Agent Tesla is a password-stealing spyware that has been around since 2014. Attackers can use the malware to spy on victims, letting them see everything typed in supported programs and web browsers.
MALICIOUS | SUSPICIOUS | INFO |
---|---|---|
Changes the autorun value in the registry | Checks for external IP | No info indicators. |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000FC9D0 | 0x000FD000 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 6.90806 |
.data | 0x000FE000 | 0x00000A08 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x000FF000 | 0x0000CE5C | 0x0000D000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 5.79491 |
No exports.
Image |
---|
c:\users\admin\appdata\local\temp\5976cecda5d2139f87427bc20c41183f.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\msvbvm60.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\system32\sxs.dll |
c:\windows\system32\cryptsp.dll |
c:\windows\system32\rsaenh.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\system32\apphelp.dll |
Image |
---|
c:\users\admin\appdata\local\temp\5976cecda5d2139f87427bc20c41183f.exe |
c:\systemroot\system32\ntdll.dll |
c:\windows\system32\kernel32.dll |
c:\windows\system32\kernelbase.dll |
c:\windows\system32\msvbvm60.dll |
c:\windows\system32\user32.dll |
c:\windows\system32\gdi32.dll |
c:\windows\system32\lpk.dll |
c:\windows\system32\msvcrt.dll |
c:\windows\system32\usp10.dll |
c:\windows\system32\advapi32.dll |
c:\windows\system32\sechost.dll |
c:\windows\system32\rpcrt4.dll |
c:\windows\system32\ole32.dll |
c:\windows\system32\oleaut32.dll |
c:\windows\system32\imm32.dll |
c:\windows\system32\msctf.dll |
c:\windows\system32\shell32.dll |
c:\windows\system32\shlwapi.dll |
c:\windows\system32\mscoree.dll |
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll |
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll |
c:\windows\system32\version.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll |
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll |
c:\windows\system32\profapi.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll |
c:\windows\system32\cryptbase.dll |
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll |
c:\windows\system32\bcrypt.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll |
c:\windows\system32\cryptsp.dll |
c:\windows\system32\rsaenh.dll |
c:\windows\system32\rpcrtremote.dll |
c:\windows\system32\clbcatq.dll |
c:\windows\system32\wbem\wbemdisp.dll |
c:\windows\system32\wbemcomn.dll |
c:\windows\system32\ws2_32.dll |
c:\windows\system32\nsi.dll |
c:\windows\system32\wbem\wbemprox.dll |
c:\windows\system32\wbem\wmiutils.dll |
c:\windows\system32\wbem\wbemsvc.dll |
c:\windows\system32\wbem\fastprox.dll |
c:\windows\system32\ntdsapi.dll |
c:\windows\system32\sxs.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\custommarshalers\bf7e7494e75e32979c7824a07570a8a9\custommarshalers.ni.dll |
c:\windows\assembly\gac_32\custommarshalers\2.0.0.0__b03f5f7f11d50a3a\custommarshalers.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll |
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll |
c:\windows\system32\sspicli.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll |
c:\windows\system32\rasapi32.dll |
c:\windows\system32\rasman.dll |
c:\windows\system32\shfolder.dll |
c:\windows\system32\rtutils.dll |
c:\windows\system32\mswsock.dll |
c:\windows\system32\wshtcpip.dll |
c:\windows\system32\wship6.dll |
c:\windows\system32\winhttp.dll |
c:\windows\system32\webio.dll |
c:\windows\assembly\nativeimages_v2.0.50727_32\system.security\d9a485330ec2708456134e4a9712a4ab\system.security.ni.dll |
c:\windows\system32\iphlpapi.dll |
c:\windows\system32\winnsi.dll |
c:\windows\system32\dhcpcsvc6.dll |
c:\windows\system32\crypt32.dll |
c:\windows\system32\msasn1.dll |
c:\windows\system32\dhcpcsvc.dll |
c:\windows\system32\dnsapi.dll |
c:\windows\system32\rasadhlp.dll |
c:\windows\system32\fwpuclnt.dll |
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll |
c:\windows\system32\ieframe.dll |
c:\windows\system32\psapi.dll |
c:\windows\system32\oleacc.dll |
c:\windows\system32\iertutil.dll |
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
c:\program files\internet explorer\ieproxy.dll |
c:\windows\system32\mlang.dll |
c:\windows\system32\wininet.dll |
c:\windows\system32\urlmon.dll |
c:\windows\system32\vaultcli.dll |
c:\windows\system32\wshom.ocx |
c:\windows\system32\mpr.dll |
c:\windows\system32\scrrun.dll |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1248 | 5976cecda5d2139f87427bc20c41183f.exe | GET | 200 | 34.224.0.116:80 | http://checkip.amazonaws.com/ | US | text | | shared |
PID | Process | IP | ASN | CN | Reputation |
---|---|---|---|---|---|
1248 | 5976cecda5d2139f87427bc20c41183f.exe | 34.224.0.116:80 | Amazon.com, Inc. | US | shared |
1248 | 5976cecda5d2139f87427bc20c41183f.exe | 31.210.72.226:587 | Radore Veri Merkezi Hizmetleri A.S. | TR | malicious |
Domain | IP | Reputation |
---|---|---|
checkip.amazonaws.com | 34.224.0.116, 18.211.58.73, 52.44.169.135, 18.214.132.216, 34.196.181.158, 18.213.79.189, 3.224.145.145, 34.236.80.17 | shared |
mail.innovecera.com | 31.210.72.226 | malicious |
PID | Process | Class | Message |
---|---|---|---|
1248 | 5976cecda5d2139f87427bc20c41183f.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
1248 | 5976cecda5d2139f87427bc20c41183f.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
1248 | 5976cecda5d2139f87427bc20c41183f.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
1248 | 5976cecda5d2139f87427bc20c41183f.exe | A Network Trojan was detected | AV TROJAN Win.Keylogger.AgentTesla variant outbound SMTP connection |
No debug info.