agenttesla | 5f72eaac08827dde28d9fb7e945856329d8e06a5557557f300ae67b13f967745

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe
Size

1.9MB
MD5

5fc640b52af0bd71a56f22622520e2f5
SHA1

52ef9db0719881a02d5d56b28c499607bccd6d95
SHA256

5f72eaac08827dde28d9fb7e945856329d8e06a5557557f300ae67b13f967745
SHA512

ca65d050aeff678152d6694c8c5e4c39d724a7fe953e757f7d9f038f61d330a7ebfd51e9776cbeab9bc289c10c08d1275ec8c98687f51cb262c7dd4f30c0567f
SSDEEP

24576:iavuwCYVVVxg7y61og65VQUUaoEp9W64UJKW1mPLFeCXDMDYA:zvZTVD61SVVW64UJKW1mPLFeCXDMDYA

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.shakurjay.com
Port:
587
Username:
[email protected]
Password:
zpwXtxm7

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/4804-5-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 4804	3012	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe	106

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4804	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe
4804	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4804	3012	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe	106
PID 3012 wrote to memory of 4804	3012	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe	106
PID 3012 wrote to memory of 4804	3012	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe	106
PID 3012 wrote to memory of 4804	3012	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe	106
PID 3012 wrote to memory of 4804	3012	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe	106
PID 3012 wrote to memory of 4804	3012	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe	106
PID 3012 wrote to memory of 4804	3012	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe	106
PID 3012 wrote to memory of 4804	3012	5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe	106

C:\Users\Admin\AppData\Local\Temp\5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\5fc640b52af0bd71a56f22622520e2f5_JaffaCakes118.exe.log

Filesize
594B

MD5
fdb26b3b547022b45cfaeee57eafd566

SHA1
11c6798b8a59233f404014c5e79b3363cd564b37

SHA256
2707fc7f074413881b7bafca05079327b188db6005709951e7f69d39a2af97c0

SHA512
44d9bb8c0f0b341690d00eda86e15a50f7f29ce9595925c1a2a7e19ad26202d10049a7a97bea278ecb7d429ad555de8edceeffff664d4b06309a9410a09bb700

Download Submit
memory/3012-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3012-2-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3012-3-0x0000000074EF2000-0x0000000074EF3000-memory.dmp

Filesize
4KB

Download
memory/3012-4-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3012-11-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3012-0-0x0000000074EF2000-0x0000000074EF3000-memory.dmp

Filesize
4KB

Download
memory/4804-8-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4804-9-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4804-10-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4804-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-12-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4804-13-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4804-14-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download