Overview

overview

10

Static

static

1

list items.rtf

windows7-x64

10

list items.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2023, 13:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    list items.rtf

  • Size

    70KB

  • MD5

    47134ca4d7a6fc6a015113fc7db53b05

  • SHA1

    10eac55afddc0120ff49d4cb9239f2d9110eaac8

  • SHA256

    29f40b440f9ba83b9840828e3fadbcf22697008bb52befef98c834008da6616c

  • SHA512

    bc7a0ff39cd46efbf55a17b112658038830c3b548933acb52eef4bab55b6684f7b32a45bca2568762f03abaf7df76099f88039d9ac8d05c39d16f31059ba8ffb

  • SSDEEP

    768:NwAbZSibMX9gRWjc1n5RYddbxHRcgYxESDSVu+N6MoUe47:NwAlRP5R6bxxcN2Vu+2Rs

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#$

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\list items.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3024
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Users\Admin\AppData\Roaming\arinzeebnf5896.exe
        "C:\Users\Admin\AppData\Roaming\arinzeebnf5896.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Users\Admin\AppData\Roaming\arinzeebnf5896.exe
          "C:\Users\Admin\AppData\Roaming\arinzeebnf5896.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:3036

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\CabF9FA.tmp
            Filesize

            61KB

            MD5

            f3441b8572aae8801c04f3060b550443

            SHA1

            4ef0a35436125d6821831ef36c28ffaf196cda15

            SHA256

            6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

            SHA512

            5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\TarFA2C.tmp
            Filesize

            163KB

            MD5

            9441737383d21192400eca82fda910ec

            SHA1

            725e0d606a4fc9ba44aa8ffde65bed15e65367e4

            SHA256

            bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

            SHA512

            7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize

            20KB

            MD5

            4710c3304ec60e73c2600a3facc315c8

            SHA1

            29d1e2cf4d700eb8160681bf2d0fc4b1d256a361

            SHA256

            8714a94cc707e0369191db4652d6aee0ffe630914f6ec9bddb836daf5de782a3

            SHA512

            3d0b8b44e17e1a2e2a48c1ea7259c802d98380bdb5636cdeddeff5245fdcb878f440bf1df04b05b32a1d54496e88fd09a051129e67738c1246d5512daa7c59ac

            Download Submit

          • C:\Users\Admin\AppData\Roaming\arinzeebnf5896.exe
            Filesize

            753KB

            MD5

            c50a1f24e712ad6da1652271fcee3224

            SHA1

            be420eca7a0a8a09574e276a6d48c834847e62e2

            SHA256

            9f1328fa230383c7e126d5e7b20896476d36a4dd0ba7c2e8cb5c2474b8bb0141

            SHA512

            74cbac99b1609b8d86a9e0031800ef4b616576bc6a53948db2b7e2bf546a8662df7340c54a2a11b714520dbc06ce5fc2f6dd5a472280a397d26783aaa7ebc333

            Download Submit

          • C:\Users\Admin\AppData\Roaming\arinzeebnf5896.exe
            Filesize

            753KB

            MD5

            c50a1f24e712ad6da1652271fcee3224

            SHA1

            be420eca7a0a8a09574e276a6d48c834847e62e2

            SHA256

            9f1328fa230383c7e126d5e7b20896476d36a4dd0ba7c2e8cb5c2474b8bb0141

            SHA512

            74cbac99b1609b8d86a9e0031800ef4b616576bc6a53948db2b7e2bf546a8662df7340c54a2a11b714520dbc06ce5fc2f6dd5a472280a397d26783aaa7ebc333

            Download Submit

          • C:\Users\Admin\AppData\Roaming\arinzeebnf5896.exe
            Filesize

            753KB

            MD5

            c50a1f24e712ad6da1652271fcee3224

            SHA1

            be420eca7a0a8a09574e276a6d48c834847e62e2

            SHA256

            9f1328fa230383c7e126d5e7b20896476d36a4dd0ba7c2e8cb5c2474b8bb0141

            SHA512

            74cbac99b1609b8d86a9e0031800ef4b616576bc6a53948db2b7e2bf546a8662df7340c54a2a11b714520dbc06ce5fc2f6dd5a472280a397d26783aaa7ebc333

            Download Submit

          • C:\Users\Admin\AppData\Roaming\arinzeebnf5896.exe
            Filesize

            753KB

            MD5

            c50a1f24e712ad6da1652271fcee3224

            SHA1

            be420eca7a0a8a09574e276a6d48c834847e62e2

            SHA256

            9f1328fa230383c7e126d5e7b20896476d36a4dd0ba7c2e8cb5c2474b8bb0141

            SHA512

            74cbac99b1609b8d86a9e0031800ef4b616576bc6a53948db2b7e2bf546a8662df7340c54a2a11b714520dbc06ce5fc2f6dd5a472280a397d26783aaa7ebc333

            Download Submit

          • \Users\Admin\AppData\Roaming\arinzeebnf5896.exe
            Filesize

            753KB

            MD5

            c50a1f24e712ad6da1652271fcee3224

            SHA1

            be420eca7a0a8a09574e276a6d48c834847e62e2

            SHA256

            9f1328fa230383c7e126d5e7b20896476d36a4dd0ba7c2e8cb5c2474b8bb0141

            SHA512

            74cbac99b1609b8d86a9e0031800ef4b616576bc6a53948db2b7e2bf546a8662df7340c54a2a11b714520dbc06ce5fc2f6dd5a472280a397d26783aaa7ebc333

            Download Submit

          • memory/2056-0-0x000000002F7D1000-0x000000002F7D2000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2056-2-0x0000000070CDD000-0x0000000070CE8000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2056-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2056-23-0x0000000070CDD000-0x0000000070CE8000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2056-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2056-98-0x0000000070CDD000-0x0000000070CE8000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2748-22-0x00000000008D0000-0x00000000008E8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2748-28-0x0000000005BB0000-0x0000000005C2E000-memory.dmp

            Filesize

            504KB

            Download

          • memory/2748-27-0x00000000008A0000-0x00000000008AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2748-25-0x0000000004C30000-0x0000000004C70000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2748-24-0x000000006A760000-0x000000006AE4E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2748-42-0x000000006A760000-0x000000006AE4E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2748-17-0x0000000004C30000-0x0000000004C70000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2748-16-0x000000006A760000-0x000000006AE4E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2748-15-0x00000000011D0000-0x0000000001292000-memory.dmp

            Filesize

            776KB

            Download

          • memory/3036-29-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download

          • memory/3036-38-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download

          • memory/3036-41-0x000000006A760000-0x000000006AE4E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3036-40-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download

          • memory/3036-43-0x0000000004C80000-0x0000000004CC0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/3036-35-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download

          • memory/3036-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3036-78-0x000000006A760000-0x000000006AE4E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3036-79-0x0000000004C80000-0x0000000004CC0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/3036-32-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download

          • memory/3036-31-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download

          • memory/3036-30-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download