agenttesla | c6b6c3ad94852d0fb8d6cf6d3aa2c4bfd14c627287317a72995a4c59a12d331e

Analysis

max time kernel
107s
max time network
107s
platform
windows7_x64
resource
win7v20201028
submitted
22-01-2021 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL SHIPPING INVOICE DOCUMENTS.doc
Size

1.9MB
MD5

8a415789b67c76118e31ca3748f528d0
SHA1

96ff9794cf429dd2bd8c7744622e28df2d6032a0
SHA256

c6b6c3ad94852d0fb8d6cf6d3aa2c4bfd14c627287317a72995a4c59a12d331e
SHA512

c89a719a3a48b61f6db38c8041e61ad83c387daaa280ca1380687c71038d39fe5961c3eb92adad047f826220ab6c95c6d508ee053590187bb4286a7849c8d103

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.sardaplywood.com
Port:
587
Username:
superstars@sardaplywood.com
Password:
sup123st45

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/820-16-0x0000000004F10000-0x0000000004F6C000-memory.dmp	family_agenttesla
behavioral1/memory/1968-18-0x000000000043768E-mapping.dmp	family_agenttesla
behavioral1/memory/1968-17-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1968-25-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1772-29-0x000000000043768E-mapping.dmp	family_agenttesla
behavioral1/memory/316-40-0x000000000043768E-mapping.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

5 1964 EQNEDT32.EXE
Executes dropped EXE 6 IoCs

Processes:

dmitrix2681.scrdmitrix2681.scrdmitrix2681.scrdmitrix2681.scrdmitrix2681.scrdmitrix2681.scr

pid process

820 dmitrix2681.scr
1968 dmitrix2681.scr
1608 dmitrix2681.scr
1772 dmitrix2681.scr
1804 dmitrix2681.scr
316 dmitrix2681.scr
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1964 EQNEDT32.EXE
1964 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 api.ipify.org

flow	pid	process
5	1964	EQNEDT32.EXE

pid	process
820	dmitrix2681.scr
1968	dmitrix2681.scr
1608	dmitrix2681.scr
1772	dmitrix2681.scr
1804	dmitrix2681.scr
316	dmitrix2681.scr

pid	process
1964	EQNEDT32.EXE
1964	EQNEDT32.EXE

flow	ioc
7	api.ipify.org
8	api.ipify.org

Suspicious use of SetThreadContext 5 IoCs

Processes:

dmitrix2681.scr

description	pid	process	target process
PID 820 set thread context of 1968	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 set thread context of 1608	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 set thread context of 1772	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 set thread context of 1804	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 set thread context of 316	820	dmitrix2681.scr	dmitrix2681.scr

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1964 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1964	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1680 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dmitrix2681.scrdmitrix2681.scr

pid process

820 dmitrix2681.scr
820 dmitrix2681.scr
1772 dmitrix2681.scr
1772 dmitrix2681.scr
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dmitrix2681.scrdmitrix2681.scr

description pid process

Token: SeDebugPrivilege 820 dmitrix2681.scr
Token: SeDebugPrivilege 1772 dmitrix2681.scr
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEdmitrix2681.scr

pid process

1680 WINWORD.EXE
1680 WINWORD.EXE
1772 dmitrix2681.scr

pid	process
1680	WINWORD.EXE

pid	process
820	dmitrix2681.scr
820	dmitrix2681.scr
1772	dmitrix2681.scr
1772	dmitrix2681.scr

description	pid	process
Token: SeDebugPrivilege	820	dmitrix2681.scr
Token: SeDebugPrivilege	1772	dmitrix2681.scr

pid	process
1680	WINWORD.EXE
1680	WINWORD.EXE
1772	dmitrix2681.scr

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

EQNEDT32.EXEdmitrix2681.scr

description	pid	process	target process
PID 1964 wrote to memory of 820	1964	EQNEDT32.EXE	dmitrix2681.scr
PID 1964 wrote to memory of 820	1964	EQNEDT32.EXE	dmitrix2681.scr
PID 1964 wrote to memory of 820	1964	EQNEDT32.EXE	dmitrix2681.scr
PID 1964 wrote to memory of 820	1964	EQNEDT32.EXE	dmitrix2681.scr
PID 820 wrote to memory of 1968	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1968	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1968	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1968	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1968	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1968	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1968	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1968	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1968	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1608	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1608	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1608	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1608	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1608	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1608	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1608	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1608	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1608	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1772	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1772	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1772	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1772	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1772	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1772	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1772	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1772	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1772	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1804	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1804	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1804	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1804	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1804	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1804	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1804	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1804	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 1804	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 316	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 316	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 316	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 316	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 316	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 316	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 316	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 316	820	dmitrix2681.scr	dmitrix2681.scr
PID 820 wrote to memory of 316	820	dmitrix2681.scr	dmitrix2681.scr

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DHL SHIPPING INVOICE DOCUMENTS.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
"C:\Users\Admin\AppData\Roaming\dmitrix2681.scr"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
"C:\Users\Admin\AppData\Roaming\dmitrix2681.scr"
3⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
"C:\Users\Admin\AppData\Roaming\dmitrix2681.scr"
3⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
"C:\Users\Admin\AppData\Roaming\dmitrix2681.scr"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
"C:\Users\Admin\AppData\Roaming\dmitrix2681.scr"
3⤵
- Executes dropped EXE
PID:1804

C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
"C:\Users\Admin\AppData\Roaming\dmitrix2681.scr"
3⤵
- Executes dropped EXE
PID:316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
MD5
8f067e5d8c2bfb6d64f3b747566e5790

SHA1
967ac2725a7be422b5b1349c971dd792c877ff47

SHA256
7d7924e92e2e23345b47169e428d4bc85cd5140e733e90512d28cef9e7d0c38a

SHA512
480cef0f3e98f8d93df1cb4cc8c1f10d9d35c6591012a1286c5fc9a244f7f7cd99bdab6f328bd33d02640480d8f769a27657b37039b4df62d82064ddad195785

Download Submit
C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
MD5
8f067e5d8c2bfb6d64f3b747566e5790

SHA1
967ac2725a7be422b5b1349c971dd792c877ff47

SHA256
7d7924e92e2e23345b47169e428d4bc85cd5140e733e90512d28cef9e7d0c38a

SHA512
480cef0f3e98f8d93df1cb4cc8c1f10d9d35c6591012a1286c5fc9a244f7f7cd99bdab6f328bd33d02640480d8f769a27657b37039b4df62d82064ddad195785

Download Submit
C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
MD5
8f067e5d8c2bfb6d64f3b747566e5790

SHA1
967ac2725a7be422b5b1349c971dd792c877ff47

SHA256
7d7924e92e2e23345b47169e428d4bc85cd5140e733e90512d28cef9e7d0c38a

SHA512
480cef0f3e98f8d93df1cb4cc8c1f10d9d35c6591012a1286c5fc9a244f7f7cd99bdab6f328bd33d02640480d8f769a27657b37039b4df62d82064ddad195785

Download Submit
C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
MD5
8f067e5d8c2bfb6d64f3b747566e5790

SHA1
967ac2725a7be422b5b1349c971dd792c877ff47

SHA256
7d7924e92e2e23345b47169e428d4bc85cd5140e733e90512d28cef9e7d0c38a

SHA512
480cef0f3e98f8d93df1cb4cc8c1f10d9d35c6591012a1286c5fc9a244f7f7cd99bdab6f328bd33d02640480d8f769a27657b37039b4df62d82064ddad195785

Download Submit
C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
MD5
8f067e5d8c2bfb6d64f3b747566e5790

SHA1
967ac2725a7be422b5b1349c971dd792c877ff47

SHA256
7d7924e92e2e23345b47169e428d4bc85cd5140e733e90512d28cef9e7d0c38a

SHA512
480cef0f3e98f8d93df1cb4cc8c1f10d9d35c6591012a1286c5fc9a244f7f7cd99bdab6f328bd33d02640480d8f769a27657b37039b4df62d82064ddad195785

Download Submit
C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
MD5
8f067e5d8c2bfb6d64f3b747566e5790

SHA1
967ac2725a7be422b5b1349c971dd792c877ff47

SHA256
7d7924e92e2e23345b47169e428d4bc85cd5140e733e90512d28cef9e7d0c38a

SHA512
480cef0f3e98f8d93df1cb4cc8c1f10d9d35c6591012a1286c5fc9a244f7f7cd99bdab6f328bd33d02640480d8f769a27657b37039b4df62d82064ddad195785

Download Submit
C:\Users\Admin\AppData\Roaming\dmitrix2681.scr
MD5
8f067e5d8c2bfb6d64f3b747566e5790

SHA1
967ac2725a7be422b5b1349c971dd792c877ff47

SHA256
7d7924e92e2e23345b47169e428d4bc85cd5140e733e90512d28cef9e7d0c38a

SHA512
480cef0f3e98f8d93df1cb4cc8c1f10d9d35c6591012a1286c5fc9a244f7f7cd99bdab6f328bd33d02640480d8f769a27657b37039b4df62d82064ddad195785

Download Submit
\Users\Admin\AppData\Roaming\dmitrix2681.scr
MD5
8f067e5d8c2bfb6d64f3b747566e5790

SHA1
967ac2725a7be422b5b1349c971dd792c877ff47

SHA256
7d7924e92e2e23345b47169e428d4bc85cd5140e733e90512d28cef9e7d0c38a

SHA512
480cef0f3e98f8d93df1cb4cc8c1f10d9d35c6591012a1286c5fc9a244f7f7cd99bdab6f328bd33d02640480d8f769a27657b37039b4df62d82064ddad195785

Download Submit
\Users\Admin\AppData\Roaming\dmitrix2681.scr
MD5
8f067e5d8c2bfb6d64f3b747566e5790

SHA1
967ac2725a7be422b5b1349c971dd792c877ff47

SHA256
7d7924e92e2e23345b47169e428d4bc85cd5140e733e90512d28cef9e7d0c38a

SHA512
480cef0f3e98f8d93df1cb4cc8c1f10d9d35c6591012a1286c5fc9a244f7f7cd99bdab6f328bd33d02640480d8f769a27657b37039b4df62d82064ddad195785

Download Submit
memory/316-42-0x000000006B9E0000-0x000000006C0CE000-memory.dmp

Filesize
6.9MB

Download
memory/316-40-0x000000000043768E-mapping.dmp

Download
memory/820-13-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/820-15-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/820-16-0x0000000004F10000-0x0000000004F6C000-memory.dmp

Filesize
368KB

Download
memory/820-12-0x000000006B9E0000-0x000000006C0CE000-memory.dmp

Filesize
6.9MB

Download
memory/820-27-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/820-9-0x0000000000000000-mapping.dmp

Download
memory/1296-6-0x000007FEF68D0000-0x000007FEF6B4A000-memory.dmp

Filesize
2.5MB

Download
memory/1608-24-0x000000006B9E0000-0x000000006C0CE000-memory.dmp

Filesize
6.9MB

Download
memory/1608-22-0x000000000043768E-mapping.dmp

Download
memory/1680-3-0x0000000070841000-0x0000000070843000-memory.dmp

Filesize
8KB

Download
memory/1680-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1680-2-0x0000000072DC1000-0x0000000072DC4000-memory.dmp

Filesize
12KB

Download
memory/1772-32-0x000000006B9E0000-0x000000006C0CE000-memory.dmp

Filesize
6.9MB

Download
memory/1772-29-0x000000000043768E-mapping.dmp

Download
memory/1772-44-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/1772-45-0x0000000004C01000-0x0000000004C02000-memory.dmp

Filesize
4KB

Download
memory/1804-33-0x000000000043768E-mapping.dmp

Download
memory/1804-36-0x000000006B9E0000-0x000000006C0CE000-memory.dmp

Filesize
6.9MB

Download
memory/1964-5-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1968-21-0x000000006B9E0000-0x000000006C0CE000-memory.dmp

Filesize
6.9MB

Download
memory/1968-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-18-0x000000000043768E-mapping.dmp

Download