agenttesla | 3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806

Analysis

max time kernel
133s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 06:29

Target

3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe
Size

1004KB
MD5

075d24eaa7b4efd472681fee7311f029
SHA1

637620bde6421b9fffbd56d0314b030241bd0d81
SHA256

3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806
SHA512

700c8a45373cdee64b91e99ed8ab85ecbf107b8e858d3bb82919990b349868dda96eeafe8d973c6506611cba268c07e2a21e846464e2b6b7adb1790b63d13cb2
SSDEEP

24576:/AHnh+eWsN3skA4RV1Hom2KXMmHaV/c9kYr/5:ih+ZkldoPK8YaV/JYd

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	api.ipify.org
18	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 4720	4604	3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	4604	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4720	RegSvcs.exe
4720	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4604	3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe
4604	3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4604	3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe
4604	3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4604	3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe
4604	3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4720	4604	3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe	85
PID 4604 wrote to memory of 4720	4604	3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe	85
PID 4604 wrote to memory of 4720	4604	3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe	85
PID 4604 wrote to memory of 4720	4604	3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe	85

C:\Users\Admin\AppData\Local\Temp\3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe
"C:\Users\Admin\AppData\Local\Temp\3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\3d983115cbb929fdcdcb923b05feec1c6844a9ee7702e3c1f6686c8a6d140806.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 696
  2⤵
  - Program crash
  PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4604 -ip 4604
1⤵
PID:552

memory/4604-10-0x0000000002530000-0x0000000002534000-memory.dmp

Filesize
16KB

Download
memory/4720-11-0x0000000000700000-0x0000000000740000-memory.dmp

Filesize
256KB

Download
memory/4720-12-0x00000000738CE000-0x00000000738CF000-memory.dmp

Filesize
4KB

Download
memory/4720-13-0x0000000005200000-0x00000000057A4000-memory.dmp

Filesize
5.6MB

Download
memory/4720-15-0x0000000004BD0000-0x0000000004C36000-memory.dmp

Filesize
408KB

Download
memory/4720-14-0x00000000738C0000-0x0000000074070000-memory.dmp

Filesize
7.7MB

Download
memory/4720-16-0x0000000006150000-0x00000000061A0000-memory.dmp

Filesize
320KB

Download
memory/4720-17-0x0000000006240000-0x00000000062D2000-memory.dmp

Filesize
584KB

Download
memory/4720-18-0x00000000061D0000-0x00000000061DA000-memory.dmp

Filesize
40KB

Download
memory/4720-19-0x00000000738CE000-0x00000000738CF000-memory.dmp

Filesize
4KB

Download
memory/4720-20-0x00000000738C0000-0x0000000074070000-memory.dmp

Filesize
7.7MB

Download