Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
MALICIOUS | SUSPICIOUS | INFO |
---|---|---|
AGENTTESLA was detected | Checks for external IP | No info indicators. |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x0005AB38 | 0x0005AC00 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 6.50777 |
DATA | 0x0005C000 | 0x000099C4 | 0x00009A00 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 5.16404 |
BSS | 0x00066000 | 0x00000F21 | 0x00000000 | IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00067000 | 0x000020C0 | 0x00002200 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 4.90694 |
.tls | 0x0006A000 | 0x00000010 | 0x00000000 | IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x0006B000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED | 0.20692 |
.reloc | 0x0006C000 | 0x0000700C | 0x00007200 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED | 6.61351 |
.rsrc | 0x00074000 | 0x00042EE8 | 0x00043000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED | 7.31149 |
No exports.
Image |
---|
c:\users\admin\appdata\local\temp\fgff.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\version.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\system32\apphelp.dll |
Image |
---|
c:\users\admin\appdata\local\temp\fgff.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\psapi.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\mscoree.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll |
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll |
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll |
c:\windows\system32\sxs.dll |
c:\windows\system32\shfolder.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\iphlpapi.dll |
c:\windows\system32\nsi.dll |
c:\windows\system32\winnsi.dll |
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll |
c:\windows\system32\ole32.dll |
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscorsec.dll |
c:\windows\system32\wintrust.dll |
c:\windows\system32\crypt32.dll |
c:\windows\system32\msasn1.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
c:\windows\system32\riched20.dll |
c:\windows\system32\version.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscordacwks.dll |
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscorrc.dll |
c:\windows\system32\profapi.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\system32\cryptsp.dll |
c:\windows\system32\rsaenh.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll |
c:\windows\system32\bcrypt.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll |
c:\windows\system32\rpcrtremote.dll |
c:\windows\system32\clbcatq.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\wbem\wbemdisp.dll |
c:\windows\system32\wbemcomn.dll |
c:\windows\system32\ws2_32.dll |
c:\windows\system32\wbem\wbemprox.dll |
c:\windows\system32\wbem\wmiutils.dll |
c:\windows\system32\wbem\wbemsvc.dll |
c:\windows\system32\wbem\fastprox.dll |
c:\windows\system32\ntdsapi.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\custommarshalers\bf7e7494e75e32979c7824a07570a8a9\custommarshalers.ni.dll |
c:\windows\assembly\gac_32\custommarshalers\2.0.0.0__b03f5f7f11d50a3a\custommarshalers.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll |
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll |
c:\windows\system32\sspicli.dll |
c:\windows\system32\propsys.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
c:\windows\system32\ntmarta.dll |
c:\windows\system32\wldap32.dll |
c:\windows\system32\urlmon.dll |
c:\windows\system32\iertutil.dll |
c:\windows\system32\wininet.dll |
c:\windows\system32\setupapi.dll |
c:\windows\system32\cfgmgr32.dll |
c:\windows\system32\devobj.dll |
c:\windows\system32\apphelp.dll |
c:\windows\system32\eventvwr.exe |
c:\windows\system32\mpr.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.security\d9a485330ec2708456134e4a9712a4ab\system.security.ni.dll |
c:\windows\system32\ieframe.dll |
c:\windows\system32\oleacc.dll |
c:\windows\system32\mlang.dll |
c:\windows\system32\vaultcli.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll |
c:\windows\system32\wshom.ocx |
c:\windows\system32\scrrun.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll |
c:\windows\system32\dnsapi.dll |
c:\windows\system32\dhcpcsvc6.dll |
c:\windows\system32\dhcpcsvc.dll |
c:\windows\system32\mswsock.dll |
c:\windows\system32\wshtcpip.dll |
c:\windows\system32\wship6.dll |
c:\windows\system32\rasadhlp.dll |
c:\windows\system32\fwpuclnt.dll |
c:\windows\system32\rasapi32.dll |
c:\windows\system32\rasman.dll |
c:\windows\system32\rtutils.dll |
c:\windows\system32\winhttp.dll |
c:\windows\system32\webio.dll |
Image |
---|
c:\windows\system32\eventvwr.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\system32\propsys.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
c:\windows\system32\clbcatq.dll |
c:\windows\system32\ntmarta.dll |
c:\windows\system32\wldap32.dll |
c:\windows\system32\profapi.dll |
c:\windows\system32\urlmon.dll |
c:\windows\system32\wininet.dll |
c:\windows\system32\iertutil.dll |
c:\windows\system32\crypt32.dll |
c:\windows\system32\msasn1.dll |
c:\windows\system32\sspicli.dll |
c:\users\admin\appdata\local\temp\fgff.exe |
c:\windows\system32\setupapi.dll |
c:\windows\system32\cfgmgr32.dll |
c:\windows\system32\devobj.dll |
c:\windows\system32\apphelp.dll |
Image |
---|
c:\users\admin\appdata\local\temp\fgff.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\version.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
Image |
---|
c:\windows\system32\reg.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\ws2_32.dll |
c:\windows\system32\nsi.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2900 | fgff.exe | GET | 200 | 52.206.161.133:80 | http://checkip.amazonaws.com/ | US | text | | shared |
PID | Process | IP | ASN | CN | Reputation |
---|---|---|---|---|---|
2900 | fgff.exe | 198.187.29.188:587 | Namecheap, Inc. | US | malicious |
2900 | fgff.exe | 52.206.161.133:80 | Amazon.com, Inc. | US | shared |
Domain | IP | Reputation |
---|---|---|
mail.cjcurrent.com | 198.187.29.188 | malicious |
checkip.amazonaws.com | 52.206.161.133, 34.233.102.38, 52.200.125.74, 52.6.79.229, 18.211.215.84, 52.202.139.131 | shared |
PID | Process | Class | Message |
---|---|---|---|
2900 | fgff.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
2900 | fgff.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
2900 | fgff.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |
No debug info.