agenttesla | 1dd5a09cb94c09e726de5c72b3a0ae121b11e195f43dc49944954822206ffa18

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50ZZk7HiITiwndh.exe
Size

720KB
MD5

2bee3a88220e7fe1c07a153b134e6b27
SHA1

75ff17e5ae97389b1bed55d28355fc33ca69ea33
SHA256

3a63d678ce5318dce83c3ebabe2daad7fae4b324f6dabeb7199719a464313ad8
SHA512

68474244a01b623c333c52f014593c6c3809518d2f29e41e0d701440f54a7a502c8a623ac6f4a61ca6419763d649c81cd370154324eac36ae53a52b06760833d
SSDEEP

12288:QQPAq0mIMUCA8GfkNekupi4OdnqAhdusnNRCvfbVQvgF1Sf3NhJ/Jym/HEhY3BF/:kq6MvAf8NiU4jAhduyWvT2vgK3J/80Hl

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
emidco.com
Port:
587
Username:
[email protected]
Password:
DMmpPxx9c
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

50ZZk7HiITiwndh.exe

description pid process target process

PID 2220 set thread context of 2728 2220 50ZZk7HiITiwndh.exe MSBuild.exe

description	pid	process	target process
PID 2220 set thread context of 2728	2220	50ZZk7HiITiwndh.exe	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

50ZZk7HiITiwndh.exeMSBuild.exe

pid	process
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2220	50ZZk7HiITiwndh.exe
2728	MSBuild.exe
2728	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

50ZZk7HiITiwndh.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 2220 50ZZk7HiITiwndh.exe
Token: SeDebugPrivilege 2728 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2220	50ZZk7HiITiwndh.exe
Token: SeDebugPrivilege	2728	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

50ZZk7HiITiwndh.exe

description	pid	process	target process
PID 2220 wrote to memory of 2728	2220	50ZZk7HiITiwndh.exe	MSBuild.exe
PID 2220 wrote to memory of 2728	2220	50ZZk7HiITiwndh.exe	MSBuild.exe
PID 2220 wrote to memory of 2728	2220	50ZZk7HiITiwndh.exe	MSBuild.exe
PID 2220 wrote to memory of 2728	2220	50ZZk7HiITiwndh.exe	MSBuild.exe
PID 2220 wrote to memory of 2728	2220	50ZZk7HiITiwndh.exe	MSBuild.exe
PID 2220 wrote to memory of 2728	2220	50ZZk7HiITiwndh.exe	MSBuild.exe
PID 2220 wrote to memory of 2728	2220	50ZZk7HiITiwndh.exe	MSBuild.exe
PID 2220 wrote to memory of 2728	2220	50ZZk7HiITiwndh.exe	MSBuild.exe
PID 2220 wrote to memory of 2728	2220	50ZZk7HiITiwndh.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\50ZZk7HiITiwndh.exe
"C:\Users\Admin\AppData\Local\Temp\50ZZk7HiITiwndh.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2220-24-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-1-0x0000000000FB0000-0x000000000106A000-memory.dmp

Filesize
744KB

Download
memory/2220-2-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-3-0x0000000004DC0000-0x0000000004E7A000-memory.dmp

Filesize
744KB

Download
memory/2220-4-0x00000000002E0000-0x0000000000302000-memory.dmp

Filesize
136KB

Download
memory/2220-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2220-6-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2220-7-0x0000000005E90000-0x0000000005F12000-memory.dmp

Filesize
520KB

Download
memory/2220-8-0x000000007473E000-0x000000007473F000-memory.dmp

Filesize
4KB

Download
memory/2220-9-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-0-0x000000007473E000-0x000000007473F000-memory.dmp

Filesize
4KB

Download
memory/2728-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-18-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-25-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-26-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-27-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download