Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
MALICIOUS | SUSPICIOUS | INFO |
---|---|---|
Actions look like stealing of personal data | Starts itself from another location | No info indicators. |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00097768 | 0x00098000 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 6.37544 |
.data | 0x00099000 | 0x00007A14 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x000A1000 | 0x00001FF4 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 3.69377 |
No exports.
Image |
---|
c:\users\admin\appdata\local\temp\6d3192f8be7bf55d20f5b8b2f5229649.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\msvbvm60.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\system32\sxs.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
c:\windows\system32\setupapi.dll |
c:\windows\system32\cfgmgr32.dll |
c:\windows\system32\devobj.dll |
c:\windows\system32\clbcatq.dll |
c:\windows\system32\propsys.dll |
c:\windows\system32\ntmarta.dll |
c:\windows\system32\wldap32.dll |
c:\windows\system32\profapi.dll |
c:\windows\system32\apphelp.dll |
c:\windows\system32\shdocvw.dll |
c:\windows\system32\windowscodecs.dll |
c:\windows\system32\ehstorshell.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
c:\windows\system32\cscui.dll |
c:\windows\system32\cscdll.dll |
c:\windows\system32\cscapi.dll |
c:\windows\system32\ntshrui.dll |
c:\windows\system32\srvcli.dll |
c:\windows\system32\slc.dll |
c:\windows\system32\imageres.dll |
c:\windows\system32\version.dll |
c:\windows\system32\urlmon.dll |
c:\windows\system32\wininet.dll |
c:\windows\system32\iertutil.dll |
c:\windows\system32\crypt32.dll |
c:\windows\system32\msasn1.dll |
c:\windows\system32\sspicli.dll |
c:\windows\system32\wscript.exe |
c:\users\admin\subfolder\filename.scr |
Image |
---|
c:\windows\system32\wscript.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\version.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\system32\sxs.dll |
c:\windows\system32\clbcatq.dll |
c:\windows\system32\vbscript.dll |
c:\windows\system32\wintrust.dll |
c:\windows\system32\crypt32.dll |
c:\windows\system32\msasn1.dll |
c:\windows\system32\cryptsp.dll |
c:\windows\system32\rsaenh.dll |
c:\windows\system32\msisip.dll |
c:\windows\system32\wshext.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\system32\scrobj.dll |
c:\windows\system32\wshom.ocx |
c:\windows\system32\mpr.dll |
c:\windows\system32\scrrun.dll |
Image |
---|
c:\users\admin\subfolder\filename.scr |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\msvbvm60.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\system32\sxs.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
c:\windows\system32\setupapi.dll |
c:\windows\system32\cfgmgr32.dll |
c:\windows\system32\devobj.dll |
c:\windows\system32\clbcatq.dll |
c:\windows\system32\propsys.dll |
c:\windows\system32\ntmarta.dll |
c:\windows\system32\wldap32.dll |
c:\windows\system32\profapi.dll |
c:\windows\system32\apphelp.dll |
c:\windows\system32\shdocvw.dll |
c:\windows\system32\windowscodecs.dll |
c:\windows\system32\ehstorshell.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
c:\windows\system32\cscui.dll |
c:\windows\system32\cscdll.dll |
c:\windows\system32\cscapi.dll |
c:\windows\system32\ntshrui.dll |
c:\windows\system32\srvcli.dll |
c:\windows\system32\slc.dll |
c:\windows\system32\imageres.dll |
c:\windows\system32\version.dll |
Image |
---|
c:\users\admin\subfolder\filename.scr |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\msvbvm60.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\system32\mscoree.dll |
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll |
c:\windows\system32\version.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll |
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll |
c:\windows\system32\profapi.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\system32\cryptsp.dll |
c:\windows\system32\rsaenh.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll |
c:\windows\system32\bcrypt.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll |
c:\windows\system32\rpcrtremote.dll |
c:\windows\system32\clbcatq.dll |
c:\windows\system32\wbem\wbemdisp.dll |
c:\windows\system32\wbemcomn.dll |
c:\windows\system32\ws2_32.dll |
c:\windows\system32\nsi.dll |
c:\windows\system32\wbem\wbemprox.dll |
c:\windows\system32\wbem\wmiutils.dll |
c:\windows\system32\wbem\wbemsvc.dll |
c:\windows\system32\wbem\fastprox.dll |
c:\windows\system32\ntdsapi.dll |
c:\windows\system32\sxs.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\custommarshalers\bf7e7494e75e32979c7824a07570a8a9\custommarshalers.ni.dll |
c:\windows\assembly\gac_32\custommarshalers\2.0.0.0__b03f5f7f11d50a3a\custommarshalers.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll |
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll |
c:\windows\system32\sspicli.dll |
c:\windows\system32\shfolder.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.security\d9a485330ec2708456134e4a9712a4ab\system.security.ni.dll |
c:\windows\system32\crypt32.dll |
c:\windows\system32\msasn1.dll |
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll |
c:\windows\system32\ieframe.dll |
c:\windows\system32\psapi.dll |
c:\windows\system32\oleacc.dll |
c:\windows\system32\iertutil.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
c:\windows\system32\mlang.dll |
c:\windows\system32\wininet.dll |
c:\windows\system32\urlmon.dll |
c:\windows\system32\vaultcli.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll |
c:\windows\system32\wshom.ocx |
c:\windows\system32\mpr.dll |
c:\windows\system32\scrrun.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll |
c:\windows\system32\iphlpapi.dll |
c:\windows\system32\winnsi.dll |
c:\windows\system32\dnsapi.dll |
c:\windows\system32\dhcpcsvc6.dll |
c:\windows\system32\dhcpcsvc.dll |
c:\windows\system32\mswsock.dll |
c:\windows\system32\wshtcpip.dll |
c:\windows\system32\wship6.dll |
c:\windows\system32\rasadhlp.dll |
c:\windows\system32\fwpuclnt.dll |
c:\windows\system32\rasapi32.dll |
c:\windows\system32\rasman.dll |
c:\windows\system32\rtutils.dll |
c:\windows\system32\winhttp.dll |
c:\windows\system32\webio.dll |
PID | Process | IP | ASN | CN | Reputation |
---|---|---|---|---|---|
3280 | filename.scr | 202.146.241.47:587 | PT Centrin Utama | ID | malicious |
3280 | filename.scr | 52.44.169.135:80 | Amazon.com, Inc. | US | shared |
3280 | filename.scr | 18.204.189.102:80 | | US | shared |
3280 | filename.scr | 18.205.71.63:80 | US | shared |
Domain | IP | Reputation |
---|---|---|
mail.hervitama.co.id | 202.146.241.47 | malicious |
checkip.amazonaws.com | 52.44.169.135, 18.204.189.102, 18.205.71.63, 52.55.255.113, 3.224.145.145, 34.196.181.158 | shared |
dns.msftncsi.com | 131.107.255.255 | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3280 | filename.scr | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3280 | filename.scr | A Network Trojan was detected | AV TROJAN Win.Keylogger.AgentTesla variant outbound SMTP connection |
3280 | filename.scr | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |
No debug info.