agenttesla | 8e97e85fd5881e5f4f31f95f5bc13de014ab3a3f278fec651f5208a73f22259e

General

Target

RFQ No3756368.doc
Size

75KB
MD5

b156ed4230557289721a0256a6aa23ea
SHA1

59d8da9d1c4ec783f59d9c6ba330e4392151cb9a
SHA256

8e97e85fd5881e5f4f31f95f5bc13de014ab3a3f278fec651f5208a73f22259e
SHA512

8c1e68f8f497becf235c453c23eab1638ca4ceb283e92ab221ec366ed24b10152e4e2301fbf3739f095dc32c4b3f6fcec3432d587440fe54d4e2d6e7c6ef2d91

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.camerapro.co.za
Port:
587
Username:
orders@camerapro.co.za
Password:
JJJ65259sss

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-77-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1644-78-0x000000000043762E-mapping.dmp	family_agenttesla
behavioral1/memory/1644-80-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1216 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

odogwu98741.exeodogwu98741.exe

pid process

1692 odogwu98741.exe
1644 odogwu98741.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1216 EQNEDT32.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

odogwu98741.exe

description pid process target process

PID 1692 set thread context of 1644 1692 odogwu98741.exe odogwu98741.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1216 EQNEDT32.EXE

flow	pid	process
7	1216	EQNEDT32.EXE

pid	process
1692	odogwu98741.exe
1644	odogwu98741.exe

pid	process
1216	EQNEDT32.EXE

description	pid	process	target process
PID 1692 set thread context of 1644	1692	odogwu98741.exe	odogwu98741.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1216	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1832 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

odogwu98741.exe

pid process

1644 odogwu98741.exe
1644 odogwu98741.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

odogwu98741.exeodogwu98741.exe

description pid process

Token: SeDebugPrivilege 1692 odogwu98741.exe
Token: SeDebugPrivilege 1644 odogwu98741.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1832 WINWORD.EXE
1832 WINWORD.EXE

pid	process
1832	WINWORD.EXE

pid	process
1644	odogwu98741.exe
1644	odogwu98741.exe

description	pid	process
Token: SeDebugPrivilege	1692	odogwu98741.exe
Token: SeDebugPrivilege	1644	odogwu98741.exe

pid	process
1832	WINWORD.EXE
1832	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEodogwu98741.exe

description	pid	process	target process
PID 1216 wrote to memory of 1692	1216	EQNEDT32.EXE	odogwu98741.exe
PID 1216 wrote to memory of 1692	1216	EQNEDT32.EXE	odogwu98741.exe
PID 1216 wrote to memory of 1692	1216	EQNEDT32.EXE	odogwu98741.exe
PID 1216 wrote to memory of 1692	1216	EQNEDT32.EXE	odogwu98741.exe
PID 1832 wrote to memory of 1552	1832	WINWORD.EXE	splwow64.exe
PID 1832 wrote to memory of 1552	1832	WINWORD.EXE	splwow64.exe
PID 1832 wrote to memory of 1552	1832	WINWORD.EXE	splwow64.exe
PID 1832 wrote to memory of 1552	1832	WINWORD.EXE	splwow64.exe
PID 1692 wrote to memory of 1644	1692	odogwu98741.exe	odogwu98741.exe
PID 1692 wrote to memory of 1644	1692	odogwu98741.exe	odogwu98741.exe
PID 1692 wrote to memory of 1644	1692	odogwu98741.exe	odogwu98741.exe
PID 1692 wrote to memory of 1644	1692	odogwu98741.exe	odogwu98741.exe
PID 1692 wrote to memory of 1644	1692	odogwu98741.exe	odogwu98741.exe
PID 1692 wrote to memory of 1644	1692	odogwu98741.exe	odogwu98741.exe
PID 1692 wrote to memory of 1644	1692	odogwu98741.exe	odogwu98741.exe
PID 1692 wrote to memory of 1644	1692	odogwu98741.exe	odogwu98741.exe
PID 1692 wrote to memory of 1644	1692	odogwu98741.exe	odogwu98741.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ No3756368.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1552

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Roaming\odogwu98741.exe
"C:\Users\Admin\AppData\Roaming\odogwu98741.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Roaming\odogwu98741.exe
"C:\Users\Admin\AppData\Roaming\odogwu98741.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\odogwu98741.exe
MD5
9c0421b87aa0703d72fe9b405938eecc

SHA1
40c2016e003fc0c1268251aba63bbcffd7658280

SHA256
8b987ac35e194eb8c98666431ac30a66c4daae15e605679390dea2e72d9199eb

SHA512
fcf8a240df4de33c2515ee1f87d0bcfe0f01be36167686b15484a2a0b1e9ec281887c0589c673aace65bc113706a51f83beafbc496607c68be10bcf40c36024a

Download Submit
C:\Users\Admin\AppData\Roaming\odogwu98741.exe
MD5
9c0421b87aa0703d72fe9b405938eecc

SHA1
40c2016e003fc0c1268251aba63bbcffd7658280

SHA256
8b987ac35e194eb8c98666431ac30a66c4daae15e605679390dea2e72d9199eb

SHA512
fcf8a240df4de33c2515ee1f87d0bcfe0f01be36167686b15484a2a0b1e9ec281887c0589c673aace65bc113706a51f83beafbc496607c68be10bcf40c36024a

Download Submit
C:\Users\Admin\AppData\Roaming\odogwu98741.exe
MD5
9c0421b87aa0703d72fe9b405938eecc

SHA1
40c2016e003fc0c1268251aba63bbcffd7658280

SHA256
8b987ac35e194eb8c98666431ac30a66c4daae15e605679390dea2e72d9199eb

SHA512
fcf8a240df4de33c2515ee1f87d0bcfe0f01be36167686b15484a2a0b1e9ec281887c0589c673aace65bc113706a51f83beafbc496607c68be10bcf40c36024a

Download Submit
\Users\Admin\AppData\Roaming\odogwu98741.exe
MD5
9c0421b87aa0703d72fe9b405938eecc

SHA1
40c2016e003fc0c1268251aba63bbcffd7658280

SHA256
8b987ac35e194eb8c98666431ac30a66c4daae15e605679390dea2e72d9199eb

SHA512
fcf8a240df4de33c2515ee1f87d0bcfe0f01be36167686b15484a2a0b1e9ec281887c0589c673aace65bc113706a51f83beafbc496607c68be10bcf40c36024a

Download Submit
memory/1552-73-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download
memory/1552-72-0x0000000000000000-mapping.dmp

Download
memory/1644-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1644-78-0x000000000043762E-mapping.dmp

Download
memory/1644-82-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1644-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-75-0x00000000053B0000-0x000000000542A000-memory.dmp

Filesize
488KB

Download
memory/1692-74-0x00000000004E0000-0x000000000050D000-memory.dmp

Filesize
180KB

Download
memory/1692-66-0x0000000000000000-mapping.dmp

Download
memory/1692-76-0x0000000000610000-0x0000000000649000-memory.dmp

Filesize
228KB

Download
memory/1692-71-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1692-69-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1832-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1832-60-0x0000000072FA1000-0x0000000072FA4000-memory.dmp

Filesize
12KB

Download
memory/1832-63-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1832-61-0x0000000070A21000-0x0000000070A23000-memory.dmp

Filesize
8KB

Download
memory/1832-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads