agenttesla | 5d29602ace80728915a5dcbcf3fdb46bc8a82bc5dacbe0c339cd9b544fbc17fc

Analysis

max time kernel
130s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
Size

410KB
MD5

d49652f293d246529d2102c8e962d85e
SHA1

04e31d28408be9d2963d402f368a880987b3851c
SHA256

5d29602ace80728915a5dcbcf3fdb46bc8a82bc5dacbe0c339cd9b544fbc17fc
SHA512

1e1c43fc685549bafc8be9d29f7f97935874b215e7b435d652eedce9c9946bb4370f2e41e3e6476ed0fabd3deaceab02f4f715e5d3475285802b170afee003af
SSDEEP

6144:QsVn8Y/2+3x5spUN1yY0zyZcVFVmPE45Ono0n4ed9PcTJpCvQLF:t58WhWmNEYOypPE450n4ewTJk

Score

10^/10

agenttesla defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.petrotos.gr
Port:
587
Username:
[email protected]
Password:
Tiger@456

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/3980-407-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

System Binary Proxy Execution: InstallUtil 1 TTPs 2 IoCs

Abuse InstallUtil to proxy execution of malicious code.

defense_evasion

InstallUtil

T1218.004

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\InstallUtil.exe	system32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3040	system32.exe
3980	InstallUtil.exe

Loads dropped DLL 2 IoCs

pid	Process
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
3040	system32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\system32.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 3980	3040	system32.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
3040	system32.exe
3980	InstallUtil.exe
3980	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
Token: SeDebugPrivilege	3040	system32.exe
Token: SeDebugPrivilege	3980	InstallUtil.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 4516	4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe	93
PID 4620 wrote to memory of 4516	4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe	93
PID 4620 wrote to memory of 4516	4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe	93
PID 4516 wrote to memory of 4324	4516	cmd.exe	95
PID 4516 wrote to memory of 4324	4516	cmd.exe	95
PID 4516 wrote to memory of 4324	4516	cmd.exe	95
PID 4620 wrote to memory of 3040	4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe	98
PID 4620 wrote to memory of 3040	4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe	98
PID 4620 wrote to memory of 3040	4620	d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe	98
PID 3040 wrote to memory of 3980	3040	system32.exe	99
PID 3040 wrote to memory of 3980	3040	system32.exe	99
PID 3040 wrote to memory of 3980	3040	system32.exe	99
PID 3040 wrote to memory of 3980	3040	system32.exe	99
PID 3040 wrote to memory of 3980	3040	system32.exe	99
PID 3040 wrote to memory of 3980	3040	system32.exe	99
PID 3040 wrote to memory of 3980	3040	system32.exe	99
PID 3040 wrote to memory of 3980	3040	system32.exe	99

C:\Users\Admin\AppData\Local\Temp\d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe"
1⤵
- System Binary Proxy Execution: InstallUtil
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system32 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system32 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4324
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe"
  2⤵
  - System Binary Proxy Execution: InstallUtil
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

InstallUtil

T1218.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4acacee3-cefe-4dab-b6f1-01f9a63ec79a\e.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe

Filesize
410KB

MD5
d49652f293d246529d2102c8e962d85e

SHA1
04e31d28408be9d2963d402f368a880987b3851c

SHA256
5d29602ace80728915a5dcbcf3fdb46bc8a82bc5dacbe0c339cd9b544fbc17fc

SHA512
1e1c43fc685549bafc8be9d29f7f97935874b215e7b435d652eedce9c9946bb4370f2e41e3e6476ed0fabd3deaceab02f4f715e5d3475285802b170afee003af

Download Submit
memory/3040-212-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/3040-214-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/3040-398-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/3040-399-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/3040-400-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/3040-408-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/3040-401-0x0000000006E50000-0x0000000006E5C000-memory.dmp

Filesize
48KB

Download
memory/3980-410-0x0000000006390000-0x00000000063A8000-memory.dmp

Filesize
96KB

Download
memory/3980-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3980-409-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/3980-411-0x0000000006440000-0x00000000064A6000-memory.dmp

Filesize
408KB

Download
memory/4620-44-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-20-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-70-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-68-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-66-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-64-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-62-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-60-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-58-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-56-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-54-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-52-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-48-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-46-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-74-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-42-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-41-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-38-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-36-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-34-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-32-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-30-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-22-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-72-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-18-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-16-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-15-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-14-0x0000000073B60000-0x0000000073BE9000-memory.dmp

Filesize
548KB

Download
memory/4620-28-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-26-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-24-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-195-0x00000000750DE000-0x00000000750DF000-memory.dmp

Filesize
4KB

Download
memory/4620-196-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4620-197-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4620-76-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-50-0x0000000002FF0000-0x0000000003015000-memory.dmp

Filesize
148KB

Download
memory/4620-6-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/4620-5-0x0000000005620000-0x0000000005664000-memory.dmp

Filesize
272KB

Download
memory/4620-4-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/4620-3-0x0000000002FF0000-0x000000000301C000-memory.dmp

Filesize
176KB

Download
memory/4620-2-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4620-1-0x0000000000BF0000-0x0000000000C5C000-memory.dmp

Filesize
432KB

Download
memory/4620-0-0x00000000750DE000-0x00000000750DF000-memory.dmp

Filesize
4KB

Download
memory/4620-199-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/4620-213-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download