agenttesla | e3b438339a4ce2dba793223d9448b8c597080daaaf63bdd94a79079b78cf2fcf

General

Target

c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
Size

800KB
MD5

c2ce115eece7c53ec5b202a0bd4d1778
SHA1

8cbb0836da268c35d2ad2691edaa4252134e21af
SHA256

e3b438339a4ce2dba793223d9448b8c597080daaaf63bdd94a79079b78cf2fcf
SHA512

a1c377449ce676685d30cc5f2cb3fb8c5d78d4c63986003ecc78fae5f2e8c8a77393c03c8bdd83a542a38ba204c297ffc2e9ca74f68424d2cedd71117a462e81
SSDEEP

12288:c5vuhhyEdCes6MBL1zm2I4ku0aa8NQR+nENV9wsQu2RS8h4+nxFx/:choM16MBdx078KqiVSfBKGp

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.penavico--cz.com
Port:
587
Username:
[email protected]
Password:
Fq$L%J((!6

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 6 IoCs

resource	yara_rule
behavioral1/memory/640-26-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/640-27-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/640-30-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/640-33-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/640-35-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/640-37-0x00000000008A0000-0x00000000008E0000-memory.dmp	family_agenttesla

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000000b1f3-7.dat	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
2820	AdvancedRun.exe
2420	AdvancedRun.exe
2360	AdvancedRun.exe
2448	AdvancedRun.exe

Loads dropped DLL 8 IoCs

pid	Process
3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
2820	AdvancedRun.exe
2820	AdvancedRun.exe
3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
2360	AdvancedRun.exe
2360	AdvancedRun.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 640	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
2820	AdvancedRun.exe
2820	AdvancedRun.exe
2420	AdvancedRun.exe
2420	AdvancedRun.exe
2360	AdvancedRun.exe
2360	AdvancedRun.exe
2448	AdvancedRun.exe
2448	AdvancedRun.exe
3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
640	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
640	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
Token: SeDebugPrivilege	2820	AdvancedRun.exe
Token: SeImpersonatePrivilege	2820	AdvancedRun.exe
Token: SeDebugPrivilege	2420	AdvancedRun.exe
Token: SeImpersonatePrivilege	2420	AdvancedRun.exe
Token: SeDebugPrivilege	2360	AdvancedRun.exe
Token: SeImpersonatePrivilege	2360	AdvancedRun.exe
Token: SeDebugPrivilege	2448	AdvancedRun.exe
Token: SeImpersonatePrivilege	2448	AdvancedRun.exe
Token: SeDebugPrivilege	640	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2820	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2820	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2820	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2820	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2420	2820	AdvancedRun.exe	31
PID 2820 wrote to memory of 2420	2820	AdvancedRun.exe	31
PID 2820 wrote to memory of 2420	2820	AdvancedRun.exe	31
PID 2820 wrote to memory of 2420	2820	AdvancedRun.exe	31
PID 3060 wrote to memory of 2360	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	32
PID 3060 wrote to memory of 2360	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	32
PID 3060 wrote to memory of 2360	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	32
PID 3060 wrote to memory of 2360	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	32
PID 2360 wrote to memory of 2448	2360	AdvancedRun.exe	33
PID 2360 wrote to memory of 2448	2360	AdvancedRun.exe	33
PID 2360 wrote to memory of 2448	2360	AdvancedRun.exe	33
PID 2360 wrote to memory of 2448	2360	AdvancedRun.exe	33
PID 3060 wrote to memory of 640	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	34
PID 3060 wrote to memory of 640	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	34
PID 3060 wrote to memory of 640	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	34
PID 3060 wrote to memory of 640	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	34
PID 3060 wrote to memory of 640	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	34
PID 3060 wrote to memory of 640	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	34
PID 3060 wrote to memory of 640	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	34
PID 3060 wrote to memory of 640	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	34
PID 3060 wrote to memory of 640	3060	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2820
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2360
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- C:\Users\Admin\AppData\Local\Temp\c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/640-30-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-38-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/640-37-0x00000000008A0000-0x00000000008E0000-memory.dmp

Filesize
256KB

Download
memory/640-36-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/640-35-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-26-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/640-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3060-1-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/3060-32-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/3060-2-0x00000000021B0000-0x0000000002252000-memory.dmp

Filesize
648KB

Download
memory/3060-0-0x00000000002C0000-0x000000000038E000-memory.dmp

Filesize
824KB

Download
memory/3060-5-0x00000000008B0000-0x00000000008D8000-memory.dmp

Filesize
160KB

Download
memory/3060-4-0x0000000005070000-0x00000000050B0000-memory.dmp

Filesize
256KB

Download
memory/3060-3-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing