agenttesla | ac07988ba9649741c59d16698f8c33295b3ff7943eeccbafe6f988e3e3c10908

Analysis

max time kernel
0s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-12-2023 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

orden de compra.xla.xls
Size

391KB
MD5

060f999d180fb2c37059815ebd76e38e
SHA1

605c01289d5b683a3d5b5eb17ebef72bfc388f91
SHA256

ac07988ba9649741c59d16698f8c33295b3ff7943eeccbafe6f988e3e3c10908
SHA512

a4449aa855a6426106516bf11499902f402ed4589fa7f11e628fec9efbcd6b8a6fcabdfb02d2fe3bf20a41889c734538e77194a011112b4dc06ae94e6b9c066e
SSDEEP

6144:Vn1m9kdbXgb8y3ZetJs0hdMJUXTdU5u/LbquQFBql4yUhNttSMS6EgU0rh:VOesblwtqSdLTdoaNQO6hQX+h

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.siscop.com.co
Port:
21
Username:
[email protected]
Password:
+5s48Ia2&-(t

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Downloads MZ/PE file
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1596 EQNEDT32.EXE

flow	ioc
11	ip-api.com

pid	process
1596	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\orden de compra.xla.xls"
1⤵
- Modifies Internet Explorer settings
PID:1220

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
PID:2292

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1664

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:1596

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{87AAB88C-56AF-47B6-B075-77A26D485B50}.FSD

Filesize
128KB

MD5
74d8625bbf8e1419e9139b7b67da555a

SHA1
e5a354755f0ce842ec90d21f1d91d3d27729427d

SHA256
bb00585d96d183cdc89d1478bff3edd9e1e9976fffa2f3eb086624e7f312bd7c

SHA512
c00451063f236ed08c90c9e7640b61552762b4c283e6acfc18c5002149ff8b731d1b473decb714f3c4adf1ef5ab2c7cffb472c2d2ad4f4c09712d3b16d5f4605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
6378fbe953dc3896bfaf440d4178d04b

SHA1
1e881567147bb32dd0697debed01825d8faa9dfd

SHA256
6344f943a947cc86726e50c83e325a3791616d59e49dbec054a76d1e33d4d2df

SHA512
2504e9e8f17c6124cd075005f38a273239594e840871c21dbd660b937dca9b2fbbd2c7080d434ef12ace6f57761934b82bc6696e9fdcd3f2e2966c512317e895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
70c213303b48371bf0fc242c4288610d

SHA1
64207a00777c26325e1de3f93dda5e90988f77a2

SHA256
81d6880fe493385a5a80e7f5c90d50c48e4e58b7e45b1f1f1a83b18ef5d1a456

SHA512
399ab1a86c667a20e16901e2b8c245ecce9cd3de9ccdfec4443c33a0c9479e4b03d74568cc5307bd2745f51323681bfc030fb4f957e610a4ca28c14611d094cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{2B2B30E7-1D10-466E-BD34-8AFEE2B9DACF}.FSD

Filesize
128KB

MD5
101db6e15b7212f900fab9d98707ac01

SHA1
37886c2cfe9d84d02a4ac482784344a4fa13db17

SHA256
40e1bce8318ec2b20e0e42695e37fde96b9f099b94b01832982c890a58e99f60

SHA512
9fb5b518e49160ef840b905d21547eb9c70253dabd9dfc322a2b23e88f6f4d6fdbe8622dc179415c9253543693a27d23bdc8f9be190ab5c642eea3a4ab1d064c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HZPADLGW\microsoftunderstandwhyneedtodeleteentirehistorycachecookieverything[1].doc

Filesize
59KB

MD5
ed5d8e3f7b96288d349f167b737b0e32

SHA1
d855f8bac1e28f42abe38db048e8839615db1be4

SHA256
f118d7b310e09917603c15c5e6199f0bc04848ff9b3042b04fc8a94720a55d44

SHA512
4b7a378ef8c805342b993129911f020b8a81eaada910329cedab1755177098a46d7c0bdea84451c8fb5801e5a998a8786a0ef57576edca169f55373ff0960037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82B9B5D3.doc

Filesize
59KB

MD5
ed5d8e3f7b96288d349f167b737b0e32

SHA1
d855f8bac1e28f42abe38db048e8839615db1be4

SHA256
f118d7b310e09917603c15c5e6199f0bc04848ff9b3042b04fc8a94720a55d44

SHA512
4b7a378ef8c805342b993129911f020b8a81eaada910329cedab1755177098a46d7c0bdea84451c8fb5801e5a998a8786a0ef57576edca169f55373ff0960037

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BEF1C1C1-F5CC-4962-821C-C12425810329}

Filesize
128KB

MD5
1dd95424f685720280bd503728c52521

SHA1
fabdb6e19e40868fb9981ca7d42e86c0503bd6ee

SHA256
6dffc8714888ab0c69fdeb9d4359a683b17e66bbf775513fa9f64ac234ba50e0

SHA512
dfd85be0dfe07514f12af36b97136d2727229c52d23c2769bcc3ae23dcf9b4ff517f313d32f160b5e7bad3e0092cbf409807139867b1a683d994d253e340db54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
1ea99b26b3ffc464c52043c084aa34e0

SHA1
d18be6b04ceb2dea931a67d5e05da400f7ce1c99

SHA256
90467efe408ee89720b341dddc2f1db4823185ae6468b398a1c30088962e560d

SHA512
777ed60e7b8bc97e849ef7a212dbc80bbdc3fbd867aab68285527ac8ff6ca5cb272711f80b5db36b90f5d31874208b6ccb986cb1257e4c096abb28c788c63502

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
666KB

MD5
e81d3a6286beea59a2fe264b2b4ee156

SHA1
acbff15ea6b56cb04810e826bfb555b5c2b7efae

SHA256
808dc37ef54a4c95bb66f4773d8a84d9b6f548b00bae26ee514996a7f46d2a04

SHA512
5239f0f66a3d2b2855d104ebd2e4f3f30766a7fb04f1fc4c6d93139f43ee3e8befd6fd2043d1bcd5a3860af96f0527fb7e784162fbc32367fcb27da80db27d6b

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
666KB

MD5
e81d3a6286beea59a2fe264b2b4ee156

SHA1
acbff15ea6b56cb04810e826bfb555b5c2b7efae

SHA256
808dc37ef54a4c95bb66f4773d8a84d9b6f548b00bae26ee514996a7f46d2a04

SHA512
5239f0f66a3d2b2855d104ebd2e4f3f30766a7fb04f1fc4c6d93139f43ee3e8befd6fd2043d1bcd5a3860af96f0527fb7e784162fbc32367fcb27da80db27d6b

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
666KB

MD5
e81d3a6286beea59a2fe264b2b4ee156

SHA1
acbff15ea6b56cb04810e826bfb555b5c2b7efae

SHA256
808dc37ef54a4c95bb66f4773d8a84d9b6f548b00bae26ee514996a7f46d2a04

SHA512
5239f0f66a3d2b2855d104ebd2e4f3f30766a7fb04f1fc4c6d93139f43ee3e8befd6fd2043d1bcd5a3860af96f0527fb7e784162fbc32367fcb27da80db27d6b

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
666KB

MD5
e81d3a6286beea59a2fe264b2b4ee156

SHA1
acbff15ea6b56cb04810e826bfb555b5c2b7efae

SHA256
808dc37ef54a4c95bb66f4773d8a84d9b6f548b00bae26ee514996a7f46d2a04

SHA512
5239f0f66a3d2b2855d104ebd2e4f3f30766a7fb04f1fc4c6d93139f43ee3e8befd6fd2043d1bcd5a3860af96f0527fb7e784162fbc32367fcb27da80db27d6b

Download Submit
memory/328-100-0x0000000000460000-0x000000000047A000-memory.dmp

Filesize
104KB

Download
memory/328-102-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/328-96-0x0000000000800000-0x00000000008AC000-memory.dmp

Filesize
688KB

Download
memory/328-97-0x000000006B070000-0x000000006B75E000-memory.dmp

Filesize
6.9MB

Download
memory/328-108-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/328-107-0x000000006B070000-0x000000006B75E000-memory.dmp

Filesize
6.9MB

Download
memory/328-99-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/328-104-0x00000000052E0000-0x000000000535E000-memory.dmp

Filesize
504KB

Download
memory/328-105-0x0000000001E40000-0x0000000001E82000-memory.dmp

Filesize
264KB

Download
memory/328-103-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1220-101-0x0000000072C6D000-0x0000000072C78000-memory.dmp

Filesize
44KB

Download
memory/1220-8-0x0000000002390000-0x0000000002392000-memory.dmp

Filesize
8KB

Download
memory/1220-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1220-1-0x0000000072C6D000-0x0000000072C78000-memory.dmp

Filesize
44KB

Download
memory/1220-135-0x0000000072C6D000-0x0000000072C78000-memory.dmp

Filesize
44KB

Download
memory/2292-5-0x0000000072C6D000-0x0000000072C78000-memory.dmp

Filesize
44KB

Download
memory/2292-7-0x0000000003640000-0x0000000003642000-memory.dmp

Filesize
8KB

Download
memory/2292-106-0x0000000072C6D000-0x0000000072C78000-memory.dmp

Filesize
44KB

Download
memory/2292-3-0x000000002F711000-0x000000002F712000-memory.dmp

Filesize
4KB

Download
memory/2292-132-0x0000000072C6D000-0x0000000072C78000-memory.dmp

Filesize
44KB

Download
memory/2292-130-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download