agenttesla | 3bff4a308ecd13d7ee25b1327195eb52319660f220377dfc2224ac987ad97778

General

Target

1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe
Size

980KB
MD5

1b8967a79880dfff1a89796c914a9535
SHA1

65c723076961c27a33bc59bc1915ab8c9ebd73ca
SHA256

3bff4a308ecd13d7ee25b1327195eb52319660f220377dfc2224ac987ad97778
SHA512

91070539e9c157989e12165faf5a0fbcc97027668428e3e5389193a9bf4bb9bfcb43a03f9d6807ba25c6207380d6926503ab04db4099f1957eb890b90a0384f9
SSDEEP

24576:rAOcZEhB5zKb28JW6WTq6ai0bagi7vzJ/:ta2E0Tq6d4a5vt

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
secure300.inmotionhosting.com
Port:
587
Username:
[email protected]
Password:
HCBo3_tl-nKP1@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/744-61-0x0000000001100000-0x00000000015C7000-memory.dmp	family_agenttesla
behavioral2/memory/744-64-0x0000000001100000-0x000000000113C000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vhlrf.pif1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	vhlrf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

vhlrf.pifRegSvcs.exe

pid process

3064 vhlrf.pif
744 RegSvcs.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3064	vhlrf.pif
744	RegSvcs.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vhlrf.pif

description pid process target process

PID 3064 set thread context of 744 3064 vhlrf.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

vhlrf.pifRegSvcs.exe

pid process

3064 vhlrf.pif
3064 vhlrf.pif
744 RegSvcs.exe
744 RegSvcs.exe
744 RegSvcs.exe
744 RegSvcs.exe
744 RegSvcs.exe
744 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 744 RegSvcs.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vhlrf.pifRegSvcs.exe

pid process

3064 vhlrf.pif
744 RegSvcs.exe

description	pid	process	target process
PID 3064 set thread context of 744	3064	vhlrf.pif	RegSvcs.exe

pid	process
3064	vhlrf.pif
3064	vhlrf.pif
744	RegSvcs.exe
744	RegSvcs.exe
744	RegSvcs.exe
744	RegSvcs.exe
744	RegSvcs.exe
744	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	744	RegSvcs.exe

pid	process
3064	vhlrf.pif
744	RegSvcs.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exevhlrf.pif

description	pid	process	target process
PID 5000 wrote to memory of 3064	5000	1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe	vhlrf.pif
PID 5000 wrote to memory of 3064	5000	1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe	vhlrf.pif
PID 5000 wrote to memory of 3064	5000	1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe	vhlrf.pif
PID 3064 wrote to memory of 812	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 812	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 812	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 3924	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 3924	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 3924	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 2436	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 2436	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 2436	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 3216	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 3216	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 3216	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 1072	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 1072	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 1072	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 696	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 696	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 696	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 2936	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 2936	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 2936	3064	vhlrf.pif	mshta.exe
PID 3064 wrote to memory of 744	3064	vhlrf.pif	RegSvcs.exe
PID 3064 wrote to memory of 744	3064	vhlrf.pif	RegSvcs.exe
PID 3064 wrote to memory of 744	3064	vhlrf.pif	RegSvcs.exe
PID 3064 wrote to memory of 744	3064	vhlrf.pif	RegSvcs.exe
PID 3064 wrote to memory of 744	3064	vhlrf.pif	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b8967a79880dfff1a89796c914a9535_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\50764647\vhlrf.pif
"C:\Users\Admin\50764647\vhlrf.pif" ihdes.mrg
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:812

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:3924

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:2436

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:3216

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1072

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:696

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\50764647\ihdes.mrg
Filesize
83.8MB

MD5
e400b295e5833a76175d3573d326c011

SHA1
a188ef799e43e51f99c2490fa78df682d46da713

SHA256
a16d5b5bd922750123f7e8550e7b03e3297608678d318309268d71f18f7f06b0

SHA512
34f0b7b9ddeb9b12a60476308e55b9bca4acc11169d67a1ed1172e8e3d75c146ba8590f3b51482171c4bdb40166ae44816a4942afa07e247bcc25c5078289412

Download Submit
C:\Users\Admin\50764647\ktguieluna.caw
Filesize
428KB

MD5
120aff8455f26c9ce6641cba06fed1bc

SHA1
ef345967e50a3048434a1afaa66a6662a9d5cdf6

SHA256
f177d13df363aef0451a8a5273b1aa0f50305686b697a2f8c9d5981a79141399

SHA512
0d0f40e8405c226b40d3945f523813bb12a85c66d32e9d8a43af520f7d098b57c8b9a870699b6d5a9672ca54d602cf4614e76a20517e458a9acc1bc701eddd65

Download Submit
C:\Users\Admin\50764647\odqjo.bin
Filesize
48KB

MD5
fce3722adadc2bfc220511ca0f56d82a

SHA1
d0a8e10196459fe72abb3268ffe21c4e4610efc0

SHA256
2434b0b787db2a0df7eda6bb56b9d579d577332717fa92febd5ec49606a48936

SHA512
04882c774b1bd3b7943b6a7a3a7d1fe631a8f9e9a33164370a8a58150f7006a072239178bbc2c781c2a2548f633fbea856d6b4f2e7e6e6bad6cf86cebbc264ef

Download Submit
C:\Users\Admin\50764647\vhlrf.pif
Filesize
758KB

MD5
279dae7236f5f2488a4bacde6027f730

SHA1
29a012e5259739f24480cedfd6d5f2d860cfcdb3

SHA256
415850f2706681a6d80708fca8ac18dcf97e58b8f3fdc7bc4b558ab15fc0a03f

SHA512
b81276fc4d915a9721dae15aa064781a1dba665ff4864ccbdf624e8049c1b3c12a2b374f11cffcf6e4a5217766836edbc5f2376ffa8765f9070cbd87d7ae2fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/744-66-0x0000000006120000-0x00000000066C4000-memory.dmp

Filesize
5.6MB

Download
memory/744-64-0x0000000001100000-0x000000000113C000-memory.dmp

Filesize
240KB

Download
memory/744-65-0x0000000072B80000-0x0000000073330000-memory.dmp

Filesize
7.7MB

Download
memory/744-61-0x0000000001100000-0x00000000015C7000-memory.dmp

Filesize
4.8MB

Download
memory/744-67-0x0000000005C10000-0x0000000005CA2000-memory.dmp

Filesize
584KB

Download
memory/744-68-0x0000000005DE0000-0x0000000005DF0000-memory.dmp

Filesize
64KB

Download
memory/744-69-0x0000000005E90000-0x0000000005F2C000-memory.dmp

Filesize
624KB

Download
memory/744-70-0x0000000005E70000-0x0000000005E88000-memory.dmp

Filesize
96KB

Download
memory/744-71-0x0000000006A10000-0x0000000006A76000-memory.dmp

Filesize
408KB

Download
memory/744-72-0x0000000072B80000-0x0000000073330000-memory.dmp

Filesize
7.7MB

Download
memory/744-73-0x0000000005DE0000-0x0000000005DF0000-memory.dmp

Filesize
64KB

Download
memory/744-74-0x0000000006BD0000-0x0000000006C20000-memory.dmp

Filesize
320KB

Download
memory/744-75-0x0000000006D60000-0x0000000006D6A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads