agenttesla | d60076d9ebcd69f0403422ebb01bf2df5faa59ce3fe2596b76ba0868ec666549

General

Target

Purchase order.doc
Size

69KB
MD5

f0bbb85804a6759fe665b2482b6d083e
SHA1

0eba1c2a8877c96b1cda52a11ab2066124663e19
SHA256

d60076d9ebcd69f0403422ebb01bf2df5faa59ce3fe2596b76ba0868ec666549
SHA512

cc0f3314ba4d01de4af012eac61033d686183b83b2ec6a674ff27248f72dbbe86f8f655460ec37385d6c3f6628f80928dcfaa0cbb135fa541b270b92b5591abf

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
ruben000

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3928-25-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3928-26-0x000000000043760E-mapping.dmp	family_agenttesla

Executes dropped EXE 3 IoCs

Processes:

Server.gifServer.gifServer.gif

pid process

2100 Server.gif
3976 Server.gif
3928 Server.gif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Server.gif

description pid process target process

PID 2100 set thread context of 3928 2100 Server.gif Server.gif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2100	Server.gif
3976	Server.gif
3928	Server.gif

description	pid	process	target process
PID 2100 set thread context of 3928	2100	Server.gif	Server.gif

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4076 schtasks.exe

pid	process
4076	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

832 WINWORD.EXE
832 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Server.gifServer.gif

pid process

2100 Server.gif
2100 Server.gif
3928 Server.gif
3928 Server.gif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Server.gifServer.gif

description pid process

Token: SeDebugPrivilege 2100 Server.gif
Token: SeDebugPrivilege 3928 Server.gif
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

832 WINWORD.EXE
832 WINWORD.EXE
832 WINWORD.EXE
832 WINWORD.EXE
832 WINWORD.EXE
832 WINWORD.EXE
832 WINWORD.EXE

pid	process
832	WINWORD.EXE
832	WINWORD.EXE

pid	process
2100	Server.gif
2100	Server.gif
3928	Server.gif
3928	Server.gif

description	pid	process
Token: SeDebugPrivilege	2100	Server.gif
Token: SeDebugPrivilege	3928	Server.gif

pid	process
832	WINWORD.EXE
832	WINWORD.EXE
832	WINWORD.EXE
832	WINWORD.EXE
832	WINWORD.EXE
832	WINWORD.EXE
832	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

WINWORD.EXEServer.gif

description	pid	process	target process
PID 832 wrote to memory of 2100	832	WINWORD.EXE	Server.gif
PID 832 wrote to memory of 2100	832	WINWORD.EXE	Server.gif
PID 832 wrote to memory of 2100	832	WINWORD.EXE	Server.gif
PID 2100 wrote to memory of 4076	2100	Server.gif	schtasks.exe
PID 2100 wrote to memory of 4076	2100	Server.gif	schtasks.exe
PID 2100 wrote to memory of 4076	2100	Server.gif	schtasks.exe
PID 2100 wrote to memory of 3976	2100	Server.gif	Server.gif
PID 2100 wrote to memory of 3976	2100	Server.gif	Server.gif
PID 2100 wrote to memory of 3976	2100	Server.gif	Server.gif
PID 2100 wrote to memory of 3928	2100	Server.gif	Server.gif
PID 2100 wrote to memory of 3928	2100	Server.gif	Server.gif
PID 2100 wrote to memory of 3928	2100	Server.gif	Server.gif
PID 2100 wrote to memory of 3928	2100	Server.gif	Server.gif
PID 2100 wrote to memory of 3928	2100	Server.gif	Server.gif
PID 2100 wrote to memory of 3928	2100	Server.gif	Server.gif
PID 2100 wrote to memory of 3928	2100	Server.gif	Server.gif
PID 2100 wrote to memory of 3928	2100	Server.gif	Server.gif

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase order.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\Server.gif
C:\Users\Admin\AppData\Local\Temp\Server.gif
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OokNvg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6628.tmp"
3⤵
- Creates scheduled task(s)
PID:4076

C:\Users\Admin\AppData\Local\Temp\Server.gif
"C:\Users\Admin\AppData\Local\Temp\Server.gif"
3⤵
- Executes dropped EXE
PID:3976

C:\Users\Admin\AppData\Local\Temp\Server.gif
"C:\Users\Admin\AppData\Local\Temp\Server.gif"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.gif.log

MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.gif

MD5
4bb60ef7036ee00d8272c78f40da201e

SHA1
50547a4c1e40e36367df85cbe09a6b02474ef82e

SHA256
d1692c8db90c7a95a72e827ce43ffeb3bc88d3328203c7fd924a9401c8b220e7

SHA512
7feadb9ac6dcca3c7fd3db6558efea691d790fc0c57072e9bae388b54235c2f615143b60308e551ba9640bb8648df40744d579ccb4b5847d066a3f0c28f9e17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.gif

MD5
4bb60ef7036ee00d8272c78f40da201e

SHA1
50547a4c1e40e36367df85cbe09a6b02474ef82e

SHA256
d1692c8db90c7a95a72e827ce43ffeb3bc88d3328203c7fd924a9401c8b220e7

SHA512
7feadb9ac6dcca3c7fd3db6558efea691d790fc0c57072e9bae388b54235c2f615143b60308e551ba9640bb8648df40744d579ccb4b5847d066a3f0c28f9e17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.gif

MD5
4bb60ef7036ee00d8272c78f40da201e

SHA1
50547a4c1e40e36367df85cbe09a6b02474ef82e

SHA256
d1692c8db90c7a95a72e827ce43ffeb3bc88d3328203c7fd924a9401c8b220e7

SHA512
7feadb9ac6dcca3c7fd3db6558efea691d790fc0c57072e9bae388b54235c2f615143b60308e551ba9640bb8648df40744d579ccb4b5847d066a3f0c28f9e17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.gif

MD5
4bb60ef7036ee00d8272c78f40da201e

SHA1
50547a4c1e40e36367df85cbe09a6b02474ef82e

SHA256
d1692c8db90c7a95a72e827ce43ffeb3bc88d3328203c7fd924a9401c8b220e7

SHA512
7feadb9ac6dcca3c7fd3db6558efea691d790fc0c57072e9bae388b54235c2f615143b60308e551ba9640bb8648df40744d579ccb4b5847d066a3f0c28f9e17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6628.tmp

MD5
18fa17792bd17490763708d16454dcf4

SHA1
27df889593e101927c104dbcfa1059033cae2feb

SHA256
a015a2ed5a06ad374a162fd9da8c6c932aa1b92fa254cd5aa9fc2fecdc069262

SHA512
143680d346db4f601f51c9d115c7accf531d89d77fd83dd7b56cd90e28a143b547a288c948cbb171e4d7e4b6e5ed75ee85587ff872df598fda98a43cebd7a79c

Download Submit
memory/832-7-0x00007FFAC7350000-0x00007FFAC7360000-memory.dmp

Filesize
64KB

Download
memory/832-3-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/832-2-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/832-6-0x00007FFAEA7F0000-0x00007FFAEAE27000-memory.dmp

Filesize
6.2MB

Download
memory/832-4-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/832-5-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/2100-20-0x0000000000A90000-0x0000000000A9B000-memory.dmp

Filesize
44KB

Download
memory/2100-12-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2100-17-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/2100-18-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/2100-19-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/2100-15-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/2100-21-0x0000000004DB0000-0x0000000004E24000-memory.dmp

Filesize
464KB

Download
memory/2100-8-0x0000000000000000-mapping.dmp

Download
memory/2100-14-0x0000000006E50000-0x0000000006E51000-memory.dmp

Filesize
4KB

Download
memory/2100-16-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/2100-11-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/3928-26-0x000000000043760E-mapping.dmp

Download
memory/3928-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3928-29-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/3928-34-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/3928-35-0x0000000005DD0000-0x0000000005DD1000-memory.dmp

Filesize
4KB

Download
memory/3928-36-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/4076-22-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads