agenttesla | 7d1bd0f1e6c73ead87681243ebfc1576158807ae4d3448d39b1ee35db265b753

General

Target

Revised-RBG-180129940.xlsx
Size

402KB
MD5

9a21b20bf0f722b2cd46058cbfad5571
SHA1

f359c45f331d5b159a1ae6ef80135f937bf32856
SHA256

7d1bd0f1e6c73ead87681243ebfc1576158807ae4d3448d39b1ee35db265b753
SHA512

8f350b572b864c5a2a96ad8306266e1cc6dfb7c3d81d18894dfdddda099a9d21a97b3aabaee41769693e862158f5282bc873d2f0e9bcfdea3be62a0b4e116328

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.shreejilogistix.com
Port:
587
Username:
[email protected]
Password:
ZHNecv9PfHk2

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/912-26-0x0000000000230000-0x000000000027D000-memory.dmp	family_agenttesla
behavioral1/memory/912-27-0x0000000000620000-0x000000000066C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

16 760 EQNEDT32.EXE
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1688 vbc.exe
Abuses OpenXML format to download file from external location
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

760 EQNEDT32.EXE
760 EQNEDT32.EXE
760 EQNEDT32.EXE
760 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
16	760	EQNEDT32.EXE

pid	process
1688	vbc.exe

pid	process
760	EQNEDT32.EXE
760	EQNEDT32.EXE
760	EQNEDT32.EXE
760	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Swely = "C:\\Users\\Public\\Libraries\\ylewS.url"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1688 set thread context of 912 1688 vbc.exe svchost.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

760 EQNEDT32.EXE

description	pid	process	target process
PID 1688 set thread context of 912	1688	vbc.exe	svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
760	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 18 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1812 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

912 svchost.exe
912 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 912 svchost.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1812 EXCEL.EXE
1812 EXCEL.EXE
1812 EXCEL.EXE
280 WINWORD.EXE
280 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1812	EXCEL.EXE

pid	process
912	svchost.exe
912	svchost.exe

description	pid	process
Token: SeDebugPrivilege	912	svchost.exe

pid	process
1812	EXCEL.EXE
1812	EXCEL.EXE
1812	EXCEL.EXE
280	WINWORD.EXE
280	WINWORD.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 760 wrote to memory of 1688	760	EQNEDT32.EXE	vbc.exe
PID 760 wrote to memory of 1688	760	EQNEDT32.EXE	vbc.exe
PID 760 wrote to memory of 1688	760	EQNEDT32.EXE	vbc.exe
PID 760 wrote to memory of 1688	760	EQNEDT32.EXE	vbc.exe
PID 280 wrote to memory of 1544	280	WINWORD.EXE	splwow64.exe
PID 280 wrote to memory of 1544	280	WINWORD.EXE	splwow64.exe
PID 280 wrote to memory of 1544	280	WINWORD.EXE	splwow64.exe
PID 280 wrote to memory of 1544	280	WINWORD.EXE	splwow64.exe
PID 1688 wrote to memory of 912	1688	vbc.exe	svchost.exe
PID 1688 wrote to memory of 912	1688	vbc.exe	svchost.exe
PID 1688 wrote to memory of 912	1688	vbc.exe	svchost.exe
PID 1688 wrote to memory of 912	1688	vbc.exe	svchost.exe
PID 1688 wrote to memory of 912	1688	vbc.exe	svchost.exe
PID 1688 wrote to memory of 912	1688	vbc.exe	svchost.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Revised-RBG-180129940.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1544

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I4HTQEUG\document_v4120012[1].doc
MD5
446988fed3c06a2a0195479fccbed955

SHA1
3650070fada6121e813e3635b3734d9e80f43653

SHA256
4329673b6bb9797151a7eab278f0b82466d73303149f2e9ab797a95d04a982bd

SHA512
f00dd3d683087321ac0d200fa995a51b8c65109e5c1786b2a7f47b34b69b64d257ceca6b4a380ea6165f7268bc673e8d6861c992e47dda9cbf1c18c251714ab2

Download Submit
C:\Users\Public\vbc.exe
MD5
b94f6fe6c0a12f51cefa10222036b2e8

SHA1
b47a296f3044b5bb5a1e8f5306ad5687067289c9

SHA256
c2c6013ed703c379c923c39bea006e32b5b27f6c4145f2d219665a190e493971

SHA512
d70b471da3a745ec981003d4ade776a71eb9870eecb649f9055929ec0ea0bbff900c95064047fe1b65d59470a30269c23496a6c66895f86e7a51b25afc4e71e6

Download Submit
C:\Users\Public\vbc.exe
MD5
b94f6fe6c0a12f51cefa10222036b2e8

SHA1
b47a296f3044b5bb5a1e8f5306ad5687067289c9

SHA256
c2c6013ed703c379c923c39bea006e32b5b27f6c4145f2d219665a190e493971

SHA512
d70b471da3a745ec981003d4ade776a71eb9870eecb649f9055929ec0ea0bbff900c95064047fe1b65d59470a30269c23496a6c66895f86e7a51b25afc4e71e6

Download Submit
\Users\Public\vbc.exe
MD5
b94f6fe6c0a12f51cefa10222036b2e8

SHA1
b47a296f3044b5bb5a1e8f5306ad5687067289c9

SHA256
c2c6013ed703c379c923c39bea006e32b5b27f6c4145f2d219665a190e493971

SHA512
d70b471da3a745ec981003d4ade776a71eb9870eecb649f9055929ec0ea0bbff900c95064047fe1b65d59470a30269c23496a6c66895f86e7a51b25afc4e71e6

Download Submit
\Users\Public\vbc.exe
MD5
b94f6fe6c0a12f51cefa10222036b2e8

SHA1
b47a296f3044b5bb5a1e8f5306ad5687067289c9

SHA256
c2c6013ed703c379c923c39bea006e32b5b27f6c4145f2d219665a190e493971

SHA512
d70b471da3a745ec981003d4ade776a71eb9870eecb649f9055929ec0ea0bbff900c95064047fe1b65d59470a30269c23496a6c66895f86e7a51b25afc4e71e6

Download Submit
\Users\Public\vbc.exe
MD5
b94f6fe6c0a12f51cefa10222036b2e8

SHA1
b47a296f3044b5bb5a1e8f5306ad5687067289c9

SHA256
c2c6013ed703c379c923c39bea006e32b5b27f6c4145f2d219665a190e493971

SHA512
d70b471da3a745ec981003d4ade776a71eb9870eecb649f9055929ec0ea0bbff900c95064047fe1b65d59470a30269c23496a6c66895f86e7a51b25afc4e71e6

Download Submit
\Users\Public\vbc.exe
MD5
b94f6fe6c0a12f51cefa10222036b2e8

SHA1
b47a296f3044b5bb5a1e8f5306ad5687067289c9

SHA256
c2c6013ed703c379c923c39bea006e32b5b27f6c4145f2d219665a190e493971

SHA512
d70b471da3a745ec981003d4ade776a71eb9870eecb649f9055929ec0ea0bbff900c95064047fe1b65d59470a30269c23496a6c66895f86e7a51b25afc4e71e6

Download Submit
memory/280-6-0x000000006B531000-0x000000006B534000-memory.dmp

Filesize
12KB

Download
memory/524-5-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmp

Filesize
2.5MB

Download
memory/760-10-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/912-24-0x0000000069E70000-0x000000006A55E000-memory.dmp

Filesize
6.9MB

Download
memory/912-27-0x0000000000620000-0x000000000066C000-memory.dmp

Filesize
304KB

Download
memory/912-30-0x00000000046D3000-0x00000000046D4000-memory.dmp

Filesize
4KB

Download
memory/912-32-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/912-31-0x00000000046D4000-0x00000000046D6000-memory.dmp

Filesize
8KB

Download
memory/912-28-0x00000000046D1000-0x00000000046D2000-memory.dmp

Filesize
4KB

Download
memory/912-29-0x00000000046D2000-0x00000000046D3000-memory.dmp

Filesize
4KB

Download
memory/912-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/912-22-0x000000000040CD2F-mapping.dmp

Download
memory/912-23-0x0000000002080000-0x0000000002091000-memory.dmp

Filesize
68KB

Download
memory/912-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/912-26-0x0000000000230000-0x000000000027D000-memory.dmp

Filesize
308KB

Download
memory/1544-19-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp

Filesize
8KB

Download
memory/1544-18-0x0000000000000000-mapping.dmp

Download
memory/1688-17-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1688-15-0x0000000000000000-mapping.dmp

Download
memory/1812-2-0x000000002F141000-0x000000002F144000-memory.dmp

Filesize
12KB

Download
memory/1812-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1812-3-0x0000000071241000-0x0000000071243000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads