agenttesla | ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9

General

Target

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
Size

1.2MB
MD5

551e9650c3683f499ba8bc3abed3c41e
SHA1

9a85cb80e49d1949391af936e8a131b5b7e94b3c
SHA256

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9
SHA512

339f828c932a6f2997da9b737704cec8728da47cd279ac0d24d515f636940a6506e64294eecd4948543a76a7f14db64f95cabd89def51292e23dc6d78ecc7d61
SSDEEP

24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8apZjEqTW7nJVyEh9Nu:tTvC/MTQYxsWR7apZjXKnh

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com

flow	ioc
19	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

description	pid	process	target process
PID 3880 set thread context of 5064	3880	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

5064 RegSvcs.exe
5064 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

pid process

3880 ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 5064 RegSvcs.exe

pid	process
5064	RegSvcs.exe
5064	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	5064	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

pid	process
3880	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
3880	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

pid	process
3880	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
3880	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe

description	pid	process	target process
PID 3880 wrote to memory of 5064	3880	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 3880 wrote to memory of 5064	3880	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 3880 wrote to memory of 5064	3880	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe
PID 3880 wrote to memory of 5064	3880	ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe
"C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\ef21971cc13a1478cf396c7290ca859e4a77178d63c914093456515befa16bb9.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut4546.tmp
Filesize
263KB

MD5
aa537bd47dcb9aa4129951878b7ad457

SHA1
f55c881e98ee0d051826d0607a8823c198c1c875

SHA256
8195e61ee8e54912d7606a89867b9dde3206831ec4f4d152e306cc91741c2013

SHA512
d9e06237fa7763a34977e7b324d97fc70e4292d23d2aa9e534241f538d13bea4208ffb51cb5d2d3a4bd9a1422cf5f96aed485022933a946434f47cd2f1e54aae

Download Submit
memory/3880-12-0x0000000003F40000-0x0000000003F44000-memory.dmp

Filesize
16KB

Download
memory/5064-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5064-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5064-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5064-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5064-17-0x000000007430E000-0x000000007430F000-memory.dmp

Filesize
4KB

Download
memory/5064-18-0x0000000002B60000-0x0000000002BB6000-memory.dmp

Filesize
344KB

Download
memory/5064-20-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/5064-19-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download
memory/5064-21-0x00000000051B0000-0x0000000005204000-memory.dmp

Filesize
336KB

Download
memory/5064-37-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-39-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-35-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-33-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-31-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-29-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-27-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-25-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-23-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-22-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-73-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-57-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-81-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-260-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download
memory/5064-79-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-77-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-75-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-71-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-69-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-68-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-65-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-63-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-61-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-59-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-55-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-53-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-51-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-49-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-47-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-45-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-43-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-41-0x00000000051B0000-0x00000000051FE000-memory.dmp

Filesize
312KB

Download
memory/5064-1067-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/5064-1068-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download
memory/5064-1069-0x00000000065A0000-0x00000000065F0000-memory.dmp

Filesize
320KB

Download
memory/5064-1070-0x0000000006690000-0x0000000006722000-memory.dmp

Filesize
584KB

Download
memory/5064-1071-0x0000000006620000-0x000000000662A000-memory.dmp

Filesize
40KB

Download
memory/5064-1072-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5064-1073-0x000000007430E000-0x000000007430F000-memory.dmp

Filesize
4KB

Download
memory/5064-1074-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads