agenttesla | c8792bf91afadb45be4732aa53a644e1aa01cc64a6c59e1fa84a05ed4f26e9ef

General

Target

6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe
Size

1.4MB
MD5

6d15881beb1e1e6f550c3c461f3abf4f
SHA1

bc3d19be6be897122245d372deb17e2c7683d7e4
SHA256

c8792bf91afadb45be4732aa53a644e1aa01cc64a6c59e1fa84a05ed4f26e9ef
SHA512

a27eb28a7df64690134ca96bf775ad404437bc4b4e50be7e6f0cef6cc8441e160e880c64d47828e423d7389b710b57762d8ccde70d4f2fc3cf489eeca2347c2f
SSDEEP

6144:GzuidtRNEzCjP4tj1LamdiGT1jszJssN+qZRFVkLFKB8BW8/LRFnyJN7sL4agU0J:UtRKuTccVkjsz7NlVkLmSDy8s8

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.gandi.net
Port:
587
Username:
[email protected]
Password:
Blessed000@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2772-19-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2772-22-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2772-23-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2772-24-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2772-17-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

appx.exe

pid process

2636 appx.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2788 cmd.exe

pid	process
2636	appx.exe

pid	process
2788	cmd.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

appx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\appx = "C:\\Users\\Admin\\AppData\\Roaming\\appx.exe"	appx.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

appx.exe

description pid process target process

PID 2636 set thread context of 2772 2636 appx.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

InstallUtil.exe

pid process

2772 InstallUtil.exe
2772 InstallUtil.exe

description	pid	process	target process
PID 2636 set thread context of 2772	2636	appx.exe	InstallUtil.exe

pid	process
2772	InstallUtil.exe
2772	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exeappx.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	2296	6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe
Token: SeDebugPrivilege	2636	appx.exe
Token: SeDebugPrivilege	2772	InstallUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

2772 InstallUtil.exe

pid	process
2772	InstallUtil.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.execmd.exeappx.exe

description	pid	process	target process
PID 2296 wrote to memory of 2816	2296	6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2816	2296	6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2816	2296	6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2816	2296	6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2788	2296	6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2788	2296	6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2788	2296	6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2788	2296	6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe	cmd.exe
PID 2788 wrote to memory of 2636	2788	cmd.exe	appx.exe
PID 2788 wrote to memory of 2636	2788	cmd.exe	appx.exe
PID 2788 wrote to memory of 2636	2788	cmd.exe	appx.exe
PID 2788 wrote to memory of 2636	2788	cmd.exe	appx.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe
PID 2636 wrote to memory of 2772	2636	appx.exe	InstallUtil.exe

outlook_office_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\6d15881beb1e1e6f550c3c461f3abf4f_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\appx.exe"
2⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\appx.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Roaming\appx.exe
"C:\Users\Admin\AppData\Roaming\appx.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2772

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\appx.exe
Filesize
1.4MB

MD5
6d15881beb1e1e6f550c3c461f3abf4f

SHA1
bc3d19be6be897122245d372deb17e2c7683d7e4

SHA256
c8792bf91afadb45be4732aa53a644e1aa01cc64a6c59e1fa84a05ed4f26e9ef

SHA512
a27eb28a7df64690134ca96bf775ad404437bc4b4e50be7e6f0cef6cc8441e160e880c64d47828e423d7389b710b57762d8ccde70d4f2fc3cf489eeca2347c2f

Download Submit
memory/2296-10-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-1-0x0000000000BE0000-0x0000000000D56000-memory.dmp

Filesize
1.5MB

Download
memory/2296-2-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2296-3-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-4-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/2296-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/2636-12-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/2636-11-0x0000000000D70000-0x0000000000EE6000-memory.dmp

Filesize
1.5MB

Download
memory/2772-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2772-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2772-19-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2772-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2772-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2772-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2772-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2772-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads