agenttesla | 92f98059db2e215ef3ff991be89504eafea4e08c66753c9a480d03cdb0b9add9

General

Target

US 74,100.50 .xlsx
Size

1.1MB
MD5

b8e12d23fa9780efb407c51dd8a3767f
SHA1

110487c60cd6507687a5d93b9fa2ce6e5dbd46b7
SHA256

92f98059db2e215ef3ff991be89504eafea4e08c66753c9a480d03cdb0b9add9
SHA512

01d11839f2339188490b518fd66baf7840c0b48d91891828107b74aa5e2ec9c5df0c8bb7b2a091e025ebbf62de47e73b7692fab62e1a9b4ee78e992cff4d0053

Score

10^/10

agenttesla keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cisburo.com
Port:
587
Username:
elie@cisburo.com
Password:
Essaab1967#

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2040-80-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2040-81-0x00000000004375EE-mapping.dmp	family_agenttesla
behavioral1/memory/2040-83-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1676 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1760 vbc.exe
2040 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1676 EQNEDT32.EXE
1676 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
6	1676	EQNEDT32.EXE

pid	process
1760	vbc.exe
2040	vbc.exe

pid	process
1676	EQNEDT32.EXE
1676	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1760 set thread context of 2040 1760 vbc.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1864 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1676 EQNEDT32.EXE

description	pid	process	target process
PID 1760 set thread context of 2040	1760	vbc.exe	vbc.exe

pid	process
1864	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1676	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2032 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exevbc.exe

pid process

1760 vbc.exe
2040 vbc.exe
2040 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exevbc.exe

description pid process

Token: SeDebugPrivilege 1760 vbc.exe
Token: SeDebugPrivilege 2040 vbc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

2032 EXCEL.EXE
2032 EXCEL.EXE
2032 EXCEL.EXE

pid	process
2032	EXCEL.EXE

pid	process
1760	vbc.exe
2040	vbc.exe
2040	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1760	vbc.exe
Token: SeDebugPrivilege	2040	vbc.exe

pid	process
2032	EXCEL.EXE
2032	EXCEL.EXE
2032	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEvbc.exe

description	pid	process	target process
PID 1676 wrote to memory of 1760	1676	EQNEDT32.EXE	vbc.exe
PID 1676 wrote to memory of 1760	1676	EQNEDT32.EXE	vbc.exe
PID 1676 wrote to memory of 1760	1676	EQNEDT32.EXE	vbc.exe
PID 1676 wrote to memory of 1760	1676	EQNEDT32.EXE	vbc.exe
PID 1760 wrote to memory of 1864	1760	vbc.exe	schtasks.exe
PID 1760 wrote to memory of 1864	1760	vbc.exe	schtasks.exe
PID 1760 wrote to memory of 1864	1760	vbc.exe	schtasks.exe
PID 1760 wrote to memory of 1864	1760	vbc.exe	schtasks.exe
PID 1760 wrote to memory of 2040	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 2040	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 2040	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 2040	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 2040	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 2040	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 2040	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 2040	1760	vbc.exe	vbc.exe
PID 1760 wrote to memory of 2040	1760	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\US 74,100.50 .xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tnSAYdHPXvYHNv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCA9.tmp"
3⤵
- Creates scheduled task(s)
PID:1864

C:\Users\Public\vbc.exe
"{path}"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDCA9.tmp
MD5
1604f75bfe2dd9d41d09ff62a6f81689

SHA1
9f8fc57042c7b600dd085877072202a72653eb09

SHA256
41a81af3cab9604bdfdfe5d971ea57d4d546601b960744dbac2881c6f88ca2cf

SHA512
b12d621f1cdca585e4ddae44ff235c704c4ba13a87b791a73dcd04629af9c9fbb5ee8e9aed5b4b7405789d16926a9cac14a8ee82acb941b5fca7865511fb81c2

Download Submit
C:\Users\Public\vbc.exe
MD5
91be015e2c0c979a2a5b84fc81164538

SHA1
14b768716368e0dbbd188d2aad80eaff8340f912

SHA256
25ed1a3e7245151fbb0d15d7561a97be5d29c6571a8d6ccacfbaac4f22577f60

SHA512
adc479641a712764b71f26bc6f3f00c8e2959f29f645e8ed68a115a84afe583d7c72dcb47b99dc09007608c21cda27c99bc9946d3685fe486689dd8b4dd96c85

Download Submit
C:\Users\Public\vbc.exe
MD5
91be015e2c0c979a2a5b84fc81164538

SHA1
14b768716368e0dbbd188d2aad80eaff8340f912

SHA256
25ed1a3e7245151fbb0d15d7561a97be5d29c6571a8d6ccacfbaac4f22577f60

SHA512
adc479641a712764b71f26bc6f3f00c8e2959f29f645e8ed68a115a84afe583d7c72dcb47b99dc09007608c21cda27c99bc9946d3685fe486689dd8b4dd96c85

Download Submit
C:\Users\Public\vbc.exe
MD5
91be015e2c0c979a2a5b84fc81164538

SHA1
14b768716368e0dbbd188d2aad80eaff8340f912

SHA256
25ed1a3e7245151fbb0d15d7561a97be5d29c6571a8d6ccacfbaac4f22577f60

SHA512
adc479641a712764b71f26bc6f3f00c8e2959f29f645e8ed68a115a84afe583d7c72dcb47b99dc09007608c21cda27c99bc9946d3685fe486689dd8b4dd96c85

Download Submit
\Users\Public\vbc.exe
MD5
91be015e2c0c979a2a5b84fc81164538

SHA1
14b768716368e0dbbd188d2aad80eaff8340f912

SHA256
25ed1a3e7245151fbb0d15d7561a97be5d29c6571a8d6ccacfbaac4f22577f60

SHA512
adc479641a712764b71f26bc6f3f00c8e2959f29f645e8ed68a115a84afe583d7c72dcb47b99dc09007608c21cda27c99bc9946d3685fe486689dd8b4dd96c85

Download Submit
\Users\Public\vbc.exe
MD5
91be015e2c0c979a2a5b84fc81164538

SHA1
14b768716368e0dbbd188d2aad80eaff8340f912

SHA256
25ed1a3e7245151fbb0d15d7561a97be5d29c6571a8d6ccacfbaac4f22577f60

SHA512
adc479641a712764b71f26bc6f3f00c8e2959f29f645e8ed68a115a84afe583d7c72dcb47b99dc09007608c21cda27c99bc9946d3685fe486689dd8b4dd96c85

Download Submit
memory/1676-63-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1760-66-0x0000000000000000-mapping.dmp

Download
memory/1760-76-0x0000000005030000-0x00000000050AE000-memory.dmp

Filesize
504KB

Download
memory/1760-69-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1760-71-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1760-72-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1760-77-0x0000000004C60000-0x0000000004C9B000-memory.dmp

Filesize
236KB

Download
memory/1864-78-0x0000000000000000-mapping.dmp

Download
memory/2032-74-0x00000000060E0000-0x0000000006D2A000-memory.dmp

Filesize
12.3MB

Download
memory/2032-73-0x00000000060E0000-0x0000000006D2A000-memory.dmp

Filesize
12.3MB

Download
memory/2032-75-0x00000000060E0000-0x0000000006D2A000-memory.dmp

Filesize
12.3MB

Download
memory/2032-60-0x000000002F691000-0x000000002F694000-memory.dmp

Filesize
12KB

Download
memory/2032-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2032-61-0x0000000070F81000-0x0000000070F83000-memory.dmp

Filesize
8KB

Download
memory/2032-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2040-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2040-81-0x00000000004375EE-mapping.dmp

Download
memory/2040-83-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2040-85-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads