Overview

overview

10

Static

static

1

New Order doc.rtf

windows7-x64

10

New Order doc.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    138s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2023 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order doc.rtf

  • Size

    77KB

  • MD5

    5f794bed7fe4620ecf5f348acb9c126c

  • SHA1

    ab9d0b014eabdfcb46480882bd0390db14d39565

  • SHA256

    f40634df7d95e40866241f72fc2f1c36cebe90304662b81fa4332b0c19f81f0a

  • SHA512

    4ac0046153db56bb4ef5be26189a097d004ffca0848fd82a03a3d268b8e8ecbb880d62488d0a050f7f88c10b5ea7d01f0fcb8368b9abf35a8927b9755961de97

  • SSDEEP

    768:ZwAbZSibMX9gRWj/C0+vqACfHaJniz/y0etRUF5xcDKhSkDEJKbi/:ZwAlRvZvTnizK0B/TSkgJ3

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#$

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New Order doc.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2652
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Users\Admin\AppData\Roaming\wealthebnf5896.exe
        "C:\Users\Admin\AppData\Roaming\wealthebnf5896.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Users\Admin\AppData\Roaming\wealthebnf5896.exe
          "C:\Users\Admin\AppData\Roaming\wealthebnf5896.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:368

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\CabB492.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarB560.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      bebe46cade2e8ecf40c1434e858e348f

      SHA1

      c82cbfdd5303b072c5fb1d8ae8643b544896c11c

      SHA256

      1a6df7288f9907193a344c72cd8d92f6def6ff45b2de60df69a15fdef3c788f7

      SHA512

      af9364da384b7b4a957ed3e091a10eeb04f95521ce446c11906ad05491d41388cc016ab7068da2160ee626b0bf5caad505338a3317a43b704fdf081e0b64dc40

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wealthebnf5896.exe
      Filesize

      589KB

      MD5

      14f95a9216cfb77e249291e3899f69ae

      SHA1

      9b9dd12cc2ad58c362411b8326c974d0cbce4a66

      SHA256

      ea76d84bffa9794fe86505016d0370dd29db84fbdff79a26bfee30be32a7a0a8

      SHA512

      9b758fbee366247e507588018595fa13ceca1264fa4103002dc555cc8b6fb5dc2fb410e706d25ef0194cdf5176315a2c4b5343d1728a8bcea84710fdbf3ceca4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wealthebnf5896.exe
      Filesize

      589KB

      MD5

      14f95a9216cfb77e249291e3899f69ae

      SHA1

      9b9dd12cc2ad58c362411b8326c974d0cbce4a66

      SHA256

      ea76d84bffa9794fe86505016d0370dd29db84fbdff79a26bfee30be32a7a0a8

      SHA512

      9b758fbee366247e507588018595fa13ceca1264fa4103002dc555cc8b6fb5dc2fb410e706d25ef0194cdf5176315a2c4b5343d1728a8bcea84710fdbf3ceca4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wealthebnf5896.exe
      Filesize

      589KB

      MD5

      14f95a9216cfb77e249291e3899f69ae

      SHA1

      9b9dd12cc2ad58c362411b8326c974d0cbce4a66

      SHA256

      ea76d84bffa9794fe86505016d0370dd29db84fbdff79a26bfee30be32a7a0a8

      SHA512

      9b758fbee366247e507588018595fa13ceca1264fa4103002dc555cc8b6fb5dc2fb410e706d25ef0194cdf5176315a2c4b5343d1728a8bcea84710fdbf3ceca4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wealthebnf5896.exe
      Filesize

      589KB

      MD5

      14f95a9216cfb77e249291e3899f69ae

      SHA1

      9b9dd12cc2ad58c362411b8326c974d0cbce4a66

      SHA256

      ea76d84bffa9794fe86505016d0370dd29db84fbdff79a26bfee30be32a7a0a8

      SHA512

      9b758fbee366247e507588018595fa13ceca1264fa4103002dc555cc8b6fb5dc2fb410e706d25ef0194cdf5176315a2c4b5343d1728a8bcea84710fdbf3ceca4

      Download Submit

    • \Users\Admin\AppData\Roaming\wealthebnf5896.exe
      Filesize

      589KB

      MD5

      14f95a9216cfb77e249291e3899f69ae

      SHA1

      9b9dd12cc2ad58c362411b8326c974d0cbce4a66

      SHA256

      ea76d84bffa9794fe86505016d0370dd29db84fbdff79a26bfee30be32a7a0a8

      SHA512

      9b758fbee366247e507588018595fa13ceca1264fa4103002dc555cc8b6fb5dc2fb410e706d25ef0194cdf5176315a2c4b5343d1728a8bcea84710fdbf3ceca4

      Download Submit

    • memory/368-63-0x0000000001230000-0x0000000001270000-memory.dmp

      Filesize

      256KB

      Download

    • memory/368-61-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/368-99-0x0000000001230000-0x0000000001270000-memory.dmp

      Filesize

      256KB

      Download

    • memory/368-55-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/368-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/368-62-0x0000000074A60000-0x000000007514E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/368-52-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/368-51-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/368-50-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/368-98-0x0000000074A60000-0x000000007514E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/368-49-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/368-58-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2136-0-0x000000002F6B1000-0x000000002F6B2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2136-45-0x000000007184D000-0x0000000071858000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2136-44-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2136-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2136-2-0x000000007184D000-0x0000000071858000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2136-5-0x000000007184D000-0x0000000071858000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2620-47-0x0000000000480000-0x000000000048C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2620-59-0x000000006BA00000-0x000000006C0EE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2620-48-0x00000000050E0000-0x000000000515E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/2620-46-0x0000000000470000-0x0000000000478000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2620-25-0x0000000000260000-0x0000000000272000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2620-24-0x00000000048F0000-0x0000000004930000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2620-23-0x00000000048F0000-0x0000000004930000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2620-18-0x000000006BA00000-0x000000006C0EE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2620-16-0x0000000001310000-0x00000000013AA000-memory.dmp

      Filesize

      616KB

      Download

    • memory/2620-15-0x000000006BA00000-0x000000006C0EE000-memory.dmp

      Filesize

      6.9MB

      Download