agenttesla | 9da3f3e0eb77d090aae39e7df9c2e5a0243d0f4cd26c7a7ed0831bafde6e9fe6

General

Target

PO 5002407962.exe
Size

1.2MB
MD5

aec18c694fce000f07ae7dc56653bff0
SHA1

840635306bec9a2ec62d9c12fd19eece134878cf
SHA256

82e145d3a3699341fd1baab548a2327fa87e642e7734b8b12121f24e072ec9d9
SHA512

cbb1849e23bb055ef059ad1b5c32823edc2fc52151a9d55a0c1f84a381687b8717175f00e39fbbdbf3b1fc4cd8341b56f492fc218202f8e9e9a7f4211d014ef7
SSDEEP

12288:eARmQ3lR3IYGg0RAbueIKU41eksRz+goaoxmQa3/tYCSbD/PxN:3Z5GTRAqVUeksRzjojG3SCUD/

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
,%EVY$JU0=lu

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
,%EVY$JU0=lu

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 2612	2740	PO 5002407962.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2612	AddInProcess32.exe
2612	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	AddInProcess32.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 3020	2740	PO 5002407962.exe	28
PID 2740 wrote to memory of 3020	2740	PO 5002407962.exe	28
PID 2740 wrote to memory of 3020	2740	PO 5002407962.exe	28
PID 2740 wrote to memory of 3020	2740	PO 5002407962.exe	28
PID 2740 wrote to memory of 3020	2740	PO 5002407962.exe	28
PID 2740 wrote to memory of 3020	2740	PO 5002407962.exe	28
PID 2740 wrote to memory of 3020	2740	PO 5002407962.exe	28
PID 2740 wrote to memory of 3020	2740	PO 5002407962.exe	28
PID 2740 wrote to memory of 2604	2740	PO 5002407962.exe	29
PID 2740 wrote to memory of 2604	2740	PO 5002407962.exe	29
PID 2740 wrote to memory of 2604	2740	PO 5002407962.exe	29
PID 2740 wrote to memory of 2604	2740	PO 5002407962.exe	29
PID 2740 wrote to memory of 2612	2740	PO 5002407962.exe	30
PID 2740 wrote to memory of 2612	2740	PO 5002407962.exe	30
PID 2740 wrote to memory of 2612	2740	PO 5002407962.exe	30
PID 2740 wrote to memory of 2612	2740	PO 5002407962.exe	30
PID 2740 wrote to memory of 2612	2740	PO 5002407962.exe	30
PID 2740 wrote to memory of 2612	2740	PO 5002407962.exe	30
PID 2740 wrote to memory of 2612	2740	PO 5002407962.exe	30
PID 2740 wrote to memory of 2612	2740	PO 5002407962.exe	30
PID 2740 wrote to memory of 2612	2740	PO 5002407962.exe	30
PID 2740 wrote to memory of 2692	2740	PO 5002407962.exe	31
PID 2740 wrote to memory of 2692	2740	PO 5002407962.exe	31
PID 2740 wrote to memory of 2692	2740	PO 5002407962.exe	31
PID 2740 wrote to memory of 2692	2740	PO 5002407962.exe	31

C:\Users\Admin\AppData\Local\Temp\PO 5002407962.exe
"C:\Users\Admin\AppData\Local\Temp\PO 5002407962.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:2604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:2692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2612-22-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2612-27-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/2612-30-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-29-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/2612-28-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-25-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2612-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2740-1-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/2740-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

Filesize
4KB

Download
memory/2740-26-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2740-3-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2740-2-0x0000000001F80000-0x000000000201A000-memory.dmp

Filesize
616KB

Download
memory/3020-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3020-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3020-10-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3020-4-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads