agenttesla | c5abfa80cf40d138887ae52cd441797c0e549af02c352f39451693cf597d184e

General

Target

RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe
Size

2.0MB
MD5

2a6cec53f04f431e88734606cc170575
SHA1

9c34a820806f306345f86db72bc0f3ae8ae7dfbf
SHA256

1296fea5be2ddeca7afbb565183c83b9a5660eb1fe98942bb2f048be7b237f6c
SHA512

83de8bc6688cd87d3596438f52f7cb5630d47bfa1546b38de6b4d8886a13290d7575f610d460fbcd287a4e4823db64892b64399fc59afa258b5448dbf807f7d1

Score

10^/10

agenttesla collection evasion keylogger persistence rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.parshavayealborz.com
Port:
587
Username:
[email protected]
Password:
P@rshava123456

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/704-89-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/704-94-0x000000000044C43E-mapping.dmp	family_agenttesla
behavioral1/memory/704-95-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/704-96-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

ReZer0 packer 2 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1280-56-0x0000000007F20000-0x00000000080DA000-memory.dmp	rezer0
behavioral1/memory/1208-69-0x0000000007C10000-0x0000000007D90000-memory.dmp	rezer0

Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

MSBuild.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts MSBuild.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MSBuild.exe

Drops startup file 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReAgentc.url	RegSvcs.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"	MSBuild.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/304-75-0x0000000000400000-0x0000000000579000-memory.dmp	autoit_exe
behavioral1/memory/304-77-0x0000000000400000-0x0000000000579000-memory.dmp	autoit_exe
behavioral1/memory/304-79-0x0000000000400000-0x0000000000579000-memory.dmp	autoit_exe
behavioral1/memory/304-81-0x0000000000400000-0x0000000000579000-memory.dmp	autoit_exe
behavioral1/memory/304-82-0x000000000042800A-mapping.dmp	autoit_exe
behavioral1/memory/304-85-0x0000000000400000-0x0000000000579000-memory.dmp	autoit_exe
behavioral1/memory/304-86-0x0000000000400000-0x0000000000579000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exeRegSvcs.exeRegSvcs.exe

description	pid	process	target process
PID 1280 set thread context of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1208 set thread context of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 304 set thread context of 704	304	RegSvcs.exe	MSBuild.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

284 REG.exe

pid	process
284	REG.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exeMSBuild.exeRegSvcs.exe

pid	process
1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe
704	MSBuild.exe
704	MSBuild.exe
304	RegSvcs.exe
304	RegSvcs.exe
304	RegSvcs.exe
304	RegSvcs.exe
304	RegSvcs.exe
304	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 1280 RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe
Token: SeDebugPrivilege 704 MSBuild.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

RegSvcs.exe

pid process

304 RegSvcs.exe
304 RegSvcs.exe
304 RegSvcs.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

RegSvcs.exe

pid process

304 RegSvcs.exe
304 RegSvcs.exe
304 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe
Token: SeDebugPrivilege	704	MSBuild.exe

pid	process
304	RegSvcs.exe
304	RegSvcs.exe
304	RegSvcs.exe

pid	process
304	RegSvcs.exe
304	RegSvcs.exe
304	RegSvcs.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exeRegSvcs.exeRegSvcs.exeMSBuild.exe

description	pid	process	target process
PID 1280 wrote to memory of 1556	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1556	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1556	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1556	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1556	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1556	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1556	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1280 wrote to memory of 1208	1280	RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 1208 wrote to memory of 304	1208	RegSvcs.exe	RegSvcs.exe
PID 304 wrote to memory of 704	304	RegSvcs.exe	MSBuild.exe
PID 304 wrote to memory of 704	304	RegSvcs.exe	MSBuild.exe
PID 304 wrote to memory of 704	304	RegSvcs.exe	MSBuild.exe
PID 304 wrote to memory of 704	304	RegSvcs.exe	MSBuild.exe
PID 304 wrote to memory of 704	304	RegSvcs.exe	MSBuild.exe
PID 304 wrote to memory of 704	304	RegSvcs.exe	MSBuild.exe
PID 704 wrote to memory of 284	704	MSBuild.exe	REG.exe
PID 704 wrote to memory of 284	704	MSBuild.exe	REG.exe
PID 704 wrote to memory of 284	704	MSBuild.exe	REG.exe
PID 704 wrote to memory of 284	704	MSBuild.exe	REG.exe
PID 704 wrote to memory of 1264	704	MSBuild.exe	netsh.exe
PID 704 wrote to memory of 1264	704	MSBuild.exe	netsh.exe
PID 704 wrote to memory of 1264	704	MSBuild.exe	netsh.exe
PID 704 wrote to memory of 1264	704	MSBuild.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ- PT MULYA MANDIRI NEW ORDER PO 02.27.20.doc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:704

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
5⤵
- Modifies registry key
PID:284

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
5⤵
PID:1264

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/284-100-0x0000000000000000-mapping.dmp

Download
memory/304-84-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/304-99-0x0000000002C10000-0x0000000002CA7000-memory.dmp

Filesize
604KB

Download
memory/304-98-0x0000000000F90000-0x0000000001027000-memory.dmp

Filesize
604KB

Download
memory/304-86-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/304-85-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/304-73-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/304-82-0x000000000042800A-mapping.dmp

Download
memory/304-81-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/304-79-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/304-77-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/304-75-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/304-70-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/304-71-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/704-87-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/704-89-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/704-96-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/704-95-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/704-94-0x000000000044C43E-mapping.dmp

Download
memory/1208-62-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1208-67-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1208-58-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1208-61-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1208-60-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1208-57-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1208-69-0x0000000007C10000-0x0000000007D90000-memory.dmp

Filesize
1.5MB

Download
memory/1208-63-0x00000000005AD5E6-mapping.dmp

Download
memory/1208-65-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/1208-68-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1264-101-0x0000000000000000-mapping.dmp

Download
memory/1280-54-0x00000000003D0000-0x00000000005DE000-memory.dmp

Filesize
2.1MB

Download
memory/1280-56-0x0000000007F20000-0x00000000080DA000-memory.dmp

Filesize
1.7MB

Download
memory/1280-55-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads