agenttesla | 1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6

Analysis

max time kernel
148s
max time network
107s
platform
windows7_x64
resource
win7v20210408
submitted
10-05-2021 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA May.xlt
Size

708KB
MD5

eab9dd0c6c9970b12851dc56c8e77ebb
SHA1

0ce87f1116fe287bc9415a051af23c81d27449c1
SHA256

1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6
SHA512

fc619429f3ff49df839345f754ada67b35960c015b0be84289ae9aad8174142f4b6bce067bcb7babefd6aac65399806c528417329eb3dc1c87f0073e08bdb4cb

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.tractorandinas.com/
Port:
21
Username:
[email protected]
Password:
~P*xO7vPBc-o

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/1600-85-0x0000000001F30000-0x0000000001F7D000-memory.dmp	net_reactor
behavioral1/memory/1600-90-0x0000000004720000-0x000000000476C000-memory.dmp	net_reactor

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1600-85-0x0000000001F30000-0x0000000001F7D000-memory.dmp	family_agenttesla
behavioral1/memory/1600-90-0x0000000004720000-0x000000000476C000-memory.dmp	family_agenttesla

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

ctci.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts ctci.exe
Executes dropped EXE 4 IoCs

Processes:

ctci.exectci.exeNetplwiz.exeNetplwiz.exe

pid process

736 ctci.exe
1600 ctci.exe
1828 Netplwiz.exe
1020 Netplwiz.exe
Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid process

1028 EXCEL.EXE
1028 EXCEL.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ctci.exe

pid	process
736	ctci.exe
1600	ctci.exe
1828	Netplwiz.exe
1020	Netplwiz.exe

pid	process
1028	EXCEL.EXE
1028	EXCEL.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ctci.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vaijia = "C:\\Users\\Public\\aijiaV.url"	ctci.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ctci.exe

description pid process target process

PID 736 set thread context of 1600 736 ctci.exe ctci.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	pid	process	target process
PID 736 set thread context of 1600	736	ctci.exe	ctci.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1028 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ctci.exe

pid process

1600 ctci.exe
1600 ctci.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ctci.exe

description pid process

Token: SeDebugPrivilege 1600 ctci.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1028 EXCEL.EXE
1028 EXCEL.EXE
1028 EXCEL.EXE
1028 EXCEL.EXE
1028 EXCEL.EXE

pid	process
1028	EXCEL.EXE

pid	process
1600	ctci.exe
1600	ctci.exe

description	pid	process
Token: SeDebugPrivilege	1600	ctci.exe

pid	process
1028	EXCEL.EXE
1028	EXCEL.EXE
1028	EXCEL.EXE
1028	EXCEL.EXE
1028	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EXCEL.EXEctci.execmd.exe

description	pid	process	target process
PID 1028 wrote to memory of 736	1028	EXCEL.EXE	ctci.exe
PID 1028 wrote to memory of 736	1028	EXCEL.EXE	ctci.exe
PID 1028 wrote to memory of 736	1028	EXCEL.EXE	ctci.exe
PID 1028 wrote to memory of 736	1028	EXCEL.EXE	ctci.exe
PID 736 wrote to memory of 1600	736	ctci.exe	ctci.exe
PID 736 wrote to memory of 1600	736	ctci.exe	ctci.exe
PID 736 wrote to memory of 1600	736	ctci.exe	ctci.exe
PID 736 wrote to memory of 1600	736	ctci.exe	ctci.exe
PID 736 wrote to memory of 1600	736	ctci.exe	ctci.exe
PID 736 wrote to memory of 1600	736	ctci.exe	ctci.exe
PID 736 wrote to memory of 304	736	ctci.exe	cmd.exe
PID 736 wrote to memory of 304	736	ctci.exe	cmd.exe
PID 736 wrote to memory of 304	736	ctci.exe	cmd.exe
PID 736 wrote to memory of 304	736	ctci.exe	cmd.exe
PID 304 wrote to memory of 1408	304	cmd.exe	cmd.exe
PID 304 wrote to memory of 1408	304	cmd.exe	cmd.exe
PID 304 wrote to memory of 1408	304	cmd.exe	cmd.exe
PID 304 wrote to memory of 1408	304	cmd.exe	cmd.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SOA May.xlt"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\ctci.exe
  "C:\Users\Admin\ctci.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Users\Admin\ctci.exe
    C:\Users\Admin\ctci.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Public\stt.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
      4⤵
      PID:1408
    - - C:\Windows \System32\Netplwiz.exe
        
        "C:\Windows \System32\Netplwiz.exe"
        5⤵
        Executes dropped EXE
        
        PID:1828
    - - C:\Windows \System32\Netplwiz.exe
        
        "C:\Windows \System32\Netplwiz.exe"
        5⤵
        Executes dropped EXE
        
        PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

MD5
408939a9f3505f1514be577cdf707c03

SHA1
c1c5dce1638db0cafde4fa7a13e4213a63a825a4

SHA256
29bca0b440b50ec12c0693f49be7dd9e11be18275eb12b035de57c2e193f7c95

SHA512
d65bb465a661875d75c30a15e7a7deea519563ba23c8188f6edb1208adb6779baa1056422365e937faba34ee94e028ccd7774a08fbf44718c3868b53dbdaf8c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

MD5
d8bc1ae90d543dc999cd0acce35e3e6e

SHA1
d6357fa425bae81a638e1c95368f2950aaa84228

SHA256
ba3b356626f6e48c0faea73c91a17abd577d9200df5496d652caa623c598f7c4

SHA512
49b10c832df4b4b2c6044924c41220a2ea17e1f6a1607f524ecff607b1c4b8aa8f939e0f81f7a01af5b175ff61c334f584e1e88019ffc80aaf9ebe874add16a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
8171bf440779c7fbac3017dd88ca395b

SHA1
7ef9c815cb5c7493ef9bfb945315868d9e01f18f

SHA256
6c4c60f166ca4328235c63f1ebd3a6d213a24ee92d2864b1ce031ad5b58bc4eb

SHA512
392ae9af85de263014ad3026f9b9ed5f42bcea93be95af44fe8fee15f1452efe008843e672ad3b158284939c9e22b4f9aefc2963834bd6d6cbebc33e11c6184d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LH72S1L1.txt

MD5
69e39e8be454c090898798757cd6cbdc

SHA1
8485fd37c48e35a72cf4aec6b290eb280a2e70f0

SHA256
08618acc1ad6cf1321434797cdd70db8abc29bd3bf9ec9737e54979c04088b17

SHA512
1ace410d25fd30d266457a22f7c9fd2e47eeb13dc75a45224c2512815326880281b9471442d4092b5d9de2113809b158d162855ffb5a09de573ac6e7c203098a

Download Submit
C:\Users\Admin\ctci.exe

MD5
3ba367bb53bc5ad7c0e8d7f5a9d33532

SHA1
974c0e32a4480927f27daec1f65ce9bf23ff0e0a

SHA256
33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

SHA512
c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Download Submit
C:\Users\Admin\ctci.exe

MD5
3ba367bb53bc5ad7c0e8d7f5a9d33532

SHA1
974c0e32a4480927f27daec1f65ce9bf23ff0e0a

SHA256
33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

SHA512
c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Download Submit
C:\Users\Admin\ctci.exe

MD5
3ba367bb53bc5ad7c0e8d7f5a9d33532

SHA1
974c0e32a4480927f27daec1f65ce9bf23ff0e0a

SHA256
33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

SHA512
c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Download Submit
C:\Users\Public\NETUTILS.dll

MD5
39507d772c63ca496a25a14a8b5d14b2

SHA1
5b603f5c11eb9ab4313694315b4d4894ff4641d4

SHA256
36d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12

SHA512
0c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f

Download Submit
C:\Users\Public\Netplwiz.exe

MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Users\Public\PXOR.bat

MD5
0d8aef656413642f55e0902cc5df5e6f

SHA1
73ec56d08bd9b3c45d55c97bd1c1286b77c8ff49

SHA256
670f94b92f45bc2f3f44a80c7f3021f874aa16fde38ed7d7f3ebed13ae09fa11

SHA512
efe690b1bcf06e16be469622b45c98b5dc1f1e06410cbf7e7dccb2975524c4d6bc7e23de9a129d50d73cd924f02e23f925555894f2c7da1064dcc57151f50876

Download Submit
C:\Users\Public\stt.bat

MD5
8a850253c31df9a7e1c00c80df2630d5

SHA1
e3da74081b027a3b591488b28da22742bcfe8495

SHA256
8fdeba3ec903bde700342083d16f72452366aa0b1b30d0e58dee0af74cebfa35

SHA512
30510bdc34680a0865a0811d9be29dec91c74717feccd58c9b4d88e77be9e5d13a539806a1b2901aff595b2fe2cc45926b69ed42e899d2dd2913c78a732e84d1

Download Submit
C:\Windows \System32\Netplwiz.exe

MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Windows \System32\Netplwiz.exe

MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
\Users\Admin\ctci.exe

MD5
3ba367bb53bc5ad7c0e8d7f5a9d33532

SHA1
974c0e32a4480927f27daec1f65ce9bf23ff0e0a

SHA256
33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

SHA512
c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Download Submit
\Users\Admin\ctci.exe

MD5
3ba367bb53bc5ad7c0e8d7f5a9d33532

SHA1
974c0e32a4480927f27daec1f65ce9bf23ff0e0a

SHA256
33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

SHA512
c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Download Submit
memory/304-75-0x0000000000000000-mapping.dmp

Download
memory/736-64-0x0000000000000000-mapping.dmp

Download
memory/736-66-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1028-60-0x00000000713C1000-0x00000000713C3000-memory.dmp

Filesize
8KB

Download
memory/1028-59-0x000000002FF61000-0x000000002FF64000-memory.dmp

Filesize
12KB

Download
memory/1028-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1408-83-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1408-77-0x0000000000000000-mapping.dmp

Download
memory/1408-86-0x00000000021A0000-0x0000000002295000-memory.dmp

Filesize
980KB

Download
memory/1600-81-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1600-73-0x000000000040CD2F-mapping.dmp

Download
memory/1600-72-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1600-85-0x0000000001F30000-0x0000000001F7D000-memory.dmp

Filesize
308KB

Download
memory/1600-87-0x0000000001FF1000-0x0000000001FF2000-memory.dmp

Filesize
4KB

Download
memory/1600-88-0x0000000001FF2000-0x0000000001FF3000-memory.dmp

Filesize
4KB

Download
memory/1600-89-0x0000000001FF3000-0x0000000001FF4000-memory.dmp

Filesize
4KB

Download
memory/1600-90-0x0000000004720000-0x000000000476C000-memory.dmp

Filesize
304KB

Download
memory/1600-91-0x0000000001FF4000-0x0000000001FF6000-memory.dmp

Filesize
8KB

Download