agenttesla | 4caa64908b36893b18dca45402ee03d15381c605b6c0f07497f209f73a1c038d

General

Target

LM Approved Invoice-04-05-2021.doc
Size

3.8MB
MD5

95f8e935279c289154b784d37bfdbae7
SHA1

3e711dc23a09ef291f95b7e06c9ba708e35dbe95
SHA256

4caa64908b36893b18dca45402ee03d15381c605b6c0f07497f209f73a1c038d
SHA512

cb7d9d0849087f0800fb1dec9185debe1b3baae0244ac62e32adcf49e2058df29514b801b2802a35c4acc33c2d142a84ebbc27f91e8f95f104d4a519b8efc5bb

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.nilkarnal.com
Port:
587
Username:
logs@nilkarnal.com
Password:
company1960

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1980-81-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1980-82-0x00000000004375FE-mapping.dmp	family_agenttesla
behavioral1/memory/1980-84-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1156 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

KSDHFU.exeKSDHFU.exe

pid process

748 KSDHFU.exe
1980 KSDHFU.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1156 EQNEDT32.EXE
1156 EQNEDT32.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

KSDHFU.exe

description pid process target process

PID 748 set thread context of 1980 748 KSDHFU.exe KSDHFU.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

384 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1156 EQNEDT32.EXE

flow	pid	process
7	1156	EQNEDT32.EXE

pid	process
748	KSDHFU.exe
1980	KSDHFU.exe

pid	process
1156	EQNEDT32.EXE
1156	EQNEDT32.EXE

description	pid	process	target process
PID 748 set thread context of 1980	748	KSDHFU.exe	KSDHFU.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
384	schtasks.exe

pid	process
1156	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1088 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

KSDHFU.exe

pid process

1980 KSDHFU.exe
1980 KSDHFU.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

KSDHFU.exe

description pid process

Token: SeDebugPrivilege 1980 KSDHFU.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXEKSDHFU.exe

pid process

1088 WINWORD.EXE
1088 WINWORD.EXE
748 KSDHFU.exe
748 KSDHFU.exe

pid	process
1088	WINWORD.EXE

pid	process
1980	KSDHFU.exe
1980	KSDHFU.exe

description	pid	process
Token: SeDebugPrivilege	1980	KSDHFU.exe

pid	process
1088	WINWORD.EXE
1088	WINWORD.EXE
748	KSDHFU.exe
748	KSDHFU.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEKSDHFU.exe

description	pid	process	target process
PID 1156 wrote to memory of 748	1156	EQNEDT32.EXE	KSDHFU.exe
PID 1156 wrote to memory of 748	1156	EQNEDT32.EXE	KSDHFU.exe
PID 1156 wrote to memory of 748	1156	EQNEDT32.EXE	KSDHFU.exe
PID 1156 wrote to memory of 748	1156	EQNEDT32.EXE	KSDHFU.exe
PID 1088 wrote to memory of 1612	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 1612	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 1612	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 1612	1088	WINWORD.EXE	splwow64.exe
PID 748 wrote to memory of 384	748	KSDHFU.exe	schtasks.exe
PID 748 wrote to memory of 384	748	KSDHFU.exe	schtasks.exe
PID 748 wrote to memory of 384	748	KSDHFU.exe	schtasks.exe
PID 748 wrote to memory of 384	748	KSDHFU.exe	schtasks.exe
PID 748 wrote to memory of 1980	748	KSDHFU.exe	KSDHFU.exe
PID 748 wrote to memory of 1980	748	KSDHFU.exe	KSDHFU.exe
PID 748 wrote to memory of 1980	748	KSDHFU.exe	KSDHFU.exe
PID 748 wrote to memory of 1980	748	KSDHFU.exe	KSDHFU.exe
PID 748 wrote to memory of 1980	748	KSDHFU.exe	KSDHFU.exe
PID 748 wrote to memory of 1980	748	KSDHFU.exe	KSDHFU.exe
PID 748 wrote to memory of 1980	748	KSDHFU.exe	KSDHFU.exe
PID 748 wrote to memory of 1980	748	KSDHFU.exe	KSDHFU.exe
PID 748 wrote to memory of 1980	748	KSDHFU.exe	KSDHFU.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\LM Approved Invoice-04-05-2021.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1612

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Roaming\KSDHFU.exe
C:\Users\Admin\AppData\Roaming\KSDHFU.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AhuFCWIiU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp45C7.tmp"
3⤵
- Creates scheduled task(s)
PID:384

C:\Users\Admin\AppData\Roaming\KSDHFU.exe
"C:\Users\Admin\AppData\Roaming\KSDHFU.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Exploitation for Client Execution

1

T1203

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp45C7.tmp
MD5
01dc1ed1183dc0aa981275637d3e81bf

SHA1
44b95374dd34571b7085e70c14fa4d04a4636942

SHA256
9295bd678071e53a8e22896a37191e2f573f3a479e03f718f9b3878435be33a1

SHA512
c92c63e99e3b6af93646976afce6776620effb64b35bbd5da77da6f1ae5aa2e3f1aed002fa81ef9cc06886d80cb620f639e64fe09ce2f529813fa6db67c5cec2

Download Submit
C:\Users\Admin\AppData\Roaming\KSDHFU.exe
MD5
9dfaa6afc47f0bf01155b7f8253f719b

SHA1
0e82d1395e219ed0400959e6315675fdd03f0a54

SHA256
fd0be553157fca2a0a5f4cc559d95a3d6ec4b27b6f1368cad25997cac0ccac8f

SHA512
95f379a10ffd895be1b653dfb32227be31764c13ce75f35f21be6472045e385bb0aca718a6a1b0c57158c1449094b409c3192f19c47900e2d3829588b9980e2e

Download Submit
C:\Users\Admin\AppData\Roaming\KSDHFU.exe
MD5
9dfaa6afc47f0bf01155b7f8253f719b

SHA1
0e82d1395e219ed0400959e6315675fdd03f0a54

SHA256
fd0be553157fca2a0a5f4cc559d95a3d6ec4b27b6f1368cad25997cac0ccac8f

SHA512
95f379a10ffd895be1b653dfb32227be31764c13ce75f35f21be6472045e385bb0aca718a6a1b0c57158c1449094b409c3192f19c47900e2d3829588b9980e2e

Download Submit
C:\Users\Admin\AppData\Roaming\KSDHFU.exe
MD5
9dfaa6afc47f0bf01155b7f8253f719b

SHA1
0e82d1395e219ed0400959e6315675fdd03f0a54

SHA256
fd0be553157fca2a0a5f4cc559d95a3d6ec4b27b6f1368cad25997cac0ccac8f

SHA512
95f379a10ffd895be1b653dfb32227be31764c13ce75f35f21be6472045e385bb0aca718a6a1b0c57158c1449094b409c3192f19c47900e2d3829588b9980e2e

Download Submit
\Users\Admin\AppData\Roaming\KSDHFU.exe
MD5
9dfaa6afc47f0bf01155b7f8253f719b

SHA1
0e82d1395e219ed0400959e6315675fdd03f0a54

SHA256
fd0be553157fca2a0a5f4cc559d95a3d6ec4b27b6f1368cad25997cac0ccac8f

SHA512
95f379a10ffd895be1b653dfb32227be31764c13ce75f35f21be6472045e385bb0aca718a6a1b0c57158c1449094b409c3192f19c47900e2d3829588b9980e2e

Download Submit
\Users\Admin\AppData\Roaming\KSDHFU.exe
MD5
9dfaa6afc47f0bf01155b7f8253f719b

SHA1
0e82d1395e219ed0400959e6315675fdd03f0a54

SHA256
fd0be553157fca2a0a5f4cc559d95a3d6ec4b27b6f1368cad25997cac0ccac8f

SHA512
95f379a10ffd895be1b653dfb32227be31764c13ce75f35f21be6472045e385bb0aca718a6a1b0c57158c1449094b409c3192f19c47900e2d3829588b9980e2e

Download Submit
memory/384-79-0x0000000000000000-mapping.dmp

Download
memory/748-71-0x0000000004B81000-0x0000000004B82000-memory.dmp

Filesize
4KB

Download
memory/748-65-0x0000000000000000-mapping.dmp

Download
memory/748-68-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/748-70-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/748-72-0x0000000004B82000-0x0000000004B83000-memory.dmp

Filesize
4KB

Download
memory/748-78-0x0000000004980000-0x00000000049BE000-memory.dmp

Filesize
248KB

Download
memory/748-73-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/748-77-0x0000000005190000-0x000000000520B000-memory.dmp

Filesize
492KB

Download
memory/1088-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1088-59-0x0000000072DB1000-0x0000000072DB4000-memory.dmp

Filesize
12KB

Download
memory/1088-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1088-60-0x0000000070831000-0x0000000070833000-memory.dmp

Filesize
8KB

Download
memory/1156-62-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1612-75-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/1612-74-0x0000000000000000-mapping.dmp

Download
memory/1980-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1980-82-0x00000000004375FE-mapping.dmp

Download
memory/1980-84-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1980-86-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads