agenttesla | 86e3101420d0467712a6920229e34bce70e978598abb37373c53306f937f8db7

General

Target

$267700.xlsx
Size

200KB
MD5

df0dbb4b27bda8afcdc08455003739e7
SHA1

86057b50f54296163776720171c21c2a946778e6
SHA256

86e3101420d0467712a6920229e34bce70e978598abb37373c53306f937f8db7
SHA512

4836c2aaf5dc450fb1a859770c735c1cfd2887dbeb779cc15c56e9a840f63e3a7d43d352dad3583eae4db2bcb7d31ea807f7f68258c258b423e9992c652cc3e2

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
lord@blessme

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1244-24-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1244-25-0x000000000043765E-mapping.dmp	family_agenttesla
behavioral1/memory/1244-28-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

25 1812 EQNEDT32.EXE
Executes dropped EXE 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

1144 vbc.exe
2020 vbc.exe
1244 vbc.exe
Abuses OpenXML format to download file from external location
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1812 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1144 set thread context of 1244 1144 vbc.exe vbc.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1812 EQNEDT32.EXE

flow	pid	process
25	1812	EQNEDT32.EXE

pid	process
1144	vbc.exe
2020	vbc.exe
1244	vbc.exe

pid	process
1812	EQNEDT32.EXE

description	pid	process	target process
PID 1144 set thread context of 1244	1144	vbc.exe	vbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1812	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1852 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exevbc.exe

pid process

1144 vbc.exe
1144 vbc.exe
1244 vbc.exe
1244 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exevbc.exe

description pid process

Token: SeDebugPrivilege 1144 vbc.exe
Token: SeDebugPrivilege 1244 vbc.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1852 EXCEL.EXE
1852 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1852 EXCEL.EXE
1852 EXCEL.EXE
1852 EXCEL.EXE
744 WINWORD.EXE
744 WINWORD.EXE

pid	process
1852	EXCEL.EXE

pid	process
1144	vbc.exe
1144	vbc.exe
1244	vbc.exe
1244	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1144	vbc.exe
Token: SeDebugPrivilege	1244	vbc.exe

pid	process
1852	EXCEL.EXE
1852	EXCEL.EXE

pid	process
1852	EXCEL.EXE
1852	EXCEL.EXE
1852	EXCEL.EXE
744	WINWORD.EXE
744	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1812 wrote to memory of 1144	1812	EQNEDT32.EXE	vbc.exe
PID 1812 wrote to memory of 1144	1812	EQNEDT32.EXE	vbc.exe
PID 1812 wrote to memory of 1144	1812	EQNEDT32.EXE	vbc.exe
PID 1812 wrote to memory of 1144	1812	EQNEDT32.EXE	vbc.exe
PID 744 wrote to memory of 1056	744	WINWORD.EXE	splwow64.exe
PID 744 wrote to memory of 1056	744	WINWORD.EXE	splwow64.exe
PID 744 wrote to memory of 1056	744	WINWORD.EXE	splwow64.exe
PID 744 wrote to memory of 1056	744	WINWORD.EXE	splwow64.exe
PID 1144 wrote to memory of 2020	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 2020	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 2020	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 2020	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 1244	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 1244	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 1244	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 1244	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 1244	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 1244	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 1244	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 1244	1144	vbc.exe	vbc.exe
PID 1144 wrote to memory of 1244	1144	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\$267700.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1056

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:2020

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\invoice_4152112[1].doc
MD5
2c15d6b5dacee38f2b9d5bb1236f0bc3

SHA1
9a217860103db9c5b8e0eb4d9c5e0d5667b8f390

SHA256
31e0ea87983451b4c759b630005e2cdfe620c49eebef6bd0d8552268abd322c7

SHA512
6babf0dea8f79d390f85723c2708b526bad9d0e3bda2ae22d274608428fdd9c769a85e26d575e77eba99b95e42a73295bc1d87a5ca88083e601fbafb37d46b24

Download Submit
C:\Users\Public\vbc.exe
MD5
d24b31e1b896eefd1fc34d257f9ed279

SHA1
f61065cc95db18ce38ea31b71cf01d7bdf205dfa

SHA256
81c3590c04a0c3b1457057e2307778b409812d2e18f01fca9bf6a3b6b9b83ded

SHA512
305fb067a7a9498e9eb8cfac9ce9b73ecd53914abf7796484faa2d2d20ed20f9d5a609d9c4e0b0fb1f7e778d9f77de6150a492c88df19b7d8c3a8c52b6368b9f

Download Submit
C:\Users\Public\vbc.exe
MD5
d24b31e1b896eefd1fc34d257f9ed279

SHA1
f61065cc95db18ce38ea31b71cf01d7bdf205dfa

SHA256
81c3590c04a0c3b1457057e2307778b409812d2e18f01fca9bf6a3b6b9b83ded

SHA512
305fb067a7a9498e9eb8cfac9ce9b73ecd53914abf7796484faa2d2d20ed20f9d5a609d9c4e0b0fb1f7e778d9f77de6150a492c88df19b7d8c3a8c52b6368b9f

Download Submit
C:\Users\Public\vbc.exe
MD5
d24b31e1b896eefd1fc34d257f9ed279

SHA1
f61065cc95db18ce38ea31b71cf01d7bdf205dfa

SHA256
81c3590c04a0c3b1457057e2307778b409812d2e18f01fca9bf6a3b6b9b83ded

SHA512
305fb067a7a9498e9eb8cfac9ce9b73ecd53914abf7796484faa2d2d20ed20f9d5a609d9c4e0b0fb1f7e778d9f77de6150a492c88df19b7d8c3a8c52b6368b9f

Download Submit
C:\Users\Public\vbc.exe
MD5
d24b31e1b896eefd1fc34d257f9ed279

SHA1
f61065cc95db18ce38ea31b71cf01d7bdf205dfa

SHA256
81c3590c04a0c3b1457057e2307778b409812d2e18f01fca9bf6a3b6b9b83ded

SHA512
305fb067a7a9498e9eb8cfac9ce9b73ecd53914abf7796484faa2d2d20ed20f9d5a609d9c4e0b0fb1f7e778d9f77de6150a492c88df19b7d8c3a8c52b6368b9f

Download Submit
\Users\Public\vbc.exe
MD5
d24b31e1b896eefd1fc34d257f9ed279

SHA1
f61065cc95db18ce38ea31b71cf01d7bdf205dfa

SHA256
81c3590c04a0c3b1457057e2307778b409812d2e18f01fca9bf6a3b6b9b83ded

SHA512
305fb067a7a9498e9eb8cfac9ce9b73ecd53914abf7796484faa2d2d20ed20f9d5a609d9c4e0b0fb1f7e778d9f77de6150a492c88df19b7d8c3a8c52b6368b9f

Download Submit
memory/744-6-0x000000006B6D1000-0x000000006B6D4000-memory.dmp

Filesize
12KB

Download
memory/1056-17-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp

Filesize
8KB

Download
memory/1056-16-0x0000000000000000-mapping.dmp

Download
memory/1144-20-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/1144-12-0x0000000000000000-mapping.dmp

Download
memory/1144-22-0x0000000004F40000-0x0000000004F9C000-memory.dmp

Filesize
368KB

Download
memory/1144-21-0x0000000000740000-0x0000000000743000-memory.dmp

Filesize
12KB

Download
memory/1144-15-0x000000006AA50000-0x000000006B13E000-memory.dmp

Filesize
6.9MB

Download
memory/1144-18-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1244-25-0x000000000043765E-mapping.dmp

Download
memory/1244-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1244-27-0x000000006AA50000-0x000000006B13E000-memory.dmp

Filesize
6.9MB

Download
memory/1244-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1244-30-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1376-5-0x000007FEF77D0000-0x000007FEF7A4A000-memory.dmp

Filesize
2.5MB

Download
memory/1812-10-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/1852-2-0x000000002FD71000-0x000000002FD74000-memory.dmp

Filesize
12KB

Download
memory/1852-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1852-3-0x0000000071681000-0x0000000071683000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads