agenttesla | d4d0017b7ee338ad4c3ae0a6b9e61ed2ecb4279c1b30bd636eec2e924450bad7

General

Target

338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
Size

756KB
MD5

338a2590962fb66ab7a2d4436c3100f8
SHA1

970fe9b649285cf8adfd10d42a1e06cda73b3982
SHA256

d4d0017b7ee338ad4c3ae0a6b9e61ed2ecb4279c1b30bd636eec2e924450bad7
SHA512

b88b4653c76f817388df4d1306905e96c6b6797d1d999e5a18c570c1536735bbc60ef4a34e533e061f85453bb701561207654b571be86d4ae09eddddf571b6e9
SSDEEP

12288:VPLTrMosq9TjxTp7+R3/pMOu3thdQrZyuwz2d:pLTrv9eR3h+

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Prince11

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2244-8-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2244-9-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2244-12-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2244-17-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2244-14-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe

description	pid	process	target process
PID 2236 set thread context of 2244	2236	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe

description	pid	process	target process
PID 2236 wrote to memory of 2244	2236	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
PID 2236 wrote to memory of 2244	2236	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
PID 2236 wrote to memory of 2244	2236	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
PID 2236 wrote to memory of 2244	2236	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
PID 2236 wrote to memory of 2244	2236	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
PID 2236 wrote to memory of 2244	2236	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
PID 2236 wrote to memory of 2244	2236	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
PID 2236 wrote to memory of 2244	2236	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
PID 2236 wrote to memory of 2244	2236	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
PID 2244 wrote to memory of 576	2244	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	dw20.exe
PID 2244 wrote to memory of 576	2244	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	dw20.exe
PID 2244 wrote to memory of 576	2244	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	dw20.exe
PID 2244 wrote to memory of 576	2244	338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\338a2590962fb66ab7a2d4436c3100f8_JaffaCakes118.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 384
3⤵
PID:576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-24-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/576-21-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2236-0-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2236-1-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2236-2-0x0000000000A70000-0x0000000000AB0000-memory.dmp

Filesize
256KB

Download
memory/2236-3-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2236-4-0x0000000000A70000-0x0000000000AB0000-memory.dmp

Filesize
256KB

Download
memory/2236-5-0x0000000000A70000-0x0000000000AB0000-memory.dmp

Filesize
256KB

Download
memory/2236-16-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2244-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2244-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2244-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2244-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2244-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2244-18-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-20-0x00000000001D0000-0x0000000000210000-memory.dmp

Filesize
256KB

Download
memory/2244-19-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2244-22-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-23-0x00000000001D0000-0x0000000000210000-memory.dmp

Filesize
256KB

Download
memory/2244-6-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads