agenttesla | ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9

General

Target

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
Size

1.2MB
MD5

551e9650c3683f499ba8bc3abed3c41e
SHA1

9a85cb80e49d1949391af936e8a131b5b7e94b3c
SHA256

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9
SHA512

339f828c932a6f2997da9b737704cec8728da47cd279ac0d24d515f636940a6506e64294eecd4948543a76a7f14db64f95cabd89def51292e23dc6d78ecc7d61
SSDEEP

24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8apZjEqTW7nJVyEh9Nu:tTvC/MTQYxsWR7apZjXKnh

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

description	pid	process	target process
PID 2488 set thread context of 2660	2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2660 RegSvcs.exe
2660 RegSvcs.exe

pid	process
2660	RegSvcs.exe
2660	RegSvcs.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

pid	process
1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2660 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2660	RegSvcs.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

pid	process
1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

pid	process
1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exeef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

description	pid	process	target process
PID 1304 wrote to memory of 2092	1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 1304 wrote to memory of 2092	1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 1304 wrote to memory of 2092	1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 1304 wrote to memory of 2092	1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 1304 wrote to memory of 2092	1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 1304 wrote to memory of 2092	1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 1304 wrote to memory of 2092	1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 1304 wrote to memory of 2924	1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 1304 wrote to memory of 2924	1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 1304 wrote to memory of 2924	1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 1304 wrote to memory of 2924	1304	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 2924 wrote to memory of 1696	2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2924 wrote to memory of 1696	2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2924 wrote to memory of 1696	2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2924 wrote to memory of 1696	2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2924 wrote to memory of 1696	2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2924 wrote to memory of 1696	2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2924 wrote to memory of 1696	2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2924 wrote to memory of 2636	2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 2924 wrote to memory of 2636	2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 2924 wrote to memory of 2636	2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 2924 wrote to memory of 2636	2924	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 2636 wrote to memory of 2612	2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2636 wrote to memory of 2612	2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2636 wrote to memory of 2612	2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2636 wrote to memory of 2612	2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2636 wrote to memory of 2612	2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2636 wrote to memory of 2612	2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2636 wrote to memory of 2612	2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2636 wrote to memory of 2488	2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 2636 wrote to memory of 2488	2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 2636 wrote to memory of 2488	2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 2636 wrote to memory of 2488	2636	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
PID 2488 wrote to memory of 2660	2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2488 wrote to memory of 2660	2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2488 wrote to memory of 2660	2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2488 wrote to memory of 2660	2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2488 wrote to memory of 2660	2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2488 wrote to memory of 2660	2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2488 wrote to memory of 2660	2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 2488 wrote to memory of 2660	2488	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
"C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe"
2⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
"C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe"
3⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
"C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe"
4⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
"C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut16CC.tmp
Filesize
9KB

MD5
06e107ffc62a054b40d6768b558e2297

SHA1
bd01b8dedc778e5f57582fe8293abd38d00d3797

SHA256
570f1ff030098e2503a5f2ba54c01b90a20f310e2b56f3e3b0c57d350939815a

SHA512
3a224fed2f474af3d8fc189f4d333f33cda7019f6833340ed4e50f8fe892813cf834c692cb9460e8a482aa2ab156c59cc7eb7303fe17510fe53512aa39979238

Download Submit
C:\Users\Admin\AppData\Local\Temp\avenses
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\avenses
Filesize
29KB

MD5
0d6a6765034376c1f5a6e43d12e7c166

SHA1
f0ad49fc4789d1eb3d984fb8175a548258e14843

SHA256
fbf21aac8074dede113943cc523806aba2674688b5553605df3ecb0172cda716

SHA512
6eebfc7cc3521cef514177832a3004e57af29b86962a76247b4f5528b60cafbabdc7785b6ca99fc1b5625d9f41a4c33a2c426811b703c3aa8f079ab948c048f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\proximobuccal
Filesize
263KB

MD5
657c19937963aae16ba4b9f1686a5302

SHA1
229c669b6a79513687603616fe300ccb951e92d9

SHA256
6e809d17ea1e214ea1d6c820db4ab333a97f6374adfe02c55b6a7b37f0bb5aa9

SHA512
9935f8cc3651eac3238248cbca4ab92e3364aba122651b206d044be35b0200c3d5bcb9bdb6d8a3e6e4da38f631cb7cc695318f90727dbe4ad45f999bb316eb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\proximobuccal
Filesize
263KB

MD5
aa537bd47dcb9aa4129951878b7ad457

SHA1
f55c881e98ee0d051826d0607a8823c198c1c875

SHA256
8195e61ee8e54912d7606a89867b9dde3206831ec4f4d152e306cc91741c2013

SHA512
d9e06237fa7763a34977e7b324d97fc70e4292d23d2aa9e534241f538d13bea4208ffb51cb5d2d3a4bd9a1422cf5f96aed485022933a946434f47cd2f1e54aae

Download Submit
memory/1304-11-0x00000000001A0000-0x00000000001A4000-memory.dmp

Filesize
16KB

Download
memory/2660-102-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-96-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-53-0x00000000003B0000-0x0000000000406000-memory.dmp

Filesize
344KB

Download
memory/2660-54-0x0000000002000000-0x0000000002054000-memory.dmp

Filesize
336KB

Download
memory/2660-58-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-56-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-55-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-114-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-116-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-112-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-110-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-108-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-106-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-104-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-51-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2660-100-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-98-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-52-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2660-94-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-90-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-88-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-86-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-84-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-82-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-80-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-78-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-76-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-74-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-72-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-68-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-66-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-64-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-92-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-70-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-62-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download
memory/2660-60-0x0000000002000000-0x000000000204E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads