agenttesla | 314ebae4b7fc2a469b7de3aea6246db22cc31f2e7ee443b6126cee0b8a10566a

General

Target

86c6b589396bd7069c39b4dc6578b1ad.rtf
Size

45KB
MD5

86c6b589396bd7069c39b4dc6578b1ad
SHA1

f74ab2fadf5bd8b3ceed9cb2909f1920435d414f
SHA256

314ebae4b7fc2a469b7de3aea6246db22cc31f2e7ee443b6126cee0b8a10566a
SHA512

76a0f63f04f668f7a9d26389ec589bf7a9d28b55736839f7e26a2d4c4f69fd17c725f9baa749bee4dcee5dc46295086864cd0ccfb319c5cb421819a38fec839d
SSDEEP

768:YFx0XaIsnPRIa4fwJMGlMZVCA5iZv+nbV9XdGSgudgutrbdYd2b+y:Yf0Xvx3EMGEiZ2bDMFudguNbdYde

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://valvulasthermovalve.cl
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!!

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2332	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2524	damianoen587138.exe
2964	damianoen587138.exe
3012	damianoen587138.exe

Loads dropped DLL 1 IoCs

pid	Process
2332	EQNEDT32.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	damianoen587138.exe
Key opened	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	damianoen587138.exe
Key opened	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	damianoen587138.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
6	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 3012	2524	damianoen587138.exe	36

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2332	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2096	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2524	damianoen587138.exe
2524	damianoen587138.exe
3012	damianoen587138.exe
3012	damianoen587138.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	damianoen587138.exe
Token: SeDebugPrivilege	3012	damianoen587138.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2096	WINWORD.EXE
2096	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2524	2332	EQNEDT32.EXE	29
PID 2332 wrote to memory of 2524	2332	EQNEDT32.EXE	29
PID 2332 wrote to memory of 2524	2332	EQNEDT32.EXE	29
PID 2332 wrote to memory of 2524	2332	EQNEDT32.EXE	29
PID 2096 wrote to memory of 1472	2096	WINWORD.EXE	34
PID 2096 wrote to memory of 1472	2096	WINWORD.EXE	34
PID 2096 wrote to memory of 1472	2096	WINWORD.EXE	34
PID 2096 wrote to memory of 1472	2096	WINWORD.EXE	34
PID 2524 wrote to memory of 2964	2524	damianoen587138.exe	35
PID 2524 wrote to memory of 2964	2524	damianoen587138.exe	35
PID 2524 wrote to memory of 2964	2524	damianoen587138.exe	35
PID 2524 wrote to memory of 2964	2524	damianoen587138.exe	35
PID 2524 wrote to memory of 3012	2524	damianoen587138.exe	36
PID 2524 wrote to memory of 3012	2524	damianoen587138.exe	36
PID 2524 wrote to memory of 3012	2524	damianoen587138.exe	36
PID 2524 wrote to memory of 3012	2524	damianoen587138.exe	36
PID 2524 wrote to memory of 3012	2524	damianoen587138.exe	36
PID 2524 wrote to memory of 3012	2524	damianoen587138.exe	36
PID 2524 wrote to memory of 3012	2524	damianoen587138.exe	36
PID 2524 wrote to memory of 3012	2524	damianoen587138.exe	36
PID 2524 wrote to memory of 3012	2524	damianoen587138.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	damianoen587138.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	damianoen587138.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\86c6b589396bd7069c39b4dc6578b1ad.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1472

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Roaming\damianoen587138.exe
  "C:\Users\Admin\AppData\Roaming\damianoen587138.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Roaming\damianoen587138.exe
    "C:\Users\Admin\AppData\Roaming\damianoen587138.exe"
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Users\Admin\AppData\Roaming\damianoen587138.exe
    "C:\Users\Admin\AppData\Roaming\damianoen587138.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
db9c1baab1ee38df6b2640d703b78117

SHA1
da84b8eb80dfc4ac5a0aec4046a92e373f46070c

SHA256
9812a63bc7aaf3022168da0685bd1d8e140983eea65551083836d4e34988f2bf

SHA512
74ac6990c3e3edb39bc896bc5fe1667c7fcc6fb0fd22ff93e9ed1c1296c5a80e37869bcb11d2a5ccccccae448ea333fc7ee354a934e0ba6c9841beeac8659216

Download Submit
C:\Users\Admin\AppData\Roaming\damianoen587138.exe

Filesize
733KB

MD5
81f3216baebcf184942d243662a0cd25

SHA1
60eb433c1a41df7aadd5a49f121bcebf2112d2e9

SHA256
8fd3fe63894b618245c1f7ae22b1c53e7a7fadfc009bac8de2c33b4a53e75a05

SHA512
a4e0c35286930cdbe6cde4bec944cc0c7816e81cec99e2bfb2780e5a2e0ec320fc07139073d7d9b36eeb3567530407cf15203cfb9715470f834d53547c59aab1

Download Submit
C:\Users\Admin\AppData\Roaming\damianoen587138.exe

Filesize
733KB

MD5
81f3216baebcf184942d243662a0cd25

SHA1
60eb433c1a41df7aadd5a49f121bcebf2112d2e9

SHA256
8fd3fe63894b618245c1f7ae22b1c53e7a7fadfc009bac8de2c33b4a53e75a05

SHA512
a4e0c35286930cdbe6cde4bec944cc0c7816e81cec99e2bfb2780e5a2e0ec320fc07139073d7d9b36eeb3567530407cf15203cfb9715470f834d53547c59aab1

Download Submit
C:\Users\Admin\AppData\Roaming\damianoen587138.exe

Filesize
733KB

MD5
81f3216baebcf184942d243662a0cd25

SHA1
60eb433c1a41df7aadd5a49f121bcebf2112d2e9

SHA256
8fd3fe63894b618245c1f7ae22b1c53e7a7fadfc009bac8de2c33b4a53e75a05

SHA512
a4e0c35286930cdbe6cde4bec944cc0c7816e81cec99e2bfb2780e5a2e0ec320fc07139073d7d9b36eeb3567530407cf15203cfb9715470f834d53547c59aab1

Download Submit
C:\Users\Admin\AppData\Roaming\damianoen587138.exe

Filesize
733KB

MD5
81f3216baebcf184942d243662a0cd25

SHA1
60eb433c1a41df7aadd5a49f121bcebf2112d2e9

SHA256
8fd3fe63894b618245c1f7ae22b1c53e7a7fadfc009bac8de2c33b4a53e75a05

SHA512
a4e0c35286930cdbe6cde4bec944cc0c7816e81cec99e2bfb2780e5a2e0ec320fc07139073d7d9b36eeb3567530407cf15203cfb9715470f834d53547c59aab1

Download Submit
C:\Users\Admin\AppData\Roaming\damianoen587138.exe

Filesize
733KB

MD5
81f3216baebcf184942d243662a0cd25

SHA1
60eb433c1a41df7aadd5a49f121bcebf2112d2e9

SHA256
8fd3fe63894b618245c1f7ae22b1c53e7a7fadfc009bac8de2c33b4a53e75a05

SHA512
a4e0c35286930cdbe6cde4bec944cc0c7816e81cec99e2bfb2780e5a2e0ec320fc07139073d7d9b36eeb3567530407cf15203cfb9715470f834d53547c59aab1

Download Submit
\Users\Admin\AppData\Roaming\damianoen587138.exe

Filesize
733KB

MD5
81f3216baebcf184942d243662a0cd25

SHA1
60eb433c1a41df7aadd5a49f121bcebf2112d2e9

SHA256
8fd3fe63894b618245c1f7ae22b1c53e7a7fadfc009bac8de2c33b4a53e75a05

SHA512
a4e0c35286930cdbe6cde4bec944cc0c7816e81cec99e2bfb2780e5a2e0ec320fc07139073d7d9b36eeb3567530407cf15203cfb9715470f834d53547c59aab1

Download Submit
memory/2096-55-0x000000007182D000-0x0000000071838000-memory.dmp

Filesize
44KB

Download
memory/2096-119-0x000000007182D000-0x0000000071838000-memory.dmp

Filesize
44KB

Download
memory/2096-53-0x000000002F820000-0x000000002F97D000-memory.dmp

Filesize
1.4MB

Download
memory/2096-118-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2096-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2096-76-0x000000002F820000-0x000000002F97D000-memory.dmp

Filesize
1.4MB

Download
memory/2096-77-0x000000007182D000-0x0000000071838000-memory.dmp

Filesize
44KB

Download
memory/2524-69-0x000000006B940000-0x000000006C02E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-78-0x000000006B940000-0x000000006C02E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-82-0x00000000053B0000-0x000000000541A000-memory.dmp

Filesize
424KB

Download
memory/2524-79-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/2524-68-0x0000000000FF0000-0x00000000010AE000-memory.dmp

Filesize
760KB

Download
memory/2524-70-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/2524-81-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2524-75-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2524-93-0x000000006B940000-0x000000006C02E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-86-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3012-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3012-88-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-94-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3012-96-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3012-97-0x000000006B940000-0x000000006C02E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-98-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/3012-99-0x000000006B940000-0x000000006C02E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-100-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/3012-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3012-85-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3012-84-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing