agenttesla | 92aff680ae646607e5d30fd43bfb66d8d765b7bcf7ffc0aacb65c389358fc528

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ezld5G1NAEX61dX.exe
Size

832KB
MD5

719d1025c292bfee9c1df6903bb1c3ac
SHA1

d23fe682c242dff7446d9661cb6045e742666ebc
SHA256

92aff680ae646607e5d30fd43bfb66d8d765b7bcf7ffc0aacb65c389358fc528
SHA512

1d64abb7b77ed94c8d63a0dddf00b5b00b108ee20c320a8263e83d9bc23013bfeb1e3dbb03b171e3beee03b16111fc9349de2380943d5d960a67f55b94cbb1c1
SSDEEP

24576:EeWtb3BErWwO8+LXvon7qikP22ctGhJHfAAb/F:ENZBErO8+sn1J2sG/HfAAb/F

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
emidco.com
Port:
587
Username:
[email protected]
Password:
DMmpPxx9c
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

ezld5G1NAEX61dX.exe

description pid process target process

PID 384 set thread context of 1920 384 ezld5G1NAEX61dX.exe MSBuild.exe

description	pid	process	target process
PID 384 set thread context of 1920	384	ezld5G1NAEX61dX.exe	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

ezld5G1NAEX61dX.exeMSBuild.exe

pid	process
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
384	ezld5G1NAEX61dX.exe
1920	MSBuild.exe
1920	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ezld5G1NAEX61dX.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 384 ezld5G1NAEX61dX.exe
Token: SeDebugPrivilege 1920 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	384	ezld5G1NAEX61dX.exe
Token: SeDebugPrivilege	1920	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ezld5G1NAEX61dX.exe

description	pid	process	target process
PID 384 wrote to memory of 1920	384	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 384 wrote to memory of 1920	384	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 384 wrote to memory of 1920	384	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 384 wrote to memory of 1920	384	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 384 wrote to memory of 1920	384	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 384 wrote to memory of 1920	384	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 384 wrote to memory of 1920	384	ezld5G1NAEX61dX.exe	MSBuild.exe
PID 384 wrote to memory of 1920	384	ezld5G1NAEX61dX.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\ezld5G1NAEX61dX.exe
"C:\Users\Admin\AppData\Local\Temp\ezld5G1NAEX61dX.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-10-0x0000000006740000-0x00000000067DC000-memory.dmp

Filesize
624KB

Download
memory/384-0-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/384-2-0x0000000007FB0000-0x0000000008554000-memory.dmp

Filesize
5.6MB

Download
memory/384-3-0x0000000007AC0000-0x0000000007B52000-memory.dmp

Filesize
584KB

Download
memory/384-4-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/384-5-0x0000000002F10000-0x0000000002F1A000-memory.dmp

Filesize
40KB

Download
memory/384-6-0x0000000007D60000-0x0000000007D82000-memory.dmp

Filesize
136KB

Download
memory/384-17-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/384-8-0x00000000076A0000-0x00000000076B0000-memory.dmp

Filesize
64KB

Download
memory/384-1-0x0000000000B30000-0x0000000000C06000-memory.dmp

Filesize
856KB

Download
memory/384-7-0x0000000006680000-0x000000000668C000-memory.dmp

Filesize
48KB

Download
memory/384-11-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/384-12-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/384-9-0x0000000008C60000-0x0000000008CE2000-memory.dmp

Filesize
520KB

Download
memory/1920-18-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/1920-16-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/1920-15-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/1920-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-19-0x00000000068F0000-0x0000000006940000-memory.dmp

Filesize
320KB

Download
memory/1920-20-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download