agenttesla | 3936c2bfa7b6ad5e67b8abd8228c633f77302f5f6883162ac8a0f5ae72a24702

Analysis

max time kernel
1s
max time network
122s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
07-12-2023 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nueva Orden.xls
Size

391KB
MD5

20d7b7e70ea53065f8f5cbf5f2abde62
SHA1

1574428c29f993ba3efa4dca4d7e493cd15bf605
SHA256

3936c2bfa7b6ad5e67b8abd8228c633f77302f5f6883162ac8a0f5ae72a24702
SHA512

021e165fbb621b8da8d3d2a2b9dea95910c37803dd865f0cb600a837fa1400249d393f7cf1fb2e97872e1eb1c54e157138206ce07c340c9dd375767da55bf41e
SSDEEP

12288:UOergqKjij4a3DjM1+UT3A/6IGsIHOgEnVu:UOeDEezjs+UUSnHwn

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
kFxADjwNBm$_

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Downloads MZ/PE file
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1764 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1764	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2940 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

2940 EXCEL.EXE
2940 EXCEL.EXE
2940 EXCEL.EXE

pid	process
2940	EXCEL.EXE

pid	process
2940	EXCEL.EXE
2940	EXCEL.EXE
2940	EXCEL.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Nueva Orden.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2940

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
PID:2100

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1256

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:1764

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{221A14A5-F401-41D7-98E3-267F83DFDBBB}.FSD

Filesize
128KB

MD5
b080b18e211ebbc1b2900f5de3c4ef86

SHA1
6c35afbb53c042a2b478712e0eb0364592e1c272

SHA256
2434c1b4cf7953626c04d9064cc6dddf82fb1f54203b22047deb0575698384db

SHA512
6795b96eb4da77df6fae86a51e2e4c893bc3f2bbfb59c7aa5ffda96e5304bbdb5f4a9fdbd3fcda47d589d0b649beb1463282ab8d05dee6182bdad0db04fec508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
159d5f82a21e872ac2c27a367fd0e019

SHA1
ac14df46b5948522a4322e13c266d813409af7fe

SHA256
173d69c4d4bc9bec361dd51bc6ff4068cb7d0d75ca769b9b4c2c482a3f6a200d

SHA512
92e6394e077f32815d8813d86de11941df5424f2a27074f86faa524e9ecce6753e00b9f938309dc49e125ebb341085a54ef46139c285685caffbb24ebc49d9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
5b3823820564ab618b485a7e37453b2e

SHA1
d8901820a23e73ca415faf22b268e93680daff55

SHA256
9350629712258da90d48279b183063e974a604b72ee902d548c2597411a464ff

SHA512
fa13c3c1e619726e640ef4e2bae1efb31eb9375a37db21e5716059933165ebe87a7dc26f877700d1ad31ddaaa273795e1d35c2d9bba5195590ad1760ab4ea243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{60513F00-EFCA-4717-88C6-0051C2D65C9C}.FSD

Filesize
128KB

MD5
0d471e21a9100c1f5f3948b21fbfb65f

SHA1
b2e03fcc1e0f85809a3e3b76359c4f50cb81003a

SHA256
e74788c3c59310951ab819b5da7fd073b36fc869f9c16919ce2cd1e681b0e386

SHA512
acff277d20db12adc335c7e9524c1477e0d84cae88714c4e3b9aa62115321c4fe19a4a5956bea263e1ef66d8d8e71aff6fff15b282260ffacce9d8a1c1c8b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MZR5AQIV\newmicrosoftunderstandhowimportanttodeletehistorycookiecacheeverythingfromthepc[1].doc

Filesize
53KB

MD5
460857b142873aecf2a7fb03c03ad16c

SHA1
7dea4f943df7b874475531318592f3a7cee39119

SHA256
ec4035e087e6bfb7e4ed8de073512ff89c251a322b228ccf60dd96ff43c7f63a

SHA512
a4b4df83a88c7af7e25f5d94efb24c077112659fb91bd9eb53994eb55f506871d33c4efefc62b39b2abab42fd8074c30196d9761de028e968f5b8d992f235889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E7DB7ED.doc

Filesize
53KB

MD5
460857b142873aecf2a7fb03c03ad16c

SHA1
7dea4f943df7b874475531318592f3a7cee39119

SHA256
ec4035e087e6bfb7e4ed8de073512ff89c251a322b228ccf60dd96ff43c7f63a

SHA512
a4b4df83a88c7af7e25f5d94efb24c077112659fb91bd9eb53994eb55f506871d33c4efefc62b39b2abab42fd8074c30196d9761de028e968f5b8d992f235889

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E5B02F29-366A-44E9-AD16-609A207561E6}

Filesize
128KB

MD5
c3c55d2ed201fe337720db1c0dffc592

SHA1
a1d61c84e44545ea6586d99902f294228d7655bc

SHA256
0a3ee8387831ffe1b73b6ab2407a293b9d8b587acc66358feaad13ff2b04c84f

SHA512
3f0e2cb8e6d8ee2b20935529bd1416db08964dd9c3c1bd22b222d9ef97f5c268e4e10f5d59578498890f8c4bd57d11bb09b64c7f8042fdb50091094b625f7fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
4e4909411c207247e8f599daecfa2ded

SHA1
95c78dc69383947e2595d7eedbbee2a6376812e5

SHA256
09f3c8e967e02c11f28406cfc8e8f2cd92a64f9da7cba5d1e12c9f975c710dd4

SHA512
d1a8f8ed5d6e309d51a432dab801d9c0ca7d066a1d84eadf921c574b49033abd603b9d0bc21f9ada50eb8b5820271599eeaa12502e34caf0bcc50d63219ae4a2

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
661KB

MD5
a6f825c7bd99b1e08271022933e4c0e4

SHA1
6e9e3bef43c86e0a561f84b41f5d90cd38108c6f

SHA256
547d7284d2ab147e1ca48bc9d11a784edc0fa3e26f397afc1e0642bae869ca01

SHA512
1dd921e7bcc35ffca012b6f8771d620ed8f91f15b32ea529a0dcb37b29b88b0e545dca4bdc61e385c25d6298af6a253ea9bb6c6f084545d7558b82eee0a957a4

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
661KB

MD5
a6f825c7bd99b1e08271022933e4c0e4

SHA1
6e9e3bef43c86e0a561f84b41f5d90cd38108c6f

SHA256
547d7284d2ab147e1ca48bc9d11a784edc0fa3e26f397afc1e0642bae869ca01

SHA512
1dd921e7bcc35ffca012b6f8771d620ed8f91f15b32ea529a0dcb37b29b88b0e545dca4bdc61e385c25d6298af6a253ea9bb6c6f084545d7558b82eee0a957a4

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
661KB

MD5
a6f825c7bd99b1e08271022933e4c0e4

SHA1
6e9e3bef43c86e0a561f84b41f5d90cd38108c6f

SHA256
547d7284d2ab147e1ca48bc9d11a784edc0fa3e26f397afc1e0642bae869ca01

SHA512
1dd921e7bcc35ffca012b6f8771d620ed8f91f15b32ea529a0dcb37b29b88b0e545dca4bdc61e385c25d6298af6a253ea9bb6c6f084545d7558b82eee0a957a4

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
661KB

MD5
a6f825c7bd99b1e08271022933e4c0e4

SHA1
6e9e3bef43c86e0a561f84b41f5d90cd38108c6f

SHA256
547d7284d2ab147e1ca48bc9d11a784edc0fa3e26f397afc1e0642bae869ca01

SHA512
1dd921e7bcc35ffca012b6f8771d620ed8f91f15b32ea529a0dcb37b29b88b0e545dca4bdc61e385c25d6298af6a253ea9bb6c6f084545d7558b82eee0a957a4

Download Submit
memory/2100-106-0x0000000071F0D000-0x0000000071F18000-memory.dmp

Filesize
44KB

Download
memory/2100-7-0x0000000002E10000-0x0000000002E12000-memory.dmp

Filesize
8KB

Download
memory/2100-130-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2100-132-0x0000000071F0D000-0x0000000071F18000-memory.dmp

Filesize
44KB

Download
memory/2100-5-0x0000000071F0D000-0x0000000071F18000-memory.dmp

Filesize
44KB

Download
memory/2100-3-0x000000002F731000-0x000000002F732000-memory.dmp

Filesize
4KB

Download
memory/2744-102-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2744-108-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2744-99-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2744-96-0x0000000000B80000-0x0000000000C2C000-memory.dmp

Filesize
688KB

Download
memory/2744-103-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/2744-97-0x000000006A310000-0x000000006A9FE000-memory.dmp

Filesize
6.9MB

Download
memory/2744-104-0x00000000053A0000-0x000000000541E000-memory.dmp

Filesize
504KB

Download
memory/2744-100-0x0000000000380000-0x000000000039A000-memory.dmp

Filesize
104KB

Download
memory/2744-105-0x0000000000700000-0x0000000000742000-memory.dmp

Filesize
264KB

Download
memory/2744-107-0x000000006A310000-0x000000006A9FE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-8-0x0000000002480000-0x0000000002482000-memory.dmp

Filesize
8KB

Download
memory/2940-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2940-138-0x0000000071F0D000-0x0000000071F18000-memory.dmp

Filesize
44KB

Download
memory/2940-1-0x0000000071F0D000-0x0000000071F18000-memory.dmp

Filesize
44KB

Download
memory/2940-101-0x0000000071F0D000-0x0000000071F18000-memory.dmp

Filesize
44KB

Download