agenttesla | 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
Size

1.4MB
MD5

e1588f75f06d249baf1761e572233d12
SHA1

7b8c3cf2000affbfdeb15807e4bb1048debf1e16
SHA256

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701
SHA512

0ebd6a10ea0979088e4fabbda01fec2c29bbec07d8c519eb2ed4ef600c53e6639eda45be76a6f849d57b2fc7c993023ffc9b32343bd58187d3e536a58bbd1cdb
SSDEEP

24576:cAHnh+eWsN3skA4RV1Hom2KXMmHajyYady5ebPIxn5or5:7h+ZkldoPK8YajdadhGw

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

description pid process target process

PID 2808 set thread context of 1880 2808 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1076 2808 WerFault.exe 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

1880 RegSvcs.exe
1880 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

pid process

2808 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1880 RegSvcs.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

pid process

2808 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
2808 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

pid process

2808 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
2808 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

description	pid	process	target process
PID 2808 set thread context of 1880	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe

pid	pid_target	process	target process
1076	2808	WerFault.exe	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

pid	process
1880	RegSvcs.exe
1880	RegSvcs.exe

pid	process
2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

description	pid	process
Token: SeDebugPrivilege	1880	RegSvcs.exe

pid	process
2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

pid	process
2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

description	pid	process	target process
PID 2808 wrote to memory of 1880	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 2808 wrote to memory of 1880	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 2808 wrote to memory of 1880	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 2808 wrote to memory of 1880	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 2808 wrote to memory of 1880	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 2808 wrote to memory of 1880	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 2808 wrote to memory of 1880	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 2808 wrote to memory of 1880	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 2808 wrote to memory of 1076	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	WerFault.exe
PID 2808 wrote to memory of 1076	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	WerFault.exe
PID 2808 wrote to memory of 1076	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	WerFault.exe
PID 2808 wrote to memory of 1076	2808	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
"C:\Users\Admin\AppData\Local\Temp\4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 316
2⤵
- Program crash
PID:1076

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uppishly
Filesize
261KB

MD5
00c414bc939b1f92a1f13d13d31eddc0

SHA1
167ba7d6f5564d03f782951465dfa588b061bb47

SHA256
20efb0215d1280eca34972f547b030a578c2b93c44a51da4bd7325d1e5eea23b

SHA512
43dd759e197e05f550512ec70bff23596cd5cba9e6b4ab21bf65b94f157b869f4bcb01485da3374708ed80a1df095f4fdda3aa6c811a944e0303ae4b7affe76b

Download Submit
memory/1880-44-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1880-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1880-1054-0x0000000074A60000-0x000000007514E000-memory.dmp

Filesize
6.9MB

Download
memory/1880-16-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/1880-17-0x0000000002040000-0x0000000002094000-memory.dmp

Filesize
336KB

Download
memory/1880-18-0x0000000002090000-0x00000000020E2000-memory.dmp

Filesize
328KB

Download
memory/1880-19-0x0000000074A60000-0x000000007514E000-memory.dmp

Filesize
6.9MB

Download
memory/1880-20-0x0000000074A60000-0x000000007514E000-memory.dmp

Filesize
6.9MB

Download
memory/1880-22-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-46-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-42-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-40-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-54-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-60-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-58-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-56-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-52-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-68-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-48-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-32-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1880-50-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-38-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-30-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-28-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-26-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-24-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-21-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-34-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-36-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-62-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-80-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-78-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-76-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-74-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-72-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-1051-0x0000000074A60000-0x000000007514E000-memory.dmp

Filesize
6.9MB

Download
memory/1880-1052-0x0000000074A60000-0x000000007514E000-memory.dmp

Filesize
6.9MB

Download
memory/1880-70-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-66-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-64-0x0000000002090000-0x00000000020DD000-memory.dmp

Filesize
308KB

Download
memory/1880-1053-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/2808-11-0x00000000001F0000-0x00000000001F4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads