Analysis

  • max time kernel
    137s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    20-09-2021 16:04

General

  • Target

    Request for Quotation - P75(D53 )- FATP- RF.xlsx

  • Size

    363KB

  • MD5

    6081759506cc8cc4aade4e617b019a1d

  • SHA1

    25157cf5fac85a628ad9e60196714623040576d9

  • SHA256

    115a683b3b8b8b83c691c3fc65ce2e72db2525db43bd27296ee54e967fe386c6

  • SHA512

    91022c8b70840e8a1a24b788afb1516cbe60a3ce51579cd4d7a645d8d3df2cb79df4eb68a918a7fdb4a303204652b1846bb2f88144d18cba10c899ab1f1782ba

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    CXXOxCs5

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic (.NET).

  • Detect Neshta Payload 5 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family is a file infector: it injects itself into other executable files to spread and cause damage.

  • AgentTesla Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Request for Quotation - P75(D53 )- FATP- RF.xlsx"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1072
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
          "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:880

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\K8CH4PHC\OHMS_1~1.EXE
    MD5

    2029e8bcdaa99a883f61290d69db6bbd

    SHA1

    41b727e2ec28d0a5fb835bfc273960e69a456057

    SHA256

    d4d57e199af8c8195880fd4b50013ff1ec9d6cc6bdd8dac93825e2f3764edfa4

    SHA512

    4604c4447b977a362b929ba7cae29cedb43b735856b32fcccdb9247460b3a4df8453c263b05c434ce31812601c52afba2446df1f9395bf5e9f922d1aab27ec31

  • C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
    MD5

    1a109111cf4f1d0446d88b27188a1489

    SHA1

    4c4a2400cc546a3141fabd8d331fc7424509415e

    SHA256

    365826c0e8c910ca10d5d9c8144f026e7078064e14be2e9ee862d6fb3cadd112

    SHA512

    cf48991a1d5e1ef0e28e5c622be217fe57246f54960fe187e8751a9194bdc9ff73a3800be6a7e028ef933c5cf49405ba87d2b959724d86e4790e17587acc150f

  • C:\Users\Public\vbc.exe
    MD5

    2029e8bcdaa99a883f61290d69db6bbd

    SHA1

    41b727e2ec28d0a5fb835bfc273960e69a456057

    SHA256

    d4d57e199af8c8195880fd4b50013ff1ec9d6cc6bdd8dac93825e2f3764edfa4

    SHA512

    4604c4447b977a362b929ba7cae29cedb43b735856b32fcccdb9247460b3a4df8453c263b05c434ce31812601c52afba2446df1f9395bf5e9f922d1aab27ec31

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
    MD5

    1a109111cf4f1d0446d88b27188a1489

    SHA1

    4c4a2400cc546a3141fabd8d331fc7424509415e

    SHA256

    365826c0e8c910ca10d5d9c8144f026e7078064e14be2e9ee862d6fb3cadd112

    SHA512

    cf48991a1d5e1ef0e28e5c622be217fe57246f54960fe187e8751a9194bdc9ff73a3800be6a7e028ef933c5cf49405ba87d2b959724d86e4790e17587acc150f

  • \Users\Public\vbc.exe
    MD5

    2029e8bcdaa99a883f61290d69db6bbd

    SHA1

    41b727e2ec28d0a5fb835bfc273960e69a456057

    SHA256

    d4d57e199af8c8195880fd4b50013ff1ec9d6cc6bdd8dac93825e2f3764edfa4

    SHA512

    4604c4447b977a362b929ba7cae29cedb43b735856b32fcccdb9247460b3a4df8453c263b05c434ce31812601c52afba2446df1f9395bf5e9f922d1aab27ec31

  • memory/880-77-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

  • memory/880-78-0x000000000043759E-mapping.dmp
  • memory/880-84-0x0000000000611000-0x0000000000612000-memory.dmp
    Filesize

    4KB

  • memory/880-82-0x0000000000610000-0x0000000000611000-memory.dmp
    Filesize

    4KB

  • memory/880-80-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

  • memory/1072-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1072-54-0x000000002F7C1000-0x000000002F7C4000-memory.dmp
    Filesize

    12KB

  • memory/1072-55-0x0000000070D31000-0x0000000070D33000-memory.dmp
    Filesize

    8KB

  • memory/1072-83-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1080-60-0x0000000000000000-mapping.dmp
  • memory/1540-74-0x00000000053F0000-0x0000000005462000-memory.dmp
    Filesize

    456KB

  • memory/1540-75-0x0000000000B00000-0x0000000000B42000-memory.dmp
    Filesize

    264KB

  • memory/1540-65-0x0000000000000000-mapping.dmp
  • memory/1540-71-0x0000000000660000-0x0000000000661000-memory.dmp
    Filesize

    4KB

  • memory/1540-70-0x0000000000640000-0x000000000065D000-memory.dmp
    Filesize

    116KB

  • memory/1540-68-0x0000000000B50000-0x0000000000B51000-memory.dmp
    Filesize

    4KB

  • memory/1580-57-0x0000000075871000-0x0000000075873000-memory.dmp
    Filesize

    8KB