agenttesla | 8c7d8fc2a97430056c231bcc2e3601fd27718e08c105171175789a6d86921cea

General

Target

presupuesto.xlsx
Size

1.6MB
MD5

0c44a9fa4ce2184c319d7d2b1dc6e319
SHA1

fb24049452c8a31eab37ef00099b0604bd40cd95
SHA256

8c7d8fc2a97430056c231bcc2e3601fd27718e08c105171175789a6d86921cea
SHA512

a823ed02ed0129d55711b401ad175f877d4828e3c1040cad5cb83f04742d32ecf7b988ab8ba208af8f3a9226381377f953b1ca1bfdd22c96bda364c1ba13ca92

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.kaeiser.com
Port:
587
Username:
sergio.arroyo@kaeiser.com
Password:
QIErWCn3

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/832-75-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/832-76-0x00000000004375EE-mapping.dmp	family_agenttesla
behavioral1/memory/832-78-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 2036 EQNEDT32.EXE
9 2036 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

904 vbc.exe
832 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2036 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 904 set thread context of 832 904 vbc.exe vbc.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2036 EQNEDT32.EXE

flow	pid	process
7	2036	EQNEDT32.EXE
9	2036	EQNEDT32.EXE

pid	process
904	vbc.exe
832	vbc.exe

pid	process
2036	EQNEDT32.EXE

description	pid	process	target process
PID 904 set thread context of 832	904	vbc.exe	vbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2036	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

832 vbc.exe
832 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 832 vbc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE
1096 EXCEL.EXE
1096 EXCEL.EXE

pid	process
1096	EXCEL.EXE

pid	process
832	vbc.exe
832	vbc.exe

description	pid	process
Token: SeDebugPrivilege	832	vbc.exe

pid	process
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

EQNEDT32.EXEvbc.exe

description	pid	process	target process
PID 2036 wrote to memory of 904	2036	EQNEDT32.EXE	vbc.exe
PID 2036 wrote to memory of 904	2036	EQNEDT32.EXE	vbc.exe
PID 2036 wrote to memory of 904	2036	EQNEDT32.EXE	vbc.exe
PID 2036 wrote to memory of 904	2036	EQNEDT32.EXE	vbc.exe
PID 904 wrote to memory of 832	904	vbc.exe	vbc.exe
PID 904 wrote to memory of 832	904	vbc.exe	vbc.exe
PID 904 wrote to memory of 832	904	vbc.exe	vbc.exe
PID 904 wrote to memory of 832	904	vbc.exe	vbc.exe
PID 904 wrote to memory of 832	904	vbc.exe	vbc.exe
PID 904 wrote to memory of 832	904	vbc.exe	vbc.exe
PID 904 wrote to memory of 832	904	vbc.exe	vbc.exe
PID 904 wrote to memory of 832	904	vbc.exe	vbc.exe
PID 904 wrote to memory of 832	904	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\presupuesto.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
4c73eb0cc8484548f61fc47dbda9ce79

SHA1
f2fb44b8f77faa60883c615d355aebe67fcb5b7a

SHA256
e362a12bb6f319448ea193d84be1c4bf36f0c44f6e1229136d618ad4fb072fca

SHA512
ad87cf5504fefe90c5f8e047606e9ea9ac19bfd6f855560507c1ebebde24ca338b4d563f7a537578b7a1779e5cfb36d30a14fea934a257cf3d93bb6ab318e364

Download Submit
C:\Users\Public\vbc.exe
MD5
4c73eb0cc8484548f61fc47dbda9ce79

SHA1
f2fb44b8f77faa60883c615d355aebe67fcb5b7a

SHA256
e362a12bb6f319448ea193d84be1c4bf36f0c44f6e1229136d618ad4fb072fca

SHA512
ad87cf5504fefe90c5f8e047606e9ea9ac19bfd6f855560507c1ebebde24ca338b4d563f7a537578b7a1779e5cfb36d30a14fea934a257cf3d93bb6ab318e364

Download Submit
C:\Users\Public\vbc.exe
MD5
4c73eb0cc8484548f61fc47dbda9ce79

SHA1
f2fb44b8f77faa60883c615d355aebe67fcb5b7a

SHA256
e362a12bb6f319448ea193d84be1c4bf36f0c44f6e1229136d618ad4fb072fca

SHA512
ad87cf5504fefe90c5f8e047606e9ea9ac19bfd6f855560507c1ebebde24ca338b4d563f7a537578b7a1779e5cfb36d30a14fea934a257cf3d93bb6ab318e364

Download Submit
\Users\Public\vbc.exe
MD5
4c73eb0cc8484548f61fc47dbda9ce79

SHA1
f2fb44b8f77faa60883c615d355aebe67fcb5b7a

SHA256
e362a12bb6f319448ea193d84be1c4bf36f0c44f6e1229136d618ad4fb072fca

SHA512
ad87cf5504fefe90c5f8e047606e9ea9ac19bfd6f855560507c1ebebde24ca338b4d563f7a537578b7a1779e5cfb36d30a14fea934a257cf3d93bb6ab318e364

Download Submit
memory/832-75-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-80-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/832-78-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-76-0x00000000004375EE-mapping.dmp

Download
memory/904-68-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/904-70-0x0000000000370000-0x0000000000374000-memory.dmp

Filesize
16KB

Download
memory/904-71-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/904-73-0x00000000052E0000-0x00000000053AA000-memory.dmp

Filesize
808KB

Download
memory/904-74-0x0000000004B00000-0x0000000004B91000-memory.dmp

Filesize
580KB

Download
memory/904-65-0x0000000000000000-mapping.dmp

Download
memory/1096-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1096-60-0x000000002FBC1000-0x000000002FBC4000-memory.dmp

Filesize
12KB

Download
memory/1096-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1096-61-0x0000000070EB1000-0x0000000070EB3000-memory.dmp

Filesize
8KB

Download
memory/2036-63-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads