agenttesla | 1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6

Analysis

max time kernel
148s
max time network
99s
platform
windows7_x64
resource
win7v20210410
submitted
10-05-2021 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA May.xlt
Size

708KB
MD5

eab9dd0c6c9970b12851dc56c8e77ebb
SHA1

0ce87f1116fe287bc9415a051af23c81d27449c1
SHA256

1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6
SHA512

fc619429f3ff49df839345f754ada67b35960c015b0be84289ae9aad8174142f4b6bce067bcb7babefd6aac65399806c528417329eb3dc1c87f0073e08bdb4cb

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.tractorandinas.com/
Port:
21
Username:
[email protected]
Password:
~P*xO7vPBc-o

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1704-84-0x0000000001F30000-0x0000000001F7D000-memory.dmp	family_agenttesla
behavioral1/memory/1704-85-0x0000000004710000-0x000000000475C000-memory.dmp	family_agenttesla

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

ctci.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts ctci.exe
Executes dropped EXE 4 IoCs

Processes:

ctci.exectci.exeNetplwiz.exeNetplwiz.exe

pid process

776 ctci.exe
1704 ctci.exe
804 Netplwiz.exe
1352 Netplwiz.exe
Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid process

1084 EXCEL.EXE
1084 EXCEL.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ctci.exe

pid	process
776	ctci.exe
1704	ctci.exe
804	Netplwiz.exe
1352	Netplwiz.exe

pid	process
1084	EXCEL.EXE
1084	EXCEL.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ctci.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vaijia = "C:\\Users\\Public\\aijiaV.url"	ctci.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ctci.exe

description pid process target process

PID 776 set thread context of 1704 776 ctci.exe ctci.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	pid	process	target process
PID 776 set thread context of 1704	776	ctci.exe	ctci.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1084 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ctci.exe

pid process

1704 ctci.exe
1704 ctci.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ctci.exe

description pid process

Token: SeDebugPrivilege 1704 ctci.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1084 EXCEL.EXE
1084 EXCEL.EXE
1084 EXCEL.EXE
1084 EXCEL.EXE
1084 EXCEL.EXE

pid	process
1084	EXCEL.EXE

pid	process
1704	ctci.exe
1704	ctci.exe

description	pid	process
Token: SeDebugPrivilege	1704	ctci.exe

pid	process
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EXCEL.EXEctci.execmd.exe

description	pid	process	target process
PID 1084 wrote to memory of 776	1084	EXCEL.EXE	ctci.exe
PID 1084 wrote to memory of 776	1084	EXCEL.EXE	ctci.exe
PID 1084 wrote to memory of 776	1084	EXCEL.EXE	ctci.exe
PID 1084 wrote to memory of 776	1084	EXCEL.EXE	ctci.exe
PID 776 wrote to memory of 1704	776	ctci.exe	ctci.exe
PID 776 wrote to memory of 1704	776	ctci.exe	ctci.exe
PID 776 wrote to memory of 1704	776	ctci.exe	ctci.exe
PID 776 wrote to memory of 1704	776	ctci.exe	ctci.exe
PID 776 wrote to memory of 1704	776	ctci.exe	ctci.exe
PID 776 wrote to memory of 1704	776	ctci.exe	ctci.exe
PID 776 wrote to memory of 536	776	ctci.exe	cmd.exe
PID 776 wrote to memory of 536	776	ctci.exe	cmd.exe
PID 776 wrote to memory of 536	776	ctci.exe	cmd.exe
PID 776 wrote to memory of 536	776	ctci.exe	cmd.exe
PID 536 wrote to memory of 760	536	cmd.exe	cmd.exe
PID 536 wrote to memory of 760	536	cmd.exe	cmd.exe
PID 536 wrote to memory of 760	536	cmd.exe	cmd.exe
PID 536 wrote to memory of 760	536	cmd.exe	cmd.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SOA May.xlt"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\ctci.exe
"C:\Users\Admin\ctci.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\ctci.exe
C:\Users\Admin\ctci.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\stt.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
4⤵
PID:760

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
5⤵
- Executes dropped EXE
PID:804

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
5⤵
- Executes dropped EXE
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
ee39890cf2ac1134e91f967a286238a8

SHA1
ed7eeed55721ed8a998849058a98e45fe9eb7ff4

SHA256
a7a2f46c789843d626fa725e98056ba8842ceaac2e5713348f9a95079ae9e74a

SHA512
3fd90ecb260e44133521a194ec4b2bdbc1fd15360e9e2155902a8180bfac9816d24facebbf70b25ca616297d1065b880b358cc8bc63f6015c9f208e9235b5800

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
d63d3f66dc2f09a012ead70ecd273cea

SHA1
6683e3c2e5ed9230782af445f2600a35bc7974a9

SHA256
78951e0ee92e02dc91370c33862018fa66474140d80009ec9da6740faa719740

SHA512
2978c3dfd4f815edc8ed51bec4d24ae4706391180fccb2d95f5d7b19e2c6e750a45f6da125041ebcfcd9eb7b6745620296421067b53e02c517ffe52ca927c2db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
5b2dc75ac257f93ea2692effa0220d8f

SHA1
d8668195b0d79c65b9c576562a9d6625c5c18eb3

SHA256
f573ecb9c9b50c088fe3117a4e2d41d97c6e1d81f0ae6a3afe8984e6f391438a

SHA512
f33745ee86b77f20626f4670ccb581145efd3d0bdd2ac1e06ad1dc57a2c162f16b98f80d9b7acb3173c8b2e956a6ecfddd0386686ab29b7454cbb48d842827be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\G1DIJXM8.txt
MD5
fa92502acabc8ed7a392aa907693a17f

SHA1
007fd70083ade8fcf2e68d9e1213968f146d0c95

SHA256
54cd03a56f60d47dfab9af3dd8ffcea189eb9ae7c01f708c61e6db190fc351f0

SHA512
85acc4d6c3a4471c3845a43c8bb414813cb37029eb86c19dfcfee5cd3ac5f8178e54f6e53c9f8f591916d6a74bd050f76b8d644c80291adac6e69fcbb6bb9a01

Download Submit
C:\Users\Admin\ctci.exe
MD5
3ba367bb53bc5ad7c0e8d7f5a9d33532

SHA1
974c0e32a4480927f27daec1f65ce9bf23ff0e0a

SHA256
33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

SHA512
c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Download Submit
C:\Users\Admin\ctci.exe
MD5
3ba367bb53bc5ad7c0e8d7f5a9d33532

SHA1
974c0e32a4480927f27daec1f65ce9bf23ff0e0a

SHA256
33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

SHA512
c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Download Submit
C:\Users\Admin\ctci.exe
MD5
3ba367bb53bc5ad7c0e8d7f5a9d33532

SHA1
974c0e32a4480927f27daec1f65ce9bf23ff0e0a

SHA256
33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

SHA512
c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Download Submit
C:\Users\Public\NETUTILS.dll
MD5
39507d772c63ca496a25a14a8b5d14b2

SHA1
5b603f5c11eb9ab4313694315b4d4894ff4641d4

SHA256
36d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12

SHA512
0c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f

Download Submit
C:\Users\Public\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Users\Public\PXOR.bat
MD5
0d8aef656413642f55e0902cc5df5e6f

SHA1
73ec56d08bd9b3c45d55c97bd1c1286b77c8ff49

SHA256
670f94b92f45bc2f3f44a80c7f3021f874aa16fde38ed7d7f3ebed13ae09fa11

SHA512
efe690b1bcf06e16be469622b45c98b5dc1f1e06410cbf7e7dccb2975524c4d6bc7e23de9a129d50d73cd924f02e23f925555894f2c7da1064dcc57151f50876

Download Submit
C:\Users\Public\stt.bat
MD5
8a850253c31df9a7e1c00c80df2630d5

SHA1
e3da74081b027a3b591488b28da22742bcfe8495

SHA256
8fdeba3ec903bde700342083d16f72452366aa0b1b30d0e58dee0af74cebfa35

SHA512
30510bdc34680a0865a0811d9be29dec91c74717feccd58c9b4d88e77be9e5d13a539806a1b2901aff595b2fe2cc45926b69ed42e899d2dd2913c78a732e84d1

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
\Users\Admin\ctci.exe
MD5
3ba367bb53bc5ad7c0e8d7f5a9d33532

SHA1
974c0e32a4480927f27daec1f65ce9bf23ff0e0a

SHA256
33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

SHA512
c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Download Submit
\Users\Admin\ctci.exe
MD5
3ba367bb53bc5ad7c0e8d7f5a9d33532

SHA1
974c0e32a4480927f27daec1f65ce9bf23ff0e0a

SHA256
33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

SHA512
c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Download Submit
memory/536-75-0x0000000000000000-mapping.dmp

Download
memory/760-82-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/760-77-0x0000000000000000-mapping.dmp

Download
memory/760-88-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/776-66-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/776-64-0x0000000000000000-mapping.dmp

Download
memory/1084-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1084-60-0x00000000715A1000-0x00000000715A3000-memory.dmp

Filesize
8KB

Download
memory/1084-59-0x000000002FF31000-0x000000002FF34000-memory.dmp

Filesize
12KB

Download
memory/1704-73-0x000000000040CD2F-mapping.dmp

Download
memory/1704-84-0x0000000001F30000-0x0000000001F7D000-memory.dmp

Filesize
308KB

Download
memory/1704-85-0x0000000004710000-0x000000000475C000-memory.dmp

Filesize
304KB

Download
memory/1704-87-0x0000000004871000-0x0000000004872000-memory.dmp

Filesize
4KB

Download
memory/1704-89-0x0000000004872000-0x0000000004873000-memory.dmp

Filesize
4KB

Download
memory/1704-72-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1704-86-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1704-90-0x0000000004873000-0x0000000004874000-memory.dmp

Filesize
4KB

Download
memory/1704-91-0x0000000004874000-0x0000000004876000-memory.dmp

Filesize
8KB

Download