Overview

overview

10

Static

static

1

dd94c4c0dd...9c.xls

windows7-x64

10

dd94c4c0dd...9c.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    144s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c.xls

  • Size

    391KB

  • MD5

    2d6edf232ef2f4e9ac72de52b4b4efa5

  • SHA1

    2bbfb909e4e3bb1a1518e973afec5b587b59e426

  • SHA256

    dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c

  • SHA512

    90cbe6288b682f688accd8a7493202d26f8a8614bc5a5bdc19743a4b8570bf7dfc47a1496f6fea759ba2319f2744e8bf17cdd6d859723cfee7ae3a4a2488c32e

  • SSDEEP

    6144:/n1m9kdbQS6vsB3qfLWnNnBkbE9UX3rhnpC3quvmb6SrnV3LYpMMAI:/OeuvsB351Bkr3rh9b9hr

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.experthvac.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    -8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\dd94c4c0dd46a40cb71f1b59b079577c8a4f6e4a1df88533d7edfea19099729c.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1128
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1392
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Roaming\wlanext.exe
        "C:\Users\Admin\AppData\Roaming\wlanext.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
            PID:2996
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
            • Accesses Microsoft Outlook profiles
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:1924

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{044DBC2B-A115-4C7E-83D2-8984DE8C8424}.FSD
        Filesize

        128KB

        MD5

        26fc84c1ccd5367efc24d8fe6db1de7d

        SHA1

        a1b30e1484417f4243893d84fc3f5d7cee4f8067

        SHA256

        91cc185620d80b5756f20277d5fc11ab2163a2edc9fc139bd8bb94802f88514b

        SHA512

        4fb978e7dd4fd5443b4ff3038b5eef1e0b725cbcf1ee3be8b567b9bde43f8920882a69de56cd6d97ebedec498f7d2d9bd7bcc8584e06c116a8399302265a2baf

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
        Filesize

        128KB

        MD5

        840ecea7bf8028b4f535bec7c5a90f13

        SHA1

        a2c001dca69ad485429cb56bb940340d7ec088e9

        SHA256

        ac55e47f2810eb4f102dd9d6f87e9b1d8d3250bd5a57f693d0cdf24de3151c04

        SHA512

        cbe66f172fca436351a7f3c02ba15ff79c8fd003eefdb8140016a29e6fd47f3de6c2da90837656ae521603281df3928bc59f5880a3aad2de1023aacac1c5e0b5

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{51072660-B35E-449D-AE43-A974DCC683C2}.FSD
        Filesize

        128KB

        MD5

        0f4231385da704e130d0920eee61bd60

        SHA1

        9d2a2ad5c956d67fa08fc92eb19462821bfa357c

        SHA256

        7f40c0f0efca6b4aac310917afc17bea56e96e849bd7edfb3b6f91522617d4fa

        SHA512

        e82165bbd47ed7b8f43ca7cbe298d9c6b510ee878fab629cc9800f78a7fa4df0cf861ea33b1692762b810147b7f55163e80a448682a5218678166b4463dfd894

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\microsofttoldemetheywanttodeletehistorycatchcookiefrommypc[1].doc
        Filesize

        48KB

        MD5

        08568b90661f80313579e0c16c2737f0

        SHA1

        859aa8a945a3585bf777ef29bbfeaeba8bc22526

        SHA256

        0bad6a3f47fd9b9063f5c71609e68bd2de6f9d6e4cf1a183351ee8f2f7ebf32b

        SHA512

        f46cf40ef8199cfe58ebd0bc63a09aa70c4c6d6bda1a55bd0d3ef63e26ea3580c63d963d8d4c9af28981ce369edd62a88779dad1bd0f4192115e6f534cb625d8

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\64BEB20F.doc
        Filesize

        48KB

        MD5

        08568b90661f80313579e0c16c2737f0

        SHA1

        859aa8a945a3585bf777ef29bbfeaeba8bc22526

        SHA256

        0bad6a3f47fd9b9063f5c71609e68bd2de6f9d6e4cf1a183351ee8f2f7ebf32b

        SHA512

        f46cf40ef8199cfe58ebd0bc63a09aa70c4c6d6bda1a55bd0d3ef63e26ea3580c63d963d8d4c9af28981ce369edd62a88779dad1bd0f4192115e6f534cb625d8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{574B35C6-2719-43B7-9285-02D76E58DF52}
        Filesize

        128KB

        MD5

        c96214712a07c7507362359754e96c05

        SHA1

        d9c0745af3329a911a2855f544f6923ac9c9ed62

        SHA256

        6712c4adf0b8dc81974410045460d0ef1ad2442ca396b13190271f2b0780df4f

        SHA512

        86a4fbe5081e9c978b152e1d775670fb6f4b8833158e35f685b00528d6abe1c38a7129afc7ca3c6b784a16af32489ff37314ca4796d7a485bf0762b25206e2ea

        Download Submit

      • C:\Users\Admin\AppData\Roaming\wlanext.exe
        Filesize

        823KB

        MD5

        3713c253ab56bf85aaa806fc41cc6905

        SHA1

        cf59aac87590bb5f3bba092f20455b097a1ffab5

        SHA256

        ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

        SHA512

        ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

        Download Submit

      • C:\Users\Admin\AppData\Roaming\wlanext.exe
        Filesize

        823KB

        MD5

        3713c253ab56bf85aaa806fc41cc6905

        SHA1

        cf59aac87590bb5f3bba092f20455b097a1ffab5

        SHA256

        ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

        SHA512

        ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

        Download Submit

      • C:\Users\Admin\AppData\Roaming\wlanext.exe
        Filesize

        823KB

        MD5

        3713c253ab56bf85aaa806fc41cc6905

        SHA1

        cf59aac87590bb5f3bba092f20455b097a1ffab5

        SHA256

        ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

        SHA512

        ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

        Download Submit

      • \Users\Admin\AppData\Roaming\wlanext.exe
        Filesize

        823KB

        MD5

        3713c253ab56bf85aaa806fc41cc6905

        SHA1

        cf59aac87590bb5f3bba092f20455b097a1ffab5

        SHA256

        ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

        SHA512

        ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

        Download Submit

      • \Users\Admin\AppData\Roaming\wlanext.exe
        Filesize

        823KB

        MD5

        3713c253ab56bf85aaa806fc41cc6905

        SHA1

        cf59aac87590bb5f3bba092f20455b097a1ffab5

        SHA256

        ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

        SHA512

        ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

        Download Submit

      • memory/1128-104-0x00000000724DD000-0x00000000724E8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1128-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1128-8-0x0000000001F00000-0x0000000001F02000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1128-1-0x00000000724DD000-0x00000000724E8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1924-130-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/1924-128-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/1924-127-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2652-105-0x00000000724DD000-0x00000000724E8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2652-3-0x000000002F811000-0x000000002F812000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2652-5-0x00000000724DD000-0x00000000724E8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2652-7-0x0000000003EB0000-0x0000000003EB2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2812-100-0x000000006A8A0000-0x000000006AF8E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2812-102-0x0000000000960000-0x00000000009A4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/2812-107-0x0000000004D40000-0x0000000004D80000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2812-108-0x0000000004D40000-0x0000000004D80000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2812-109-0x00000000004A0000-0x00000000004BA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2812-110-0x00000000004C0000-0x00000000004C6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2812-99-0x0000000000150000-0x0000000000224000-memory.dmp

        Filesize

        848KB

        Download

      • memory/2812-106-0x000000006A8A0000-0x000000006AF8E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2812-101-0x0000000004D40000-0x0000000004D80000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2812-129-0x000000006A8A0000-0x000000006AF8E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2996-113-0x00000000000B0000-0x00000000000E0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2996-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2996-116-0x00000000000B0000-0x00000000000E0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2996-115-0x00000000000B0000-0x00000000000E0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2996-111-0x00000000000B0000-0x00000000000E0000-memory.dmp

        Filesize

        192KB

        Download