Analysis

  • max time kernel
    105s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/01/2023, 13:29

General

  • Target

    ac83d6b235460fb3516e0efb7b91d2159ab4636e.rtf

  • Size

    26KB

  • MD5

    051873c5ce8770dd82270d6ac13e3061

  • SHA1

    ac83d6b235460fb3516e0efb7b91d2159ab4636e

  • SHA256

    5f8573d933fb9af96a8e7fb3ad4083e7d5fdad2c4a5960b7dc7f79bb788b6658

  • SHA512

    b424ea79c54f3743692d7831154cbb123f204a6ab41a889c6d7f39f17d8ee6122b3e2782b253266b2186383afae2afd96bc05d1f0ba33b6b5db432444bfa0f4d

  • SSDEEP

    768:4Fx0XaIsnPRIa4fwJMRoSaDlnc1pzULHCdn+az:4f0Xvx3EMRodlgp5Iaz

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    hnxqezadblabdsss

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ac83d6b235460fb3516e0efb7b91d2159ab4636e.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1740
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Users\Admin\AppData\Roaming\obiyu6581.exe
        "C:\Users\Admin\AppData\Roaming\obiyu6581.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Users\Admin\AppData\Local\Temp\pxlbegicoi.exe
          "C:\Users\Admin\AppData\Local\Temp\pxlbegicoi.exe" C:\Users\Admin\AppData\Local\Temp\dhvsiqlnof.chn
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:536
          • C:\Users\Admin\AppData\Local\Temp\pxlbegicoi.exe
            "C:\Users\Admin\AppData\Local\Temp\pxlbegicoi.exe"
            4⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • outlook_office_path
            • outlook_win_path
            PID:1348

    Network

          MITRE ATT&CK Enterprise v6

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\btjlomezd.de

            Filesize

            294KB

            MD5

            9a3100fbf00249776c39703d74c86bcb

            SHA1

            9308566b4f0cf8785801514b6c09c27ad545b5bb

            SHA256

            3d63c09cc48a8e04833c25ca7505d092e96c9239c486d00f1f19a32e776f55d2

            SHA512

            daccf35446fc9efed13227a40c0264f3968eb0efb8dd8f98eef4efc32b66f38aa3519ac3bb85d407ecde1d241c7dddbd2f455535ae53803c2c0a84992068fe1d

          • C:\Users\Admin\AppData\Local\Temp\dhvsiqlnof.chn

            Filesize

            5KB

            MD5

            093ea54ba6d9c524c8e4f208c1140716

            SHA1

            4a4e416313436fb0030bfd693b5880b1e883a05f

            SHA256

            df7f5bed79354218b633634b66b21ed1c0a8321835b446374f3f5192d0a84f3e

            SHA512

            cb44bcc354de2bcd7e5c193ee374d8db07de41c39a8b8d2620156b40c7266e754cc48a9c24119f909312760d550fac1374adca52a7855e12502049e861e8cb9a

          • C:\Users\Admin\AppData\Local\Temp\pxlbegicoi.exe

            Filesize

            56KB

            MD5

            b069fb341bd1f8f8141f261579101873

            SHA1

            f05df7d06aef2bd280cd6c890c6e0149128e8bb9

            SHA256

            7dacabdcc2d40579d3b95da51e702c1c561a42723955670d3b52e5801594612e

            SHA512

            00be98133467a7af257f18abf6b8d08fdfd072998ccc4deda1047624c5e3510ff0856a1d1cf0daaf133cd170dd461a3431cce246bf4aa5e3fa239afa7ac10748

          • C:\Users\Admin\AppData\Roaming\obiyu6581.exe

            Filesize

            463KB

            MD5

            7d8b4ff9fc0226efd409c8162928efaa

            SHA1

            7877ccd3084da333c77b353a6dc65b8e00b0a393

            SHA256

            04698304959253365ac8015e9af904b4be0e1938c63a5b91276028636a90cbbc

            SHA512

            9b1c5642f9044719a7456826dea490b329775258e84e47ac48f7563792fe466062b0a0566bda57e8755ba23982e154c2f967e5ed61dee84469f5ac3246b08fe1

          • memory/1348-78-0x0000000000400000-0x0000000000449000-memory.dmp

            Filesize

            292KB

          • memory/1348-77-0x0000000004480000-0x00000000044B8000-memory.dmp

            Filesize

            224KB

          • memory/1552-54-0x0000000072951000-0x0000000072954000-memory.dmp

            Filesize

            12KB

          • memory/1552-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/1552-57-0x0000000075241000-0x0000000075243000-memory.dmp

            Filesize

            8KB

          • memory/1552-55-0x00000000703D1000-0x00000000703D3000-memory.dmp

            Filesize

            8KB

          • memory/1552-58-0x00000000713BD000-0x00000000713C8000-memory.dmp

            Filesize

            44KB

          • memory/1552-79-0x00000000713BD000-0x00000000713C8000-memory.dmp

            Filesize

            44KB

          • memory/1552-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/1552-83-0x00000000713BD000-0x00000000713C8000-memory.dmp

            Filesize

            44KB

          • memory/1740-81-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

            Filesize

            8KB