agenttesla | dae10b4be19f81707d8c9b2fab7539a0f5a9c82ef37f5c0ee3500c161c68fb20

General

Target

Invoice#P.O474746.xlsx
Size

602KB
MD5

80126b0c7190360c63cdfc0b57839920
SHA1

191ffb490653ca129ed7fe603f2d7734d3d0c157
SHA256

dae10b4be19f81707d8c9b2fab7539a0f5a9c82ef37f5c0ee3500c161c68fb20
SHA512

6ccb4cf91abfa2693b79099d9e498aa24658fb1a5c6f85420487fa8998208fc6ac9caf4ca1053179e0c331cabaf411607a8e0344654c920f67d991b0a6fa0979

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.simpleitalian.com.au
Port:
587
Username:
[email protected]
Password:
SIpassword101$

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1628-73-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1628-74-0x00000000004374CE-mapping.dmp	family_agenttesla
behavioral1/memory/1628-76-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/300-70-0x0000000000330000-0x000000000033B000-memory.dmp	CustAttr

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1732 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

ashlye51.exeashlye51.exe

pid process

300 ashlye51.exe
1628 ashlye51.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1732 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

ashlye51.exe

description pid process target process

PID 300 set thread context of 1628 300 ashlye51.exe ashlye51.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1732 EQNEDT32.EXE

flow	pid	process
6	1732	EQNEDT32.EXE

pid	process
300	ashlye51.exe
1628	ashlye51.exe

pid	process
1732	EQNEDT32.EXE

description	pid	process	target process
PID 300 set thread context of 1628	300	ashlye51.exe	ashlye51.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1732	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1996 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ashlye51.exe

pid process

1628 ashlye51.exe
1628 ashlye51.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ashlye51.exe

description pid process

Token: SeDebugPrivilege 1628 ashlye51.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1996 EXCEL.EXE
1996 EXCEL.EXE
1996 EXCEL.EXE

pid	process
1996	EXCEL.EXE

pid	process
1628	ashlye51.exe
1628	ashlye51.exe

description	pid	process
Token: SeDebugPrivilege	1628	ashlye51.exe

pid	process
1996	EXCEL.EXE
1996	EXCEL.EXE
1996	EXCEL.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

EQNEDT32.EXEashlye51.exe

description	pid	process	target process
PID 1732 wrote to memory of 300	1732	EQNEDT32.EXE	ashlye51.exe
PID 1732 wrote to memory of 300	1732	EQNEDT32.EXE	ashlye51.exe
PID 1732 wrote to memory of 300	1732	EQNEDT32.EXE	ashlye51.exe
PID 1732 wrote to memory of 300	1732	EQNEDT32.EXE	ashlye51.exe
PID 300 wrote to memory of 1628	300	ashlye51.exe	ashlye51.exe
PID 300 wrote to memory of 1628	300	ashlye51.exe	ashlye51.exe
PID 300 wrote to memory of 1628	300	ashlye51.exe	ashlye51.exe
PID 300 wrote to memory of 1628	300	ashlye51.exe	ashlye51.exe
PID 300 wrote to memory of 1628	300	ashlye51.exe	ashlye51.exe
PID 300 wrote to memory of 1628	300	ashlye51.exe	ashlye51.exe
PID 300 wrote to memory of 1628	300	ashlye51.exe	ashlye51.exe
PID 300 wrote to memory of 1628	300	ashlye51.exe	ashlye51.exe
PID 300 wrote to memory of 1628	300	ashlye51.exe	ashlye51.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice#P.O474746.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Roaming\ashlye51.exe
"C:\Users\Admin\AppData\Roaming\ashlye51.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:300

C:\Users\Admin\AppData\Roaming\ashlye51.exe
"C:\Users\Admin\AppData\Roaming\ashlye51.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ashlye51.exe
MD5
dfcca1c0512fb60c55bc167340b8e653

SHA1
95931116c675f2b616c169c2bd62af810751ce22

SHA256
d2ac9d14c748cb3068f47fb3b8e0c30466f14a706eb17737b9122a8f8a023f0c

SHA512
e76a9c15f77173ea568b912260ff970420dbdd962d46fc2575491257cd45a684c2f0577eafc15aa693c6fe46738487a86b64933c2c17ea062ebdf96fe7ec080e

Download Submit
C:\Users\Admin\AppData\Roaming\ashlye51.exe
MD5
dfcca1c0512fb60c55bc167340b8e653

SHA1
95931116c675f2b616c169c2bd62af810751ce22

SHA256
d2ac9d14c748cb3068f47fb3b8e0c30466f14a706eb17737b9122a8f8a023f0c

SHA512
e76a9c15f77173ea568b912260ff970420dbdd962d46fc2575491257cd45a684c2f0577eafc15aa693c6fe46738487a86b64933c2c17ea062ebdf96fe7ec080e

Download Submit
C:\Users\Admin\AppData\Roaming\ashlye51.exe
MD5
dfcca1c0512fb60c55bc167340b8e653

SHA1
95931116c675f2b616c169c2bd62af810751ce22

SHA256
d2ac9d14c748cb3068f47fb3b8e0c30466f14a706eb17737b9122a8f8a023f0c

SHA512
e76a9c15f77173ea568b912260ff970420dbdd962d46fc2575491257cd45a684c2f0577eafc15aa693c6fe46738487a86b64933c2c17ea062ebdf96fe7ec080e

Download Submit
\Users\Admin\AppData\Roaming\ashlye51.exe
MD5
dfcca1c0512fb60c55bc167340b8e653

SHA1
95931116c675f2b616c169c2bd62af810751ce22

SHA256
d2ac9d14c748cb3068f47fb3b8e0c30466f14a706eb17737b9122a8f8a023f0c

SHA512
e76a9c15f77173ea568b912260ff970420dbdd962d46fc2575491257cd45a684c2f0577eafc15aa693c6fe46738487a86b64933c2c17ea062ebdf96fe7ec080e

Download Submit
memory/300-70-0x0000000000330000-0x000000000033B000-memory.dmp

Filesize
44KB

Download
memory/300-71-0x0000000004DB0000-0x0000000004E2B000-memory.dmp

Filesize
492KB

Download
memory/300-72-0x00000000004A0000-0x00000000004DD000-memory.dmp

Filesize
244KB

Download
memory/300-64-0x0000000000000000-mapping.dmp

Download
memory/300-67-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/300-69-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1628-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1628-74-0x00000000004374CE-mapping.dmp

Download
memory/1628-76-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1628-78-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/1628-80-0x0000000004BA1000-0x0000000004BA2000-memory.dmp

Filesize
4KB

Download
memory/1732-62-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download
memory/1996-59-0x000000002F561000-0x000000002F564000-memory.dmp

Filesize
12KB

Download
memory/1996-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1996-60-0x0000000070F91000-0x0000000070F93000-memory.dmp

Filesize
8KB

Download
memory/1996-79-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads