agenttesla | 191c3798be77e205711c854c27a25152dcc6185858f95e404ad71fd34c7214ef

General

Target

PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm
Size

137KB
MD5

2cb0d10d142dcee0d4f941ee11492746
SHA1

ecaf75e4135bb8f585ce31249d3284871dc4d042
SHA256

191c3798be77e205711c854c27a25152dcc6185858f95e404ad71fd34c7214ef
SHA512

9299a052bf6a32c2bc1edc91a14d38b9b80dcb78596a1190db1175ab8738d2f55b6879f127129d758e0ec9ce7879717f0fab59a87fa70b10f3c4948408a1c7c1

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Public\svchost32.exe	family_agenttesla
C:\Users\Public\svchost32.exe	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

svchost32.exe

pid process

3852 svchost32.exe

pid	process
3852	svchost32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3680 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost32.exe

pid process

3852 svchost32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost32.exe

description pid process

Token: SeDebugPrivilege 3852 svchost32.exe

pid	process
3852	svchost32.exe

description	pid	process
Token: SeDebugPrivilege	3852	svchost32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 3680 wrote to memory of 3852	3680	EXCEL.EXE	svchost32.exe
PID 3680 wrote to memory of 3852	3680	EXCEL.EXE	svchost32.exe
PID 3680 wrote to memory of 3852	3680	EXCEL.EXE	svchost32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Public\svchost32.exe
"C:\Users\Public\svchost32.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\svchost32.exe
MD5
9b65bdf577ccfeacc1abb78248f96fc4

SHA1
0e2c6bf9dcbfdd7b32e0c8498256ba5f58da6099

SHA256
02261d11f15d4b62340ceed9b3ab2e1520ed3206ba85331be8a775426969ba1d

SHA512
215ff6170a2504c35dd7d81d5a66df0d561709e3ce2001371de58e77bfe3f2cc82b59cac3f917b9bbae603e4c3a9e808245b07cf978cd9ec7569ee46fbd8d8fc

Download Submit
C:\Users\Public\svchost32.exe
MD5
9b65bdf577ccfeacc1abb78248f96fc4

SHA1
0e2c6bf9dcbfdd7b32e0c8498256ba5f58da6099

SHA256
02261d11f15d4b62340ceed9b3ab2e1520ed3206ba85331be8a775426969ba1d

SHA512
215ff6170a2504c35dd7d81d5a66df0d561709e3ce2001371de58e77bfe3f2cc82b59cac3f917b9bbae603e4c3a9e808245b07cf978cd9ec7569ee46fbd8d8fc

Download Submit
memory/3852-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads