agenttesla | e171ce5be2a6e71879cbb28bc17a8e126a24c337cf12df618d9758be4c639a20

General

Target

3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
Size

1.6MB
MD5

3707242f769e33f3e7f8c2b1e1652264
SHA1

54343df95d5535f5f5b43639d160d1d9c01847b6
SHA256

e171ce5be2a6e71879cbb28bc17a8e126a24c337cf12df618d9758be4c639a20
SHA512

4975879955925a54d566a6bdec03d55f1c87a173aac5772a0d85eb1c73185db1f15e0c8df7b87bc8867646dfe591a042431dce492b7d214061bbaefbd05b9ee1
SSDEEP

24576:BTRUglhhRkHF2roxCcmocwHx9iIOHixnVMtwYNSZGL:vUgZCkroJ3cMuRCxn

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.quiltershq.org
Port:
587
Username:
[email protected]
Password:
Goodluck7954

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/664-23-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 2 IoCs

Processes:

3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe

description	pid	process	target process
PID 3956 set thread context of 4968	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 set thread context of 664	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe

pid	process
3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
664	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
664	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
Token: SeDebugPrivilege	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
Token: SeDebugPrivilege	664	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
"{path}"
2⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe"
3⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
memory/664-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/664-25-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/664-26-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/3956-8-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/3956-5-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3956-6-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/3956-7-0x0000000004700000-0x0000000004714000-memory.dmp

Filesize
80KB

Download
memory/3956-4-0x0000000004DA0000-0x0000000004E3C000-memory.dmp

Filesize
624KB

Download
memory/3956-9-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3956-10-0x0000000006970000-0x0000000006A8E000-memory.dmp

Filesize
1.1MB

Download
memory/3956-11-0x0000000006A90000-0x0000000006B88000-memory.dmp

Filesize
992KB

Download
memory/3956-0-0x0000000000180000-0x0000000000322000-memory.dmp

Filesize
1.6MB

Download
memory/3956-3-0x0000000004D00000-0x0000000004D92000-memory.dmp

Filesize
584KB

Download
memory/3956-2-0x00000000051D0000-0x0000000005774000-memory.dmp

Filesize
5.6MB

Download
memory/3956-1-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/3956-16-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4968-12-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4968-19-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/4968-20-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4968-21-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/4968-22-0x0000000006450000-0x00000000064B4000-memory.dmp

Filesize
400KB

Download
memory/4968-18-0x0000000005740000-0x0000000005796000-memory.dmp

Filesize
344KB

Download
memory/4968-17-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/4968-24-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4968-15-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download

description	pid	process	target process
PID 3956 wrote to memory of 4724	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 3956 wrote to memory of 4724	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 3956 wrote to memory of 4724	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 3956 wrote to memory of 4968	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 3956 wrote to memory of 4968	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 3956 wrote to memory of 4968	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 3956 wrote to memory of 4968	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 3956 wrote to memory of 4968	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 3956 wrote to memory of 4968	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 3956 wrote to memory of 4968	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 3956 wrote to memory of 4968	3956	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 wrote to memory of 4256	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 wrote to memory of 4256	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 wrote to memory of 4256	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 wrote to memory of 664	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 wrote to memory of 664	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 wrote to memory of 664	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 wrote to memory of 664	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 wrote to memory of 664	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 wrote to memory of 664	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 wrote to memory of 664	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe
PID 4968 wrote to memory of 664	4968	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe	3707242f769e33f3e7f8c2b1e1652264_JaffaCakes118.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads