agenttesla | 1646017b8052c3ea33881beeb6c7e7755567eaa49c4eb2df8e7d89496af01f7d

General

Target

KSY Product Catalog.rtf
Size

39KB
MD5

cc47323a812b42250d34573c4b9f12e0
SHA1

2af65a3a53f0a39fe33c17aa43698c2d1a0bee61
SHA256

1646017b8052c3ea33881beeb6c7e7755567eaa49c4eb2df8e7d89496af01f7d
SHA512

ddb75c8b423ea343d6694ccee5e517a9936f3a93cff3c504e482f376c5925b1af1994d43feeb65bbfab7c78a2e9420c8f2d301fd6f2fe777a14f65b49a5ae4e4
SSDEEP

768:oFx0XaIsnPRIa4fwJMrhv97Lxub+x034EWa+fBV8kH:of0Xvx3EM19HxubBfWRBykH

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
cp5ua.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp5ua.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2340	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2388	yugokanf696178.exe
1100	yugokanf696178.exe

Loads dropped DLL 1 IoCs

pid	Process
2340	EQNEDT32.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	yugokanf696178.exe
Key opened	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	yugokanf696178.exe
Key opened	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	yugokanf696178.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 1100	2388	yugokanf696178.exe	35

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2340	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2556	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1100	yugokanf696178.exe
1100	yugokanf696178.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	yugokanf696178.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2556	WINWORD.EXE
2556	WINWORD.EXE
1100	yugokanf696178.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2388	2340	EQNEDT32.EXE	29
PID 2340 wrote to memory of 2388	2340	EQNEDT32.EXE	29
PID 2340 wrote to memory of 2388	2340	EQNEDT32.EXE	29
PID 2340 wrote to memory of 2388	2340	EQNEDT32.EXE	29
PID 2556 wrote to memory of 2728	2556	WINWORD.EXE	34
PID 2556 wrote to memory of 2728	2556	WINWORD.EXE	34
PID 2556 wrote to memory of 2728	2556	WINWORD.EXE	34
PID 2556 wrote to memory of 2728	2556	WINWORD.EXE	34
PID 2388 wrote to memory of 1100	2388	yugokanf696178.exe	35
PID 2388 wrote to memory of 1100	2388	yugokanf696178.exe	35
PID 2388 wrote to memory of 1100	2388	yugokanf696178.exe	35
PID 2388 wrote to memory of 1100	2388	yugokanf696178.exe	35
PID 2388 wrote to memory of 1100	2388	yugokanf696178.exe	35
PID 2388 wrote to memory of 1100	2388	yugokanf696178.exe	35
PID 2388 wrote to memory of 1100	2388	yugokanf696178.exe	35
PID 2388 wrote to memory of 1100	2388	yugokanf696178.exe	35
PID 2388 wrote to memory of 1100	2388	yugokanf696178.exe	35

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	yugokanf696178.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	yugokanf696178.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\KSY Product Catalog.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2728

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Roaming\yugokanf696178.exe
  "C:\Users\Admin\AppData\Roaming\yugokanf696178.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Roaming\yugokanf696178.exe
    "C:\Users\Admin\AppData\Roaming\yugokanf696178.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab25DA.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2679.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
26a2c690afb1713284cde5efb7981b0b

SHA1
35d173b008f9029b7c416a7cc607381067c3589f

SHA256
7536a178157f38becc7c8703eade129da1b9dd6d02c6bd47408403686d0503ca

SHA512
20fa70502114635a8b5228a6936bb66584bf56be316acaf57ee7669756a579ba56a227d3014cb1f52425de6d97d3f79e726060f65ee9f8d04009c41dbd6d035a

Download Submit
C:\Users\Admin\AppData\Roaming\yugokanf696178.exe

Filesize
633KB

MD5
764cb439deb85a06073c46f475956fc4

SHA1
cfd265f85f54b84b0ce27d9d3a68fef3d6974b49

SHA256
9db20870570e93875292e6a6a5f7683982cbe675135032c7dafc2b9704f3cb06

SHA512
109976d83b59dbf1045cf6ce0d4c813424e97318b66a56495858f2814d1f61a18cce4a996fae0d7b2f49af6b6e9e0dc12b139724dbaad07ac9904b6d4910cf02

Download Submit
C:\Users\Admin\AppData\Roaming\yugokanf696178.exe

Filesize
633KB

MD5
764cb439deb85a06073c46f475956fc4

SHA1
cfd265f85f54b84b0ce27d9d3a68fef3d6974b49

SHA256
9db20870570e93875292e6a6a5f7683982cbe675135032c7dafc2b9704f3cb06

SHA512
109976d83b59dbf1045cf6ce0d4c813424e97318b66a56495858f2814d1f61a18cce4a996fae0d7b2f49af6b6e9e0dc12b139724dbaad07ac9904b6d4910cf02

Download Submit
C:\Users\Admin\AppData\Roaming\yugokanf696178.exe

Filesize
633KB

MD5
764cb439deb85a06073c46f475956fc4

SHA1
cfd265f85f54b84b0ce27d9d3a68fef3d6974b49

SHA256
9db20870570e93875292e6a6a5f7683982cbe675135032c7dafc2b9704f3cb06

SHA512
109976d83b59dbf1045cf6ce0d4c813424e97318b66a56495858f2814d1f61a18cce4a996fae0d7b2f49af6b6e9e0dc12b139724dbaad07ac9904b6d4910cf02

Download Submit
C:\Users\Admin\AppData\Roaming\yugokanf696178.exe

Filesize
633KB

MD5
764cb439deb85a06073c46f475956fc4

SHA1
cfd265f85f54b84b0ce27d9d3a68fef3d6974b49

SHA256
9db20870570e93875292e6a6a5f7683982cbe675135032c7dafc2b9704f3cb06

SHA512
109976d83b59dbf1045cf6ce0d4c813424e97318b66a56495858f2814d1f61a18cce4a996fae0d7b2f49af6b6e9e0dc12b139724dbaad07ac9904b6d4910cf02

Download Submit
\Users\Admin\AppData\Roaming\yugokanf696178.exe

Filesize
633KB

MD5
764cb439deb85a06073c46f475956fc4

SHA1
cfd265f85f54b84b0ce27d9d3a68fef3d6974b49

SHA256
9db20870570e93875292e6a6a5f7683982cbe675135032c7dafc2b9704f3cb06

SHA512
109976d83b59dbf1045cf6ce0d4c813424e97318b66a56495858f2814d1f61a18cce4a996fae0d7b2f49af6b6e9e0dc12b139724dbaad07ac9904b6d4910cf02

Download Submit
memory/1100-98-0x0000000000620000-0x0000000000660000-memory.dmp

Filesize
256KB

Download
memory/1100-139-0x000000006AAD0000-0x000000006B1BE000-memory.dmp

Filesize
6.9MB

Download
memory/1100-86-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1100-97-0x000000006AAD0000-0x000000006B1BE000-memory.dmp

Filesize
6.9MB

Download
memory/1100-95-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1100-93-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1100-140-0x0000000000620000-0x0000000000660000-memory.dmp

Filesize
256KB

Download
memory/1100-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1100-88-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1100-84-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1100-85-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1100-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2388-71-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2388-96-0x000000006AAD0000-0x000000006B1BE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-82-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/2388-80-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2388-79-0x000000006AAD0000-0x000000006B1BE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-69-0x0000000001270000-0x0000000001314000-memory.dmp

Filesize
656KB

Download
memory/2388-70-0x000000006AAD0000-0x000000006B1BE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-83-0x0000000005730000-0x000000000579A000-memory.dmp

Filesize
424KB

Download
memory/2388-76-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2556-54-0x000000002F330000-0x000000002F48D000-memory.dmp

Filesize
1.4MB

Download
memory/2556-77-0x000000002F330000-0x000000002F48D000-memory.dmp

Filesize
1.4MB

Download
memory/2556-78-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/2556-56-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/2556-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2556-158-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2556-159-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads