Overview

overview

10

Static

static

8

SOA May.xlt

windows7_x64

10

SOA May.xlt

windows10_x64

1

Analysis

  • max time kernel
    148s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    10-05-2021 06:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOA May.xlt

  • Size

    708KB

  • MD5

    eab9dd0c6c9970b12851dc56c8e77ebb

  • SHA1

    0ce87f1116fe287bc9415a051af23c81d27449c1

  • SHA256

    1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6

  • SHA512

    fc619429f3ff49df839345f754ada67b35960c015b0be84289ae9aad8174142f4b6bce067bcb7babefd6aac65399806c528417329eb3dc1c87f0073e08bdb4cb

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.tractorandinas.com/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ~P*xO7vPBc-o

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • AgentTesla Payload 2 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SOA May.xlt"
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Users\Admin\ctci.exe
      "C:\Users\Admin\ctci.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Users\Admin\ctci.exe
        C:\Users\Admin\ctci.exe
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1600
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Public\stt.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
          4⤵
            PID:1408
            • C:\Windows \System32\Netplwiz.exe
              "C:\Windows \System32\Netplwiz.exe"
              5⤵
              • Executes dropped EXE
              PID:1828
            • C:\Windows \System32\Netplwiz.exe
              "C:\Windows \System32\Netplwiz.exe"
              5⤵
              • Executes dropped EXE
              PID:1020

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/736-66-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1028-60-0x00000000713C1000-0x00000000713C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1028-59-0x000000002FF61000-0x000000002FF64000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1028-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1408-83-0x0000000075801000-0x0000000075803000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1408-86-0x00000000021A0000-0x0000000002295000-memory.dmp

      Filesize

      980KB

      Download

    • memory/1600-81-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/1600-72-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/1600-85-0x0000000001F30000-0x0000000001F7D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1600-87-0x0000000001FF1000-0x0000000001FF2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1600-88-0x0000000001FF2000-0x0000000001FF3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1600-89-0x0000000001FF3000-0x0000000001FF4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1600-90-0x0000000004720000-0x000000000476C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1600-91-0x0000000001FF4000-0x0000000001FF6000-memory.dmp

      Filesize

      8KB

      Download