agenttesla | 227f928eab84ca0736d1059cec135eb48996136d98c251ace0cd29d8c139471b

General

Target

Payment Advice.xlsx
Size

3.7MB
MD5

5e1e64b617b1c40cf151b5d06e1beec5
SHA1

24d6ac44e463d05cb2f224123f0bfae3e7780181
SHA256

227f928eab84ca0736d1059cec135eb48996136d98c251ace0cd29d8c139471b
SHA512

aaad618656ab34b001772341a0f45036323a5422193e6262028013feaa7c1d0714d46c77fdf27667f76e742a9d6e18a30b20a67eeeb3095cfc0d7aabbb8b0eb2

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1712271713:AAGJzuYypM3OwZho3Ow-PgwvbQRhZlQBGFk/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1376-77-0x0000000004F60000-0x0000000004F96000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 992 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

zerohostz15agz.exe

pid process

1376 zerohostz15agz.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

992 EQNEDT32.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

960 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

992 EQNEDT32.EXE

flow	pid	process
4	992	EQNEDT32.EXE

pid	process
1376	zerohostz15agz.exe

pid	process
992	EQNEDT32.EXE

pid	process
960	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
992	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1608 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

zerohostz15agz.exe

pid process

1376 zerohostz15agz.exe
1376 zerohostz15agz.exe
1376 zerohostz15agz.exe
1376 zerohostz15agz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

zerohostz15agz.exe

description pid process

Token: SeDebugPrivilege 1376 zerohostz15agz.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1608 EXCEL.EXE
1608 EXCEL.EXE
1608 EXCEL.EXE
1608 EXCEL.EXE
1608 EXCEL.EXE

pid	process
1608	EXCEL.EXE

pid	process
1376	zerohostz15agz.exe
1376	zerohostz15agz.exe
1376	zerohostz15agz.exe
1376	zerohostz15agz.exe

description	pid	process
Token: SeDebugPrivilege	1376	zerohostz15agz.exe

pid	process
1608	EXCEL.EXE
1608	EXCEL.EXE
1608	EXCEL.EXE
1608	EXCEL.EXE
1608	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EQNEDT32.EXEzerohostz15agz.exe

description	pid	process	target process
PID 992 wrote to memory of 1376	992	EQNEDT32.EXE	zerohostz15agz.exe
PID 992 wrote to memory of 1376	992	EQNEDT32.EXE	zerohostz15agz.exe
PID 992 wrote to memory of 1376	992	EQNEDT32.EXE	zerohostz15agz.exe
PID 992 wrote to memory of 1376	992	EQNEDT32.EXE	zerohostz15agz.exe
PID 1376 wrote to memory of 960	1376	zerohostz15agz.exe	schtasks.exe
PID 1376 wrote to memory of 960	1376	zerohostz15agz.exe	schtasks.exe
PID 1376 wrote to memory of 960	1376	zerohostz15agz.exe	schtasks.exe
PID 1376 wrote to memory of 960	1376	zerohostz15agz.exe	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\zerohostz15agz.exe
"C:\Users\Admin\AppData\Local\Temp\zerohostz15agz.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WnRCLcGk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp"
3⤵
- Creates scheduled task(s)
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Exploitation for Client Execution

1

T1203

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC284.tmp
MD5
1a31333ee46c6ff55b6c176907fd43f1

SHA1
c89062b1ec444d0dec2221e1ccc2bc459791deec

SHA256
b6724aa4826953f439e76b8219be9ec70b30df359deba514519725893398f77f

SHA512
b297bc4cb64a64b8fc5f1040c37b8ceb75d406fa331ef06fc0f2482dabb26cb8c0a8c686211c31188c7b6a4662493bf16e23a4e6abc8f27338a35d64bebe9ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zerohostz15agz.exe
MD5
02cfffb4f0237ed12a4b89e241c6276e

SHA1
22a6830516f61b0f50b82bf860deb66bf403a2d1

SHA256
a9e89aa79f71caff5fc6b20d16623c7f3d089235def31b5d4599af5cfd211fb4

SHA512
9f7e5a00dd3e57fc68eae426aacb99f031428554aabd764de6a0abef5e22588ae9ea3ab0afce0f9b849590009aec2e89a2a9ac27d3aab47b8aa7418297e91002

Download Submit
C:\Users\Admin\AppData\Local\Temp\zerohostz15agz.exe
MD5
02cfffb4f0237ed12a4b89e241c6276e

SHA1
22a6830516f61b0f50b82bf860deb66bf403a2d1

SHA256
a9e89aa79f71caff5fc6b20d16623c7f3d089235def31b5d4599af5cfd211fb4

SHA512
9f7e5a00dd3e57fc68eae426aacb99f031428554aabd764de6a0abef5e22588ae9ea3ab0afce0f9b849590009aec2e89a2a9ac27d3aab47b8aa7418297e91002

Download Submit
\Users\Admin\AppData\Local\Temp\zerohostz15agz.exe
MD5
02cfffb4f0237ed12a4b89e241c6276e

SHA1
22a6830516f61b0f50b82bf860deb66bf403a2d1

SHA256
a9e89aa79f71caff5fc6b20d16623c7f3d089235def31b5d4599af5cfd211fb4

SHA512
9f7e5a00dd3e57fc68eae426aacb99f031428554aabd764de6a0abef5e22588ae9ea3ab0afce0f9b849590009aec2e89a2a9ac27d3aab47b8aa7418297e91002

Download Submit
memory/960-75-0x0000000000000000-mapping.dmp

Download
memory/992-63-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1376-68-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1376-65-0x0000000000000000-mapping.dmp

Download
memory/1376-70-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/1376-71-0x0000000000510000-0x0000000000519000-memory.dmp

Filesize
36KB

Download
memory/1376-72-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1376-73-0x0000000005160000-0x00000000051D4000-memory.dmp

Filesize
464KB

Download
memory/1376-74-0x0000000004340000-0x000000000437C000-memory.dmp

Filesize
240KB

Download
memory/1376-77-0x0000000004F60000-0x0000000004F96000-memory.dmp

Filesize
216KB

Download
memory/1608-60-0x000000002F601000-0x000000002F604000-memory.dmp

Filesize
12KB

Download
memory/1608-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1608-61-0x0000000070E31000-0x0000000070E33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads