agenttesla | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 11:00

Target

Order Inquiry 37674304.exe
Size

602KB
MD5

90384630603db9e5a555e63b50542c67
SHA1

1ea91cd860d92a43b2a5ab0a4187c2a18c2ee11f
SHA256

7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db
SHA512

a29ce98d23cd58d5b8ae1c7ae7f1b16abec3c232124632535d7b03adad0889024235e17e76f8c4a06511c196fee82386762e8ff91dc6238a6ba50020f464e1c0
SSDEEP

12288:EAevfRBK5O6M2PrsOfO9rFIBpGImoozvItcHHFojhbCxprzvue30gaff/CRy:/lIJripFmoozQm6jOpHlda/l

Score

10^/10

Family

agenttesla

Credentials

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 552	2384	Order Inquiry 37674304.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
552	CasPol.exe
552	CasPol.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	CasPol.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 4896	2384	Order Inquiry 37674304.exe	81
PID 2384 wrote to memory of 4896	2384	Order Inquiry 37674304.exe	81
PID 2384 wrote to memory of 4896	2384	Order Inquiry 37674304.exe	81
PID 2384 wrote to memory of 552	2384	Order Inquiry 37674304.exe	82
PID 2384 wrote to memory of 552	2384	Order Inquiry 37674304.exe	82
PID 2384 wrote to memory of 552	2384	Order Inquiry 37674304.exe	82
PID 2384 wrote to memory of 552	2384	Order Inquiry 37674304.exe	82
PID 2384 wrote to memory of 552	2384	Order Inquiry 37674304.exe	82
PID 2384 wrote to memory of 552	2384	Order Inquiry 37674304.exe	82
PID 2384 wrote to memory of 552	2384	Order Inquiry 37674304.exe	82
PID 2384 wrote to memory of 552	2384	Order Inquiry 37674304.exe	82
PID 2384 wrote to memory of 2488	2384	Order Inquiry 37674304.exe	83
PID 2384 wrote to memory of 2488	2384	Order Inquiry 37674304.exe	83
PID 2384 wrote to memory of 2488	2384	Order Inquiry 37674304.exe	83

C:\Users\Admin\AppData\Local\Temp\Order Inquiry 37674304.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry 37674304.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:4896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:2488

memory/552-8-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/552-10-0x0000000006250000-0x00000000062A0000-memory.dmp

Filesize
320KB

Download
memory/552-15-0x0000000006690000-0x000000000669A000-memory.dmp

Filesize
40KB

Download
memory/552-14-0x00000000066C0000-0x0000000006752000-memory.dmp

Filesize
584KB

Download
memory/552-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/552-5-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/552-13-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/552-12-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/552-11-0x0000000006340000-0x00000000063DC000-memory.dmp

Filesize
624KB

Download
memory/552-7-0x0000000005360000-0x00000000053C6000-memory.dmp

Filesize
408KB

Download
memory/552-6-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/2384-0-0x00007FFB74CF3000-0x00007FFB74CF5000-memory.dmp

Filesize
8KB

Download
memory/2384-9-0x00007FFB74CF0000-0x00007FFB757B1000-memory.dmp

Filesize
10.8MB

Download
memory/2384-1-0x0000023BE99F0000-0x0000023BE99FA000-memory.dmp

Filesize
40KB

Download
memory/2384-3-0x00007FFB74CF0000-0x00007FFB757B1000-memory.dmp

Filesize
10.8MB

Download
memory/2384-2-0x0000023BEC140000-0x0000023BEC1D6000-memory.dmp

Filesize
600KB

Download