agenttesla | 42a79ea60f01d619dd9886f6e37745bfd8783a6c85bcab51b76ee3e2c8e4a26c

General

Target

995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe
Size

1.4MB
MD5

995f49454cab4d1a79a73620a454a191
SHA1

fab9bb3b3d54b5b5fd2dda76469c00820d510439
SHA256

42a79ea60f01d619dd9886f6e37745bfd8783a6c85bcab51b76ee3e2c8e4a26c
SHA512

e7e6f74c38b086afcc823349dbedc4af7c28da00fe966fc7d049705cb86877aeca7e51c657bd7b9f97e5dd1132341c4d09190348b0d67374b9f59e1cbdb559a4
SSDEEP

24576:5PxMfmw1AXiS0rMaqERwrH4wOVfa+vUe/I7YcMUigeVPNDo7zjdrGTjjefU:QRai1vfC0phQ7YcMUigeVlDAzpregU

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.dogulumetal.com
Port:
587
Username:
[email protected]
Password:
DMaslak2950**

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 5 IoCs

resource	yara_rule
behavioral1/memory/3052-53-0x0000000000400000-0x0000000000458000-memory.dmp	family_agenttesla
behavioral1/memory/3052-50-0x0000000000400000-0x0000000000458000-memory.dmp	family_agenttesla
behavioral1/memory/3052-47-0x0000000000400000-0x0000000000458000-memory.dmp	family_agenttesla
behavioral1/memory/3052-52-0x0000000000400000-0x0000000000458000-memory.dmp	family_agenttesla
behavioral1/memory/3052-45-0x0000000000400000-0x0000000000458000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1428	ori2crypt.exe
2680	ori4crypt.exe

Loads dropped DLL 2 IoCs

pid	Process
2428	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe
2428	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 2428	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe
1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe
1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2428	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2396	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	30
PID 1912 wrote to memory of 2396	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	30
PID 1912 wrote to memory of 2396	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	30
PID 1912 wrote to memory of 2396	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	30
PID 1912 wrote to memory of 2428	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	31
PID 1912 wrote to memory of 2428	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	31
PID 1912 wrote to memory of 2428	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	31
PID 1912 wrote to memory of 2428	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	31
PID 1912 wrote to memory of 2428	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	31
PID 1912 wrote to memory of 2428	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	31
PID 1912 wrote to memory of 2428	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	31
PID 1912 wrote to memory of 2428	1912	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	31
PID 2428 wrote to memory of 1428	2428	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	32
PID 2428 wrote to memory of 1428	2428	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	32
PID 2428 wrote to memory of 1428	2428	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	32
PID 2428 wrote to memory of 1428	2428	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	32
PID 2428 wrote to memory of 2680	2428	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	33
PID 2428 wrote to memory of 2680	2428	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	33
PID 2428 wrote to memory of 2680	2428	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	33
PID 2428 wrote to memory of 2680	2428	995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe"
  2⤵
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\995f49454cab4d1a79a73620a454a191_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\ori2crypt.exe
    "C:\Users\Admin\AppData\Local\Temp\ori2crypt.exe" 0
    3⤵
    - Executes dropped EXE
    PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\ori2crypt.exe
      "C:\Users\Admin\AppData\Local\Temp\ori2crypt.exe"
      4⤵
      PID:3052
- - C:\Users\Admin\AppData\Local\Temp\ori4crypt.exe
    "C:\Users\Admin\AppData\Local\Temp\ori4crypt.exe" 0
    3⤵
    - Executes dropped EXE
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ori2crypt.exe

Filesize
448KB

MD5
86a60424dbef02793d797001801f0e3b

SHA1
c3c1fb75dd03f4071097c8c9908fac7e475b1849

SHA256
59d78b2a753c1d0a0e4fafa79ceb7e4c2fff9600f390fff15623bc2804b4aa25

SHA512
85db051f6480d02355be3a550be8e4a53f519fe97a2202edc300aa1ae4f75a66b9af1846453ad4ca5185a062c38f7b8fbbfdbab37f33567534d5300e2954b78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ori4crypt.exe

Filesize
561KB

MD5
8aeb8a6f328d5037f72f2d05059689e1

SHA1
803bd51629fd1e4b6feb2187fd808981a6ac341b

SHA256
3146ecadfe100257ddd3dd5585a76b9fd38f0366c9671ace458676ac73a5a1f2

SHA512
1b8c1bd15e81624e2d35778b1212dab957fc12e2cc669da4029fa5ad2983d4832eefe405b9bf58ac63ef83f533f1ab4c372a1a08f9e46c93d915410c738fbd19

Download Submit
\Users\Admin\AppData\Local\Temp\ori2crypt.exe

Filesize
592KB

MD5
4f88a966ce9395ce4c44cabed10b0a54

SHA1
f5a44c49e6b1112c2e819b676972281688e97aee

SHA256
148b0c0331a2405acb923f2eb337d45361ee62e46a4fc6ebdd8cc782c95cbadb

SHA512
170911949c8ce51fc4c3a9086e6601455195560b0a7a6c553e2f1e446ff2c1e4dfa29c97d204fdb8df08a7b7dea64a070132574590161bb3ac8c9ab9dadb328a

Download Submit
memory/1428-54-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1428-39-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1428-36-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1428-31-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1428-29-0x00000000748D1000-0x00000000748D2000-memory.dmp

Filesize
4KB

Download
memory/1912-4-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1912-3-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1912-0-0x00000000748D1000-0x00000000748D2000-memory.dmp

Filesize
4KB

Download
memory/1912-2-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1912-1-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1912-20-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2428-37-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2428-16-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2428-7-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2428-5-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2428-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2428-9-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2428-13-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2680-38-0x0000000000EE0000-0x0000000000F72000-memory.dmp

Filesize
584KB

Download
memory/3052-53-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3052-50-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3052-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3052-47-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3052-52-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3052-45-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3052-43-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3052-41-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing