agenttesla | 0a5a8423274bf1f4ba1b90b99ef3efdadcb5459a519c47dc6ebb97a2065ead4c

General

Target

1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
Size

659KB
MD5

1188574f43ab4949dbc23b2b0c358c64
SHA1

71fccbdd47f6285899cf45e0ba5d532490caa8ba
SHA256

0a5a8423274bf1f4ba1b90b99ef3efdadcb5459a519c47dc6ebb97a2065ead4c
SHA512

93cf09dd8efbcbb353d68f0b049fca2df8f52c13a23847de24049680dcc5bd46185870db098d2c5a283a1b4f4d2a7165a3f4304c2f77447b8bb34eff8a24c723
SSDEEP

6144:2NZuc+lNVaQsebRFxlh9jwrp5aTvAgT4RS3eATXModewM9O7vGmcqebCa3ems9t:2j+paxO8rSTmk3eA79s9yebCm

Score

10^/10

agenttesla agilenet execution keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1676-1-0x00000000002F0000-0x000000000039C000-memory.dmp	family_agenttesla
C:\Users\Admin\AppData\Local\System64	family_agenttesla

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1676-2-0x0000000000210000-0x0000000000226000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System64 = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Local\\System64"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1800 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings rundll32.exe

pid	process
1800	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exepowershell.exe

pid	process
1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
1800	powershell.exe
1800	powershell.exe
1800	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1676 1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
Token: SeDebugPrivilege 1800 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

1032 AcroRd32.exe
1032 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
Token: SeDebugPrivilege	1800	powershell.exe

pid	process
1032	AcroRd32.exe
1032	AcroRd32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.execmd.exepowershell.exerundll32.exe

description	pid	process	target process
PID 1676 wrote to memory of 2696	1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	cmd.exe
PID 1676 wrote to memory of 2696	1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	cmd.exe
PID 1676 wrote to memory of 2696	1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	cmd.exe
PID 1676 wrote to memory of 2696	1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	cmd.exe
PID 2696 wrote to memory of 2556	2696	cmd.exe	reg.exe
PID 2696 wrote to memory of 2556	2696	cmd.exe	reg.exe
PID 2696 wrote to memory of 2556	2696	cmd.exe	reg.exe
PID 2696 wrote to memory of 2556	2696	cmd.exe	reg.exe
PID 1676 wrote to memory of 1800	1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	powershell.exe
PID 1676 wrote to memory of 1800	1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	powershell.exe
PID 1676 wrote to memory of 1800	1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	powershell.exe
PID 1676 wrote to memory of 1800	1676	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	powershell.exe
PID 1800 wrote to memory of 2832	1800	powershell.exe	rundll32.exe
PID 1800 wrote to memory of 2832	1800	powershell.exe	rundll32.exe
PID 1800 wrote to memory of 2832	1800	powershell.exe	rundll32.exe
PID 1800 wrote to memory of 2832	1800	powershell.exe	rundll32.exe
PID 1800 wrote to memory of 2832	1800	powershell.exe	rundll32.exe
PID 1800 wrote to memory of 2832	1800	powershell.exe	rundll32.exe
PID 1800 wrote to memory of 2832	1800	powershell.exe	rundll32.exe
PID 2832 wrote to memory of 1032	2832	rundll32.exe	AcroRd32.exe
PID 2832 wrote to memory of 1032	2832	rundll32.exe	AcroRd32.exe
PID 2832 wrote to memory of 1032	2832	rundll32.exe	AcroRd32.exe
PID 2832 wrote to memory of 1032	2832	rundll32.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v System64 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\System64"
2⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v System64 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\System64"
3⤵
- Adds Run key to start application
PID:2556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Local\System64
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\System64
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\System64"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1032

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\System64
Filesize
659KB

MD5
1188574f43ab4949dbc23b2b0c358c64

SHA1
71fccbdd47f6285899cf45e0ba5d532490caa8ba

SHA256
0a5a8423274bf1f4ba1b90b99ef3efdadcb5459a519c47dc6ebb97a2065ead4c

SHA512
93cf09dd8efbcbb353d68f0b049fca2df8f52c13a23847de24049680dcc5bd46185870db098d2c5a283a1b4f4d2a7165a3f4304c2f77447b8bb34eff8a24c723

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
b3b622f33b62976b2d43593d57622079

SHA1
b2dfa920721ea5d0ffd773bc283b2880349a0db9

SHA256
accef3c7115a55eb7232e406fedd4a01073f211f6c2dac58e859480c1c1adbd3

SHA512
3ab83ab88155455aee4d432533fe78a3d3facc6e322b4f08ff0c7476d79dbf2cfae959fa78d59fa53c98a541f9230e2327261d15e0625d4fbfba1921850eb23d

Download Submit
memory/1676-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/1676-1-0x00000000002F0000-0x000000000039C000-memory.dmp

Filesize
688KB

Download
memory/1676-2-0x0000000000210000-0x0000000000226000-memory.dmp

Filesize
88KB

Download
memory/1676-3-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/1676-4-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/1676-5-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/1676-6-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/1676-7-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1676-9-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads