2380943d5d960a67f55b94cbb1c1
SSDEEP

24576:EeWtb3BErWwO8+LXvon7qikP22ctGhJHfAAb/F:ENZBErO8+sn1J2sG/HfAAb/F

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
emidco.com
Port:
587
Username:
[email protected]
Password:
DMmpPxx9c
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

ezld5G1NAEX61dX.exe

description pid process target process

PID 1888 set thread context of 2528 1888 ezld5G1NAEX61dX.exe MSBuild.exe

description	pid	process	target process
PID 1888 set thread context of 2528	1888	ezld5G1NAEX61dX.exe	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

ezld5G1NAEX61dX.exeMSBuild.exe

pid	process
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
1888	ezld5G1NAEX61dX.exe
2528	MSBuild.exe
2528	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ezld5G1NAEX61dX.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 1888 ezld5G1NAEX61dX.exe
Token: SeDebugPrivilege 2528 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1888	ezld5G1NAEX61dX.exe
Token: SeDebugPrivilege	2528	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ezld5G1NAEX61dX.exe

description	pid	process	target process
PID 1888 wrote to memory of 2528	1888	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 1888 wrote to memory of 2528	1888	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 1888 wrote to memory of 2528	1888	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 1888 wrote to memory of 2528	1888	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 1888 wrote to memory of 2528	1888	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 1888 wrote to memory of 2528	1888	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 1888 wrote to memory of 2528	1888	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 1888 wrote to memory of 2528	1888	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 1888 wrote to memory of 2528	1888	ezld5G1NAEX61dX.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\ezld5G1NAEX61dX.exe
"C:\Users\Admin\AppData\Local\Temp\ezld5G1NAEX61dX.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-0-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/1888-1-0x0000000000C00000-0x0000000000CD6000-memory.dmp

Filesize
856KB

Download
memory/1888-2-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-3-0x0000000000250000-0x0000000000272000-memory.dmp

Filesize
136KB

Download
memory/1888-4-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/1888-5-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/1888-6-0x0000000004B30000-0x0000000004BB2000-memory.dmp

Filesize
520KB

Download
memory/1888-7-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/1888-8-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-22-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2528-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-15-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2528-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-21-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2528-23-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2528-24-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download