agenttesla | f51abe112b0563612f3bf64926f4931207985fa0a478e8ec94cf1c011ba96091

Analysis

max time kernel
126s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO#152412812.exe
Size

1.3MB
MD5

0465c4b179297c46bbc2c6b62e372278
SHA1

bd32e9fe2994062271f328d973227de0747c4b8e
SHA256

f51abe112b0563612f3bf64926f4931207985fa0a478e8ec94cf1c011ba96091
SHA512

b2796ebda53b17894359808a224ef7cae025be6ef8d4487cef87b2fa23d519e29f66647e7f4500cc016bdb6884107cc7850ed228694b90fdf3278dc040b6a3f5
SSDEEP

24576:NAHnh+eWsN3skA4RV1Hom2KXMmHaoUcnfLatYRMUBBzt35:sh+ZkldoPK8YaoUcTa5UB3

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 464 set thread context of 2860	464	PO#152412812.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2860	RegSvcs.exe
2860	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4992	PO#152412812.exe
464	PO#152412812.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4992	PO#152412812.exe
4992	PO#152412812.exe
464	PO#152412812.exe
464	PO#152412812.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4992	PO#152412812.exe
4992	PO#152412812.exe
464	PO#152412812.exe
464	PO#152412812.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4540	4992	PO#152412812.exe	88
PID 4992 wrote to memory of 4540	4992	PO#152412812.exe	88
PID 4992 wrote to memory of 4540	4992	PO#152412812.exe	88
PID 4992 wrote to memory of 464	4992	PO#152412812.exe	89
PID 4992 wrote to memory of 464	4992	PO#152412812.exe	89
PID 4992 wrote to memory of 464	4992	PO#152412812.exe	89
PID 464 wrote to memory of 2860	464	PO#152412812.exe	90
PID 464 wrote to memory of 2860	464	PO#152412812.exe	90
PID 464 wrote to memory of 2860	464	PO#152412812.exe	90
PID 464 wrote to memory of 2860	464	PO#152412812.exe	90

C:\Users\Admin\AppData\Local\Temp\PO#152412812.exe
"C:\Users\Admin\AppData\Local\Temp\PO#152412812.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\PO#152412812.exe"
  2⤵
  PID:4540
- C:\Users\Admin\AppData\Local\Temp\PO#152412812.exe
  "C:\Users\Admin\AppData\Local\Temp\PO#152412812.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\PO#152412812.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
1⤵
PID:1092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tilths

Filesize
28KB

MD5
d4497186e00472a0c50f4a7e6755d49a

SHA1
33bfedd9d8bc373bf95da7e8ac6203d4813e9c54

SHA256
6a48ad648c21572c36c00099c967f95d1b8adc5ab0b739b4ef2949ca112456d2

SHA512
8be3ae6effe6cf1adb2b10efef147fc47a816f4554c9d1fb98bbab96d5c460dd1438033d9605814a85c03ad7bbc79c800adb8294803d17bd8d861d50281c1da2

Download Submit
memory/2860-23-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2860-24-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2860-25-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2860-26-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2860-27-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2860-28-0x0000000003550000-0x00000000035A4000-memory.dmp

Filesize
336KB

Download
memory/2860-29-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-31-0x0000000003710000-0x0000000003762000-memory.dmp

Filesize
328KB

Download
memory/2860-30-0x00000000060A0000-0x0000000006644000-memory.dmp

Filesize
5.6MB

Download
memory/2860-32-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-36-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-46-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-52-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-92-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-90-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-88-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-86-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-84-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-82-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-80-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-78-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-76-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-74-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-72-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-70-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-68-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-66-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-64-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-62-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-60-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-58-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-56-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-50-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-48-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-44-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-42-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-54-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-40-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-38-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-34-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-33-0x0000000003710000-0x000000000375D000-memory.dmp

Filesize
308KB

Download
memory/2860-1063-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/2860-1064-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-1065-0x0000000006A30000-0x0000000006A80000-memory.dmp

Filesize
320KB

Download
memory/2860-1066-0x0000000006B20000-0x0000000006BB2000-memory.dmp

Filesize
584KB

Download
memory/2860-1067-0x0000000006A80000-0x0000000006A8A000-memory.dmp

Filesize
40KB

Download
memory/2860-1068-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2860-1069-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2860-1070-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4992-10-0x0000000001750000-0x0000000001754000-memory.dmp

Filesize
16KB

Download