agenttesla | 1ee34dc849cd10bab8d08dec7076ab644851c55a1765de44e8187a53c137569b

General

Target

3.rtf
Size

65KB
MD5

a1816ace062bdbcb202e580810d5aceb
SHA1

d58ffa926fe4a58bf7ac76d994f9a576cf62fd1d
SHA256

1ee34dc849cd10bab8d08dec7076ab644851c55a1765de44e8187a53c137569b
SHA512

630f871ce4505f0d881a43ab540a1b92ec9d1be6a47f68c30f6fc110e4dae9d40672d4560c7b10cd8168d923f5292b4d285d99bd7377a57d681cf06ed6331625
SSDEEP

1536:TwAlReA72q/FbwzaXXJY7JrZC2KPJAOQnnYA+1xt7tuTQj0VEba2Uy0wddJaps:TwAln//FbwzaXXJQJrZC2KPjQnn9kxtj

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
server320.web-hosting.com
Port:
587
Username:
[email protected]
Password:
B5TEK}%;g6L7
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2960	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2944	nellytm47568.exe
2132	nellytm47568.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	EQNEDT32.EXE
2960	EQNEDT32.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\RMBJLaF = "C:\\Users\\Admin\\AppData\\Roaming\\RMBJLaF\\RMBJLaF.exe"	nellytm47568.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	api.ipify.org
7	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2944 set thread context of 2132	2944	nellytm47568.exe	35

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2960	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2536	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2132	nellytm47568.exe
2132	nellytm47568.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	nellytm47568.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2536	WINWORD.EXE
2536	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2944	2960	EQNEDT32.EXE	29
PID 2960 wrote to memory of 2944	2960	EQNEDT32.EXE	29
PID 2960 wrote to memory of 2944	2960	EQNEDT32.EXE	29
PID 2960 wrote to memory of 2944	2960	EQNEDT32.EXE	29
PID 2536 wrote to memory of 1644	2536	WINWORD.EXE	34
PID 2536 wrote to memory of 1644	2536	WINWORD.EXE	34
PID 2536 wrote to memory of 1644	2536	WINWORD.EXE	34
PID 2536 wrote to memory of 1644	2536	WINWORD.EXE	34
PID 2944 wrote to memory of 2132	2944	nellytm47568.exe	35
PID 2944 wrote to memory of 2132	2944	nellytm47568.exe	35
PID 2944 wrote to memory of 2132	2944	nellytm47568.exe	35
PID 2944 wrote to memory of 2132	2944	nellytm47568.exe	35
PID 2944 wrote to memory of 2132	2944	nellytm47568.exe	35
PID 2944 wrote to memory of 2132	2944	nellytm47568.exe	35
PID 2944 wrote to memory of 2132	2944	nellytm47568.exe	35
PID 2944 wrote to memory of 2132	2944	nellytm47568.exe	35
PID 2944 wrote to memory of 2132	2944	nellytm47568.exe	35

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1644

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Roaming\nellytm47568.exe
  "C:\Users\Admin\AppData\Roaming\nellytm47568.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Roaming\nellytm47568.exe
    "C:\Users\Admin\AppData\Roaming\nellytm47568.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
c9cbb43099ea4e8ed5272d7b6fb13e45

SHA1
dc80003a0e342dec811f31600b942559f41455be

SHA256
6d6bc23de4bf14e61f35cc066deab9000db3fe4b6f54eb102b6b13eedd4049fd

SHA512
d08a3b230dcfb9ee9db53784c5e582c2631f758871f6f68ebcb894efa859243344d4a5258d70a2ed85d9ab5410d4febe1df152ec67db5496d2b56126798efba3

Download Submit
C:\Users\Admin\AppData\Roaming\nellytm47568.exe

Filesize
790KB

MD5
07926f7473fff4bb9d41b460cb71b550

SHA1
fb0edc87b5b710f76da29bdd5b5ec73285f7c1e8

SHA256
5eafaa5f16cc37fad487678452867359480a85a78a82e7521aae029f426e69f0

SHA512
c8ff2fd52be69960856ec00c252470105c7312648d4edf9fbfe1e9e56f0b2bca4d48435c384e02b0fe7f41394edea55b9ee8e8200f2b031fadef9150f530a4cf

Download Submit
C:\Users\Admin\AppData\Roaming\nellytm47568.exe

Filesize
790KB

MD5
07926f7473fff4bb9d41b460cb71b550

SHA1
fb0edc87b5b710f76da29bdd5b5ec73285f7c1e8

SHA256
5eafaa5f16cc37fad487678452867359480a85a78a82e7521aae029f426e69f0

SHA512
c8ff2fd52be69960856ec00c252470105c7312648d4edf9fbfe1e9e56f0b2bca4d48435c384e02b0fe7f41394edea55b9ee8e8200f2b031fadef9150f530a4cf

Download Submit
C:\Users\Admin\AppData\Roaming\nellytm47568.exe

Filesize
790KB

MD5
07926f7473fff4bb9d41b460cb71b550

SHA1
fb0edc87b5b710f76da29bdd5b5ec73285f7c1e8

SHA256
5eafaa5f16cc37fad487678452867359480a85a78a82e7521aae029f426e69f0

SHA512
c8ff2fd52be69960856ec00c252470105c7312648d4edf9fbfe1e9e56f0b2bca4d48435c384e02b0fe7f41394edea55b9ee8e8200f2b031fadef9150f530a4cf

Download Submit
C:\Users\Admin\AppData\Roaming\nellytm47568.exe

Filesize
790KB

MD5
07926f7473fff4bb9d41b460cb71b550

SHA1
fb0edc87b5b710f76da29bdd5b5ec73285f7c1e8

SHA256
5eafaa5f16cc37fad487678452867359480a85a78a82e7521aae029f426e69f0

SHA512
c8ff2fd52be69960856ec00c252470105c7312648d4edf9fbfe1e9e56f0b2bca4d48435c384e02b0fe7f41394edea55b9ee8e8200f2b031fadef9150f530a4cf

Download Submit
\Users\Admin\AppData\Roaming\nellytm47568.exe

Filesize
790KB

MD5
07926f7473fff4bb9d41b460cb71b550

SHA1
fb0edc87b5b710f76da29bdd5b5ec73285f7c1e8

SHA256
5eafaa5f16cc37fad487678452867359480a85a78a82e7521aae029f426e69f0

SHA512
c8ff2fd52be69960856ec00c252470105c7312648d4edf9fbfe1e9e56f0b2bca4d48435c384e02b0fe7f41394edea55b9ee8e8200f2b031fadef9150f530a4cf

Download Submit
\Users\Admin\AppData\Roaming\nellytm47568.exe

Filesize
790KB

MD5
07926f7473fff4bb9d41b460cb71b550

SHA1
fb0edc87b5b710f76da29bdd5b5ec73285f7c1e8

SHA256
5eafaa5f16cc37fad487678452867359480a85a78a82e7521aae029f426e69f0

SHA512
c8ff2fd52be69960856ec00c252470105c7312648d4edf9fbfe1e9e56f0b2bca4d48435c384e02b0fe7f41394edea55b9ee8e8200f2b031fadef9150f530a4cf

Download Submit
memory/2132-53-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/2132-38-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2132-52-0x000000006B520000-0x000000006BC0E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-50-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/2132-49-0x000000006B520000-0x000000006BC0E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-26-0x000000002FEF0000-0x000000003004D000-memory.dmp

Filesize
1.4MB

Download
memory/2536-0-0x000000002FEF0000-0x000000003004D000-memory.dmp

Filesize
1.4MB

Download
memory/2536-27-0x000000007137D000-0x0000000071388000-memory.dmp

Filesize
44KB

Download
memory/2536-71-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2536-72-0x000000007137D000-0x0000000071388000-memory.dmp

Filesize
44KB

Download
memory/2536-2-0x000000007137D000-0x0000000071388000-memory.dmp

Filesize
44KB

Download
memory/2536-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2944-33-0x00000000057D0000-0x000000000584C000-memory.dmp

Filesize
496KB

Download
memory/2944-47-0x000000006B520000-0x000000006BC0E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-32-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/2944-31-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2944-29-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2944-28-0x000000006B520000-0x000000006BC0E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-25-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/2944-20-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2944-19-0x000000006B520000-0x000000006BC0E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-18-0x00000000009F0000-0x0000000000ABA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads