agenttesla | 42b0a4e1c478f7f525758ad8cf77c3e070c76435d76aa2fb5b5fc668929eb7a9

Resubmissions

06/07/2023, 11:55

230706-n3f57abh7s 10

06/07/2023, 11:51

230706-n1ffwaae69 1

Analysis

max time kernel
261s
max time network
76s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

476d26810e91e137d1e3325bd66e6432ac6f9941b179cce9297bbcad2c823851.xls
Size

1.1MB
MD5

8240ac402de015516cc0ac72b075fe10
SHA1

5840469aee41db6480a5ba2dfa481a325f9bd50f
SHA256

476d26810e91e137d1e3325bd66e6432ac6f9941b179cce9297bbcad2c823851
SHA512

9f9a4e0ea26c20c830c0285b57cb310ff8c2dc2017be531729ed64a64389eef150876ffc3bbc2d13d131fa0998423cb861c71af8fee50b426df25c9aca7473fc
SSDEEP

24576:Az0w6sYz+o0xfsjcUos+xK5w6sAzKo0xfsjcUos+xKY3mYj3qJPR6wdB:AT6sYOxfsjdos+xKS6sAyxfsjdos+xKh

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2992	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
868	IBM_Centos.exe
2204	IBM_Centos.exe

Loads dropped DLL 3 IoCs

pid	Process
2992	EQNEDT32.EXE
868	IBM_Centos.exe
868	IBM_Centos.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	IBM_Centos.exe
Key opened	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	IBM_Centos.exe
Key opened	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	IBM_Centos.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Windows\CurrentVersion\Run\sOFvE = "C:\\Users\\Admin\\AppData\\Roaming\\sOFvE\\sOFvE.exe"	IBM_Centos.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\My Data Sources\DESKTOP.INI	EXCEL.EXE
File opened for modification	C:\Users\Admin\Documents\My Data Sources\DESKTOP.INI	EXCEL.EXE

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 868 set thread context of 2204	868	IBM_Centos.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2992	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2308	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	IBM_Centos.exe
2204	IBM_Centos.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
868	IBM_Centos.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	IBM_Centos.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 868	2992	EQNEDT32.EXE	30
PID 2992 wrote to memory of 868	2992	EQNEDT32.EXE	30
PID 2992 wrote to memory of 868	2992	EQNEDT32.EXE	30
PID 2992 wrote to memory of 868	2992	EQNEDT32.EXE	30
PID 868 wrote to memory of 2204	868	IBM_Centos.exe	31
PID 868 wrote to memory of 2204	868	IBM_Centos.exe	31
PID 868 wrote to memory of 2204	868	IBM_Centos.exe	31
PID 868 wrote to memory of 2204	868	IBM_Centos.exe	31
PID 868 wrote to memory of 2204	868	IBM_Centos.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	IBM_Centos.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	IBM_Centos.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\476d26810e91e137d1e3325bd66e6432ac6f9941b179cce9297bbcad2c823851.xls
1⤵
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe
  "C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe
    "C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FD647910.emf

Filesize
1.4MB

MD5
1fcb3f34b5588f6a647a06dff1811bf9

SHA1
1f5ef0e6e41c14795decedcefc883ab9000fac9a

SHA256
a99e8172248dac0b2a6243d06a862901989857b0c2ecbed5f25ddb0d1a95154e

SHA512
47e951583afff444f9adb09beab0d83f9792b46d3e1fabf05d21068218d64b3cba48e2dc22fe0a7bd3252a0e0c8866faa244b5dc3784bd336ecbc9f2924fb2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe

Filesize
373KB

MD5
96747c013d4d5da97af5acb7bce91c33

SHA1
ea768268680d272283f9acfd7d7bf1f6bc12bca6

SHA256
7c611258c4817d2bb7307a1d837b68e1f2805f65ed1f1918f759786ec4809eb7

SHA512
5d68bd1a2920597387635b71ae685e21db305703d9330307287772dfe5aeb98add349ff7bb74ccfaa81283a9bb390896d0a10412d095c014fbbc19ee5659bb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe

Filesize
373KB

MD5
96747c013d4d5da97af5acb7bce91c33

SHA1
ea768268680d272283f9acfd7d7bf1f6bc12bca6

SHA256
7c611258c4817d2bb7307a1d837b68e1f2805f65ed1f1918f759786ec4809eb7

SHA512
5d68bd1a2920597387635b71ae685e21db305703d9330307287772dfe5aeb98add349ff7bb74ccfaa81283a9bb390896d0a10412d095c014fbbc19ee5659bb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe

Filesize
373KB

MD5
96747c013d4d5da97af5acb7bce91c33

SHA1
ea768268680d272283f9acfd7d7bf1f6bc12bca6

SHA256
7c611258c4817d2bb7307a1d837b68e1f2805f65ed1f1918f759786ec4809eb7

SHA512
5d68bd1a2920597387635b71ae685e21db305703d9330307287772dfe5aeb98add349ff7bb74ccfaa81283a9bb390896d0a10412d095c014fbbc19ee5659bb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBM_Centos.exe

Filesize
373KB

MD5
96747c013d4d5da97af5acb7bce91c33

SHA1
ea768268680d272283f9acfd7d7bf1f6bc12bca6

SHA256
7c611258c4817d2bb7307a1d837b68e1f2805f65ed1f1918f759786ec4809eb7

SHA512
5d68bd1a2920597387635b71ae685e21db305703d9330307287772dfe5aeb98add349ff7bb74ccfaa81283a9bb390896d0a10412d095c014fbbc19ee5659bb93

Download Submit
\Users\Admin\AppData\Local\Temp\IBM_Centos.exe

Filesize
373KB

MD5
96747c013d4d5da97af5acb7bce91c33

SHA1
ea768268680d272283f9acfd7d7bf1f6bc12bca6

SHA256
7c611258c4817d2bb7307a1d837b68e1f2805f65ed1f1918f759786ec4809eb7

SHA512
5d68bd1a2920597387635b71ae685e21db305703d9330307287772dfe5aeb98add349ff7bb74ccfaa81283a9bb390896d0a10412d095c014fbbc19ee5659bb93

Download Submit
\Users\Admin\AppData\Local\Temp\IBM_Centos.exe

Filesize
373KB

MD5
96747c013d4d5da97af5acb7bce91c33

SHA1
ea768268680d272283f9acfd7d7bf1f6bc12bca6

SHA256
7c611258c4817d2bb7307a1d837b68e1f2805f65ed1f1918f759786ec4809eb7

SHA512
5d68bd1a2920597387635b71ae685e21db305703d9330307287772dfe5aeb98add349ff7bb74ccfaa81283a9bb390896d0a10412d095c014fbbc19ee5659bb93

Download Submit
\Users\Admin\AppData\Local\Temp\nst5CB3.tmp\bjdisxw.dll

Filesize
255KB

MD5
e0bc4b64ecd0c9c3df778bbe8f5ee0f4

SHA1
fd8a4f7dab49ccc3616a08d80c0cb8a8dd26ce1a

SHA256
b7e6efee8f1c7a8ac1b42a436b03534e03d9ab4693e8aeecfc606126ade42137

SHA512
1af6be2b5ff66466c351b925c2bfbbe049f8e5ba9eda4dfd3730e032b6e87cafbf74fceff7639834a58ccfe3fdf391e95681756dd0c226a0f23d58b2b39652f2

Download Submit
memory/2204-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-81-0x0000000000560000-0x0000000000590000-memory.dmp

Filesize
192KB

Download
memory/2204-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-83-0x00000000045C0000-0x0000000004600000-memory.dmp

Filesize
256KB

Download
memory/2308-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download