agenttesla | 0a5a8423274bf1f4ba1b90b99ef3efdadcb5459a519c47dc6ebb97a2065ead4c

General

Target

1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
Size

659KB
MD5

1188574f43ab4949dbc23b2b0c358c64
SHA1

71fccbdd47f6285899cf45e0ba5d532490caa8ba
SHA256

0a5a8423274bf1f4ba1b90b99ef3efdadcb5459a519c47dc6ebb97a2065ead4c
SHA512

93cf09dd8efbcbb353d68f0b049fca2df8f52c13a23847de24049680dcc5bd46185870db098d2c5a283a1b4f4d2a7165a3f4304c2f77447b8bb34eff8a24c723
SSDEEP

6144:2NZuc+lNVaQsebRFxlh9jwrp5aTvAgT4RS3eATXModewM9O7vGmcqebCa3ems9t:2j+paxO8rSTmk3eA79s9yebCm

Score

10^/10

agenttesla agilenet execution keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4128-1-0x0000000000E20000-0x0000000000ECC000-memory.dmp	family_agenttesla
C:\Users\Admin\AppData\Local\System64	family_agenttesla

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4128-3-0x00000000031F0000-0x0000000003206000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System64 = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Local\\System64"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4300 powershell.exe

pid	process
4300	powershell.exe

Modifies registry class 2 IoCs

Processes:

powershell.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exepowershell.exe

pid	process
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
4300	powershell.exe
4300	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4128 1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
Token: SeDebugPrivilege 4300 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1800 OpenWith.exe

description	pid	process
Token: SeDebugPrivilege	4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
Token: SeDebugPrivilege	4300	powershell.exe

pid	process
1800	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 4128 wrote to memory of 4628	4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	cmd.exe
PID 4128 wrote to memory of 4628	4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	cmd.exe
PID 4128 wrote to memory of 4628	4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	cmd.exe
PID 4628 wrote to memory of 2860	4628	cmd.exe	reg.exe
PID 4628 wrote to memory of 2860	4628	cmd.exe	reg.exe
PID 4628 wrote to memory of 2860	4628	cmd.exe	reg.exe
PID 4128 wrote to memory of 4300	4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	powershell.exe
PID 4128 wrote to memory of 4300	4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	powershell.exe
PID 4128 wrote to memory of 4300	4128	1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1188574f43ab4949dbc23b2b0c358c64_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v System64 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\System64"
2⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v System64 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\System64"
3⤵
- Adds Run key to start application
PID:2860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Local\System64
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\System64
Filesize
659KB

MD5
1188574f43ab4949dbc23b2b0c358c64

SHA1
71fccbdd47f6285899cf45e0ba5d532490caa8ba

SHA256
0a5a8423274bf1f4ba1b90b99ef3efdadcb5459a519c47dc6ebb97a2065ead4c

SHA512
93cf09dd8efbcbb353d68f0b049fca2df8f52c13a23847de24049680dcc5bd46185870db098d2c5a283a1b4f4d2a7165a3f4304c2f77447b8bb34eff8a24c723

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dv0iy51z.rzb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4128-7-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4128-2-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/4128-4-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4128-5-0x0000000003250000-0x0000000003258000-memory.dmp

Filesize
32KB

Download
memory/4128-6-0x0000000006650000-0x00000000066E2000-memory.dmp

Filesize
584KB

Download
memory/4128-0-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/4128-8-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/4128-9-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4128-10-0x0000000006C00000-0x0000000006C44000-memory.dmp

Filesize
272KB

Download
memory/4128-11-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4128-12-0x0000000005DF0000-0x0000000005DF8000-memory.dmp

Filesize
32KB

Download
memory/4128-15-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4128-1-0x0000000000E20000-0x0000000000ECC000-memory.dmp

Filesize
688KB

Download
memory/4128-3-0x00000000031F0000-0x0000000003206000-memory.dmp

Filesize
88KB

Download
memory/4300-33-0x0000000005B50000-0x0000000005B6E000-memory.dmp

Filesize
120KB

Download
memory/4300-32-0x0000000005580000-0x00000000058D4000-memory.dmp

Filesize
3.3MB

Download
memory/4300-20-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

Filesize
136KB

Download
memory/4300-21-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/4300-19-0x0000000004C00000-0x0000000005228000-memory.dmp

Filesize
6.2MB

Download
memory/4300-22-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/4300-18-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4300-37-0x0000000006080000-0x00000000060A2000-memory.dmp

Filesize
136KB

Download
memory/4300-36-0x0000000006030000-0x000000000604A000-memory.dmp

Filesize
104KB

Download
memory/4300-35-0x00000000060F0000-0x0000000006186000-memory.dmp

Filesize
600KB

Download
memory/4300-34-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download
memory/4300-17-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4300-41-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4300-16-0x0000000004590000-0x00000000045C6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads