Overview

overview

10

Static

static

PO_001412.doc

windows7_x64

10

PO_001412.doc

windows10_x64

1

Analysis

  • max time kernel
    149s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    04-05-2021 15:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_001412.doc

  • Size

    445KB

  • MD5

    7eb650183d4d3a9c79d897d11d54547d

  • SHA1

    7a4f83f1fcacc6402032bdc309dd91d3e36c2549

  • SHA256

    4a97062cd26aaa6430826f03ab22cd25668218b53b34c374e885e5820ee264f2

  • SHA512

    c4ecfe0a6a2a48691278d44a198d2826b7fa5246da9ff2c93086b490e6dbdfcd7ffdc7763c96e8cae9fddefb7633884e02f58a8934f156b44543403e96f4e061

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.phuboatrading-vn.com
  • Port:
    587
  • Username:
    logs@phuboatrading-vn.com
  • Password:
    of2ZCW1li4ipTfyE

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO_001412.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1732
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Users\Admin\AppData\Roaming\ashley85323.exe
        "C:\Users\Admin\AppData\Roaming\ashley85323.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Users\Admin\AppData\Roaming\ashley85323.exe
          "{path}"
          3⤵
          • Executes dropped EXE
          PID:1400
        • C:\Users\Admin\AppData\Roaming\ashley85323.exe
          "{path}"
          3⤵
          • Executes dropped EXE
          PID:988
        • C:\Users\Admin\AppData\Roaming\ashley85323.exe
          "{path}"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:528

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\ashley85323.exe
      MD5

      34d4452c1b344685e3f5fd7d0e9640a1

      SHA1

      bb42e71329d2ad4baff54600020eb7053cc53026

      SHA256

      65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668

      SHA512

      516b564b12a80d67cd4437af8ca86acd65b3ad8536786da3e6851cbbf8ffad33f47ca1f0c9dcd8e83002d4c1dc6d387aa6dc5759be04da782e8d1e99b0b1fde9

      Download Submit
    • C:\Users\Admin\AppData\Roaming\ashley85323.exe
      MD5

      34d4452c1b344685e3f5fd7d0e9640a1

      SHA1

      bb42e71329d2ad4baff54600020eb7053cc53026

      SHA256

      65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668

      SHA512

      516b564b12a80d67cd4437af8ca86acd65b3ad8536786da3e6851cbbf8ffad33f47ca1f0c9dcd8e83002d4c1dc6d387aa6dc5759be04da782e8d1e99b0b1fde9

      Download Submit
    • C:\Users\Admin\AppData\Roaming\ashley85323.exe
      MD5

      34d4452c1b344685e3f5fd7d0e9640a1

      SHA1

      bb42e71329d2ad4baff54600020eb7053cc53026

      SHA256

      65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668

      SHA512

      516b564b12a80d67cd4437af8ca86acd65b3ad8536786da3e6851cbbf8ffad33f47ca1f0c9dcd8e83002d4c1dc6d387aa6dc5759be04da782e8d1e99b0b1fde9

      Download Submit
    • C:\Users\Admin\AppData\Roaming\ashley85323.exe
      MD5

      34d4452c1b344685e3f5fd7d0e9640a1

      SHA1

      bb42e71329d2ad4baff54600020eb7053cc53026

      SHA256

      65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668

      SHA512

      516b564b12a80d67cd4437af8ca86acd65b3ad8536786da3e6851cbbf8ffad33f47ca1f0c9dcd8e83002d4c1dc6d387aa6dc5759be04da782e8d1e99b0b1fde9

      Download Submit
    • C:\Users\Admin\AppData\Roaming\ashley85323.exe
      MD5

      34d4452c1b344685e3f5fd7d0e9640a1

      SHA1

      bb42e71329d2ad4baff54600020eb7053cc53026

      SHA256

      65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668

      SHA512

      516b564b12a80d67cd4437af8ca86acd65b3ad8536786da3e6851cbbf8ffad33f47ca1f0c9dcd8e83002d4c1dc6d387aa6dc5759be04da782e8d1e99b0b1fde9

      Download Submit
    • \Users\Admin\AppData\Roaming\ashley85323.exe
      MD5

      34d4452c1b344685e3f5fd7d0e9640a1

      SHA1

      bb42e71329d2ad4baff54600020eb7053cc53026

      SHA256

      65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668

      SHA512

      516b564b12a80d67cd4437af8ca86acd65b3ad8536786da3e6851cbbf8ffad33f47ca1f0c9dcd8e83002d4c1dc6d387aa6dc5759be04da782e8d1e99b0b1fde9

      Download Submit
    • memory/524-63-0x0000000075D11000-0x0000000075D13000-memory.dmp
      Filesize

      8KB

      Download
    • memory/528-79-0x000000000043767E-mapping.dmp
      Download
    • memory/528-81-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/528-85-0x0000000004B21000-0x0000000004B22000-memory.dmp
      Filesize

      4KB

      Download
    • memory/528-83-0x0000000004B20000-0x0000000004B21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/528-78-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1316-70-0x0000000004D40000-0x0000000004D41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1316-71-0x00000000005D0000-0x00000000005DE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1316-68-0x0000000000030000-0x0000000000031000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1316-74-0x0000000007D80000-0x0000000007E23000-memory.dmp
      Filesize

      652KB

      Download
    • memory/1316-75-0x0000000005950000-0x00000000059B1000-memory.dmp
      Filesize

      388KB

      Download
    • memory/1316-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1732-73-0x000007FEFC251000-0x000007FEFC253000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1732-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1768-61-0x00000000707D1000-0x00000000707D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1768-60-0x0000000072D51000-0x0000000072D54000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1768-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1768-84-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download