agenttesla | 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
Size

1.4MB
MD5

e1588f75f06d249baf1761e572233d12
SHA1

7b8c3cf2000affbfdeb15807e4bb1048debf1e16
SHA256

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701
SHA512

0ebd6a10ea0979088e4fabbda01fec2c29bbec07d8c519eb2ed4ef600c53e6639eda45be76a6f849d57b2fc7c993023ffc9b32343bd58187d3e536a58bbd1cdb
SSDEEP

24576:cAHnh+eWsN3skA4RV1Hom2KXMmHajyYady5ebPIxn5or5:7h+ZkldoPK8YajdadhGw

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

description pid process target process

PID 232 set thread context of 2844 232 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2844 RegSvcs.exe
2844 RegSvcs.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

pid process

1388 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
232 4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2844 RegSvcs.exe

description	pid	process	target process
PID 232 set thread context of 2844	232	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe

pid	process
2844	RegSvcs.exe
2844	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2844	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

pid	process
1388	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
1388	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
232	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
232	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

pid	process
1388	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
1388	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
232	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
232	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe

description	pid	process	target process
PID 1388 wrote to memory of 4492	1388	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 1388 wrote to memory of 4492	1388	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 1388 wrote to memory of 4492	1388	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 1388 wrote to memory of 232	1388	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
PID 1388 wrote to memory of 232	1388	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
PID 1388 wrote to memory of 232	1388	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
PID 232 wrote to memory of 2844	232	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 232 wrote to memory of 2844	232	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 232 wrote to memory of 2844	232	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe
PID 232 wrote to memory of 2844	232	4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
"C:\Users\Admin\AppData\Local\Temp\4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe"
2⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe
"C:\Users\Admin\AppData\Local\Temp\4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\4c0dca6d29a7ef1153f8f730ec934571c5b0be25b43f6096ff26e143f6d8b701.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut496D.tmp
Filesize
261KB

MD5
00c414bc939b1f92a1f13d13d31eddc0

SHA1
167ba7d6f5564d03f782951465dfa588b061bb47

SHA256
20efb0215d1280eca34972f547b030a578c2b93c44a51da4bd7325d1e5eea23b

SHA512
43dd759e197e05f550512ec70bff23596cd5cba9e6b4ab21bf65b94f157b869f4bcb01485da3374708ed80a1df095f4fdda3aa6c811a944e0303ae4b7affe76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\semispinalis
Filesize
28KB

MD5
a69627806e038d3712d3ed7e104e1750

SHA1
2d2c8387332a984033c896145745947268017e0a

SHA256
76f48832ac0b3c3ebdd61924a7ed09d44d71e4ed1d347a57d06547a3400ddf21

SHA512
4a39426d49d1b0a4c6d0c9fd2bce8e1acac2e64f94bc7e47fdea5ad113e6ba74a6983397162aef25039b9ac5af96180ba4e45b81227f9f86bb9abadd959f4ce0

Download Submit
memory/1388-12-0x0000000003360000-0x0000000003364000-memory.dmp

Filesize
16KB

Download
memory/2844-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2844-30-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2844-31-0x000000007482E000-0x000000007482F000-memory.dmp

Filesize
4KB

Download
memory/2844-32-0x0000000002D10000-0x0000000002D64000-memory.dmp

Filesize
336KB

Download
memory/2844-33-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2844-36-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2844-57-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-97-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-93-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-89-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-85-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-81-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-77-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-1068-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/2844-1069-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2844-75-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-73-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-71-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-67-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-63-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-59-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-55-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-53-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-51-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-49-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-47-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-45-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-95-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-43-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-91-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-87-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-41-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-83-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-79-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-40-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2844-38-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-37-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-69-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-65-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-61-0x00000000051E0000-0x000000000522D000-memory.dmp

Filesize
308KB

Download
memory/2844-35-0x00000000051E0000-0x0000000005232000-memory.dmp

Filesize
328KB

Download
memory/2844-34-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/2844-29-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2844-28-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2844-1071-0x00000000063E0000-0x0000000006472000-memory.dmp

Filesize
584KB

Download
memory/2844-1070-0x00000000062F0000-0x0000000006340000-memory.dmp

Filesize
320KB

Download
memory/2844-1072-0x0000000006340000-0x000000000634A000-memory.dmp

Filesize
40KB

Download
memory/2844-1073-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2844-1074-0x000000007482E000-0x000000007482F000-memory.dmp

Filesize
4KB

Download
memory/2844-1075-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads