agenttesla | 6b4736cadf2ab0f4477b857257ec184758cd846ebae168b2ccc4af62e6871835

Analysis

max time kernel
107s
max time network
109s
platform
windows7_x64
resource
win7v20201028
submitted
21-01-2021 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order 21-21.doc
Size

1.8MB
MD5

7c2eddeb04db10bd3f18c209e44f8ee5
SHA1

9ea7737b937666839fc2697fd105036ad22b6db9
SHA256

6b4736cadf2ab0f4477b857257ec184758cd846ebae168b2ccc4af62e6871835
SHA512

3e378ea1f6c5d6c2dec9c01d9aca73ab0bde58c1b79b709186dbec7a204c918092c5c57d469639abfe4b3154e2dd73cc425aaf172e9e02661bc96c73980c6f78

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.sardaplywood.com
Port:
587
Username:
superstars@sardaplywood.com
Password:
sup123st45

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/536-16-0x0000000004BF0000-0x0000000004C4C000-memory.dmp	family_agenttesla
behavioral1/memory/1380-20-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1380-21-0x000000000043769E-mapping.dmp	family_agenttesla
behavioral1/memory/1660-33-0x000000000043769E-mapping.dmp	family_agenttesla
behavioral1/memory/1380-28-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

5 1780 EQNEDT32.EXE
Executes dropped EXE 6 IoCs

Processes:

kdoto8943.scrkdoto8943.scrkdoto8943.scrkdoto8943.scrkdoto8943.scrkdoto8943.scr

pid process

536 kdoto8943.scr
1204 kdoto8943.scr
1380 kdoto8943.scr
472 kdoto8943.scr
300 kdoto8943.scr
1660 kdoto8943.scr
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1780 EQNEDT32.EXE
1780 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 api.ipify.org

flow	pid	process
5	1780	EQNEDT32.EXE

pid	process
536	kdoto8943.scr
1204	kdoto8943.scr
1380	kdoto8943.scr
472	kdoto8943.scr
300	kdoto8943.scr
1660	kdoto8943.scr

pid	process
1780	EQNEDT32.EXE
1780	EQNEDT32.EXE

flow	ioc
7	api.ipify.org
8	api.ipify.org

Suspicious use of SetThreadContext 5 IoCs

Processes:

kdoto8943.scr

description	pid	process	target process
PID 536 set thread context of 1204	536	kdoto8943.scr	kdoto8943.scr
PID 536 set thread context of 1380	536	kdoto8943.scr	kdoto8943.scr
PID 536 set thread context of 472	536	kdoto8943.scr	kdoto8943.scr
PID 536 set thread context of 300	536	kdoto8943.scr	kdoto8943.scr
PID 536 set thread context of 1660	536	kdoto8943.scr	kdoto8943.scr

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1780 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1780	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1740 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

kdoto8943.scrkdoto8943.scr

pid process

536 kdoto8943.scr
536 kdoto8943.scr
1660 kdoto8943.scr
1660 kdoto8943.scr
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kdoto8943.scrkdoto8943.scr

description pid process

Token: SeDebugPrivilege 536 kdoto8943.scr
Token: SeDebugPrivilege 1660 kdoto8943.scr
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEkdoto8943.scr

pid process

1740 WINWORD.EXE
1740 WINWORD.EXE
1660 kdoto8943.scr

pid	process
1740	WINWORD.EXE

pid	process
536	kdoto8943.scr
536	kdoto8943.scr
1660	kdoto8943.scr
1660	kdoto8943.scr

description	pid	process
Token: SeDebugPrivilege	536	kdoto8943.scr
Token: SeDebugPrivilege	1660	kdoto8943.scr

pid	process
1740	WINWORD.EXE
1740	WINWORD.EXE
1660	kdoto8943.scr

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

EQNEDT32.EXEkdoto8943.scr

description	pid	process	target process
PID 1780 wrote to memory of 536	1780	EQNEDT32.EXE	kdoto8943.scr
PID 1780 wrote to memory of 536	1780	EQNEDT32.EXE	kdoto8943.scr
PID 1780 wrote to memory of 536	1780	EQNEDT32.EXE	kdoto8943.scr
PID 1780 wrote to memory of 536	1780	EQNEDT32.EXE	kdoto8943.scr
PID 536 wrote to memory of 1204	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1204	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1204	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1204	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1204	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1380	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1380	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1380	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1380	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1380	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1380	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1380	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1380	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1380	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 472	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 472	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 472	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 472	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 472	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 300	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 300	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 300	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 300	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 300	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1660	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1660	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1660	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1660	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1660	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1660	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1660	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1660	536	kdoto8943.scr	kdoto8943.scr
PID 536 wrote to memory of 1660	536	kdoto8943.scr	kdoto8943.scr

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order 21-21.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Roaming\kdoto8943.scr
"C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Roaming\kdoto8943.scr
"C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
3⤵
- Executes dropped EXE
PID:1204

C:\Users\Admin\AppData\Roaming\kdoto8943.scr
"C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
3⤵
- Executes dropped EXE
PID:472

C:\Users\Admin\AppData\Roaming\kdoto8943.scr
"C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
3⤵
- Executes dropped EXE
PID:1380

C:\Users\Admin\AppData\Roaming\kdoto8943.scr
"C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
3⤵
- Executes dropped EXE
PID:300

C:\Users\Admin\AppData\Roaming\kdoto8943.scr
"C:\Users\Admin\AppData\Roaming\kdoto8943.scr"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\kdoto8943.scr
MD5
b95249a3ceacb06a049d3f211479fc7e

SHA1
5de29c60c381140276e5e96b473018a73bdd53eb

SHA256
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af

SHA512
3591c84202c405366e4fb38befabfe14fa3324745e32d1cc254c803e4e9a4bb7871afba6ee4649a2f33f97186640acbab2e75da4be9440d52711e416eac9bf47

Download Submit
C:\Users\Admin\AppData\Roaming\kdoto8943.scr
MD5
b95249a3ceacb06a049d3f211479fc7e

SHA1
5de29c60c381140276e5e96b473018a73bdd53eb

SHA256
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af

SHA512
3591c84202c405366e4fb38befabfe14fa3324745e32d1cc254c803e4e9a4bb7871afba6ee4649a2f33f97186640acbab2e75da4be9440d52711e416eac9bf47

Download Submit
C:\Users\Admin\AppData\Roaming\kdoto8943.scr
MD5
b95249a3ceacb06a049d3f211479fc7e

SHA1
5de29c60c381140276e5e96b473018a73bdd53eb

SHA256
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af

SHA512
3591c84202c405366e4fb38befabfe14fa3324745e32d1cc254c803e4e9a4bb7871afba6ee4649a2f33f97186640acbab2e75da4be9440d52711e416eac9bf47

Download Submit
C:\Users\Admin\AppData\Roaming\kdoto8943.scr
MD5
b95249a3ceacb06a049d3f211479fc7e

SHA1
5de29c60c381140276e5e96b473018a73bdd53eb

SHA256
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af

SHA512
3591c84202c405366e4fb38befabfe14fa3324745e32d1cc254c803e4e9a4bb7871afba6ee4649a2f33f97186640acbab2e75da4be9440d52711e416eac9bf47

Download Submit
C:\Users\Admin\AppData\Roaming\kdoto8943.scr
MD5
b95249a3ceacb06a049d3f211479fc7e

SHA1
5de29c60c381140276e5e96b473018a73bdd53eb

SHA256
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af

SHA512
3591c84202c405366e4fb38befabfe14fa3324745e32d1cc254c803e4e9a4bb7871afba6ee4649a2f33f97186640acbab2e75da4be9440d52711e416eac9bf47

Download Submit
C:\Users\Admin\AppData\Roaming\kdoto8943.scr
MD5
b95249a3ceacb06a049d3f211479fc7e

SHA1
5de29c60c381140276e5e96b473018a73bdd53eb

SHA256
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af

SHA512
3591c84202c405366e4fb38befabfe14fa3324745e32d1cc254c803e4e9a4bb7871afba6ee4649a2f33f97186640acbab2e75da4be9440d52711e416eac9bf47

Download Submit
C:\Users\Admin\AppData\Roaming\kdoto8943.scr
MD5
b95249a3ceacb06a049d3f211479fc7e

SHA1
5de29c60c381140276e5e96b473018a73bdd53eb

SHA256
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af

SHA512
3591c84202c405366e4fb38befabfe14fa3324745e32d1cc254c803e4e9a4bb7871afba6ee4649a2f33f97186640acbab2e75da4be9440d52711e416eac9bf47

Download Submit
\Users\Admin\AppData\Roaming\kdoto8943.scr
MD5
b95249a3ceacb06a049d3f211479fc7e

SHA1
5de29c60c381140276e5e96b473018a73bdd53eb

SHA256
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af

SHA512
3591c84202c405366e4fb38befabfe14fa3324745e32d1cc254c803e4e9a4bb7871afba6ee4649a2f33f97186640acbab2e75da4be9440d52711e416eac9bf47

Download Submit
\Users\Admin\AppData\Roaming\kdoto8943.scr
MD5
b95249a3ceacb06a049d3f211479fc7e

SHA1
5de29c60c381140276e5e96b473018a73bdd53eb

SHA256
bd600300188d8cb735f9e4afcc580398a2842126c9a5e884259fd2d46ac103af

SHA512
3591c84202c405366e4fb38befabfe14fa3324745e32d1cc254c803e4e9a4bb7871afba6ee4649a2f33f97186640acbab2e75da4be9440d52711e416eac9bf47

Download Submit
memory/300-29-0x000000000043769E-mapping.dmp

Download
memory/472-25-0x000000000043769E-mapping.dmp

Download
memory/536-15-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/536-13-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/536-16-0x0000000004BF0000-0x0000000004C4C000-memory.dmp

Filesize
368KB

Download
memory/536-12-0x000000006B500000-0x000000006BBEE000-memory.dmp

Filesize
6.9MB

Download
memory/536-9-0x0000000000000000-mapping.dmp

Download
memory/536-36-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/1088-6-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp

Filesize
2.5MB

Download
memory/1204-18-0x000000000043769E-mapping.dmp

Download
memory/1380-21-0x000000000043769E-mapping.dmp

Download
memory/1380-23-0x000000006B500000-0x000000006BBEE000-memory.dmp

Filesize
6.9MB

Download
memory/1380-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-39-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/1660-33-0x000000000043769E-mapping.dmp

Download
memory/1660-35-0x000000006B500000-0x000000006BBEE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-40-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1660-41-0x00000000049D1000-0x00000000049D2000-memory.dmp

Filesize
4KB

Download
memory/1740-2-0x00000000728E1000-0x00000000728E4000-memory.dmp

Filesize
12KB

Download
memory/1740-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1740-3-0x0000000070361000-0x0000000070363000-memory.dmp

Filesize
8KB

Download
memory/1780-5-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download