agenttesla | 16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 01:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe
Size

1.2MB
MD5

8f6f05076ef8b1cde169013b13a09768
SHA1

66b2bd2abfe26cb165fc6d8ece023e7860e5321f
SHA256

16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619
SHA512

99c8bb8ac997f140ac7e927a1aad810e2cbe67bf7d004cf373b510fa0381d856b8784daa9b2443af76f312cc05dab0cdee44f772154c66557f596ec933c8727e
SSDEEP

24576:qAHnh+eWsN3skA4RV1Hom2KXMmHaB8JoeKixnkCZqH+8d/ilS95:9h+ZkldoPK8YaB8bvLMmG

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2180	2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2180	RegSvcs.exe
2180	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe
2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe
2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2180	2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe	29
PID 2140 wrote to memory of 2180	2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe	29
PID 2140 wrote to memory of 2180	2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe	29
PID 2140 wrote to memory of 2180	2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe	29
PID 2140 wrote to memory of 2180	2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe	29
PID 2140 wrote to memory of 2180	2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe	29
PID 2140 wrote to memory of 2180	2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe	29
PID 2140 wrote to memory of 2180	2140	16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe	29

C:\Users\Admin\AppData\Local\Temp\16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe
"C:\Users\Admin\AppData\Local\Temp\16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\16b14371358c1315e2903c27a1ef2401a7e2bd88916765f7d2b0da6f1e102619.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-10-0x00000000001A0000-0x00000000001A4000-memory.dmp

Filesize
16KB

Download
memory/2180-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2180-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2180-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2180-15-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/2180-16-0x0000000000530000-0x0000000000584000-memory.dmp

Filesize
336KB

Download
memory/2180-17-0x0000000001F50000-0x0000000001FA2000-memory.dmp

Filesize
328KB

Download
memory/2180-18-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-19-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-21-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-25-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-35-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-47-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-45-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-41-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-73-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-71-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-69-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-67-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-65-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-63-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-43-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-61-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-59-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-57-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-55-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-53-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-51-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-49-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-39-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-37-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-33-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-31-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-29-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-27-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-23-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-20-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-79-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-77-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-75-0x0000000001F50000-0x0000000001F9D000-memory.dmp

Filesize
308KB

Download
memory/2180-1050-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-1051-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2180-1052-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/2180-1053-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download