agenttesla | 3936c2bfa7b6ad5e67b8abd8228c633f77302f5f6883162ac8a0f5ae72a24702

Analysis

max time kernel
0s
max time network
123s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
07-12-2023 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nueva Orden.xla.xls
Size

391KB
MD5

20d7b7e70ea53065f8f5cbf5f2abde62
SHA1

1574428c29f993ba3efa4dca4d7e493cd15bf605
SHA256

3936c2bfa7b6ad5e67b8abd8228c633f77302f5f6883162ac8a0f5ae72a24702
SHA512

021e165fbb621b8da8d3d2a2b9dea95910c37803dd865f0cb600a837fa1400249d393f7cf1fb2e97872e1eb1c54e157138206ce07c340c9dd375767da55bf41e
SSDEEP

12288:UOergqKjij4a3DjM1+UT3A/6IGsIHOgEnVu:UOeDEezjs+UUSnHwn

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
kFxADjwNBm$_

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Downloads MZ/PE file
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2844 EQNEDT32.EXE

pid	process
2844	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Nueva Orden.xla.xls"
1⤵
- Modifies Internet Explorer settings
PID:1728

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
PID:2724

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1740

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:2844

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
bd2f5a764991c9eee464a415f3ae4d0f

SHA1
288b443f4a0a6dcf98950903bf7b8c6c0b853a90

SHA256
2135960ac5b792e49fa0ca41799e0c25a505d373cc6ea3abe82fe7b87f394efd

SHA512
a3482e5b6fdaec0518a9ad9eb695938436b84e5d69c7b83da90193517549244e89a40d5d3ecf836a885b059c575d10450cef083c5d99522405ea79b353fda559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
c8898bd0ca2d18ddcc43508f8473bba2

SHA1
b75f6786eafd792dd0278e81131afa522460002e

SHA256
66b77c00f22267f9016301c647fa80125257dd19fdda145487fc03c65755c423

SHA512
0eac1b2a7a202e9869aec3e79d86b91aa93adb801c00bc173697bcbe7757bf5edb08a006ed287d7859de3fd93e048d1fc11e30636e3939ecdd99435d11ed5701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{887A84A9-099F-4F03-8E5B-B94B2E8EBC47}.FSD
Filesize
128KB

MD5
7551a7c2f60496d23ed57706e04e69f3

SHA1
2003f3c8ce6df1bfe27ca8da311665d147f467ab

SHA256
35d1d8e806b3f68cee414c5bd0f1e674e80b91e3d0d28991ec7227a9ac345570

SHA512
50190145c36a36c704b8a202b5445d12311b85e3d6f123f2d1fe33d8b72cb24b939414fdd52a767009ea7ed73478f1b61bff03235e050090adbd59f129c2f3db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K7OQK7H1\newmicrosoftunderstandhowimportanttodeletehistorycookiecacheeverythingfromthepc[1].doc
Filesize
53KB

MD5
460857b142873aecf2a7fb03c03ad16c

SHA1
7dea4f943df7b874475531318592f3a7cee39119

SHA256
ec4035e087e6bfb7e4ed8de073512ff89c251a322b228ccf60dd96ff43c7f63a

SHA512
a4b4df83a88c7af7e25f5d94efb24c077112659fb91bd9eb53994eb55f506871d33c4efefc62b39b2abab42fd8074c30196d9761de028e968f5b8d992f235889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5A18465A.doc
Filesize
53KB

MD5
460857b142873aecf2a7fb03c03ad16c

SHA1
7dea4f943df7b874475531318592f3a7cee39119

SHA256
ec4035e087e6bfb7e4ed8de073512ff89c251a322b228ccf60dd96ff43c7f63a

SHA512
a4b4df83a88c7af7e25f5d94efb24c077112659fb91bd9eb53994eb55f506871d33c4efefc62b39b2abab42fd8074c30196d9761de028e968f5b8d992f235889

Download Submit
C:\Users\Admin\AppData\Local\Temp\{25B363EF-D451-4CFB-9ABE-50BAD38E07DC}
Filesize
128KB

MD5
3c9d05af1b28d204535a282745de9fcd

SHA1
95afab3f4f8bcbb95eeee560c47b42380d65fdad

SHA256
475237c67433d51af92f942758a6737da248d206441d8fe5b7e0cc04eb3d5ee9

SHA512
1b7f6d317b5c34d38848b2e8856cd1e8f5f8f2ee2a991f5a819cb1840e821dbc0bb85574373b05f309a586a2be6db6fe0159eb075e8768b5cb33b26de8187fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
149B

MD5
4ef34cbc1b93016b71eafab2854e5af4

SHA1
38f8fccf99113c80825f05f0cc853d2813eb4496

SHA256
09b7082b8e28e2247b7b76536f38163dae254b74ca9a2ae01de9cb7a3ddb0a67

SHA512
60e35cc1e6a2484a5ca5646969b79364817773c9d294fbff111a4a0b2cc5a06ef22d2ee588615a1401a0949c5c20929fefe09836b1830dfd141bea0f183b77a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
8c4581e25697c1a007fcb5a8412ad7cf

SHA1
0fcdb7e8735467425ef4379503a10ab17bd26b02

SHA256
0ab8d16056f7277df043c5bd283d7c8c90f7c71a142f8b334aca493a33d81692

SHA512
8ace55de9c6d4dde26ba148684cc8efb558d50142f557cf364e0dcc1de71f8521dabd233faaedcbf835bae48f11030b7519fb2a50252de974dc748f0f99c7597

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe
Filesize
661KB

MD5
a6f825c7bd99b1e08271022933e4c0e4

SHA1
6e9e3bef43c86e0a561f84b41f5d90cd38108c6f

SHA256
547d7284d2ab147e1ca48bc9d11a784edc0fa3e26f397afc1e0642bae869ca01

SHA512
1dd921e7bcc35ffca012b6f8771d620ed8f91f15b32ea529a0dcb37b29b88b0e545dca4bdc61e385c25d6298af6a253ea9bb6c6f084545d7558b82eee0a957a4

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe
Filesize
661KB

MD5
a6f825c7bd99b1e08271022933e4c0e4

SHA1
6e9e3bef43c86e0a561f84b41f5d90cd38108c6f

SHA256
547d7284d2ab147e1ca48bc9d11a784edc0fa3e26f397afc1e0642bae869ca01

SHA512
1dd921e7bcc35ffca012b6f8771d620ed8f91f15b32ea529a0dcb37b29b88b0e545dca4bdc61e385c25d6298af6a253ea9bb6c6f084545d7558b82eee0a957a4

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe
Filesize
661KB

MD5
a6f825c7bd99b1e08271022933e4c0e4

SHA1
6e9e3bef43c86e0a561f84b41f5d90cd38108c6f

SHA256
547d7284d2ab147e1ca48bc9d11a784edc0fa3e26f397afc1e0642bae869ca01

SHA512
1dd921e7bcc35ffca012b6f8771d620ed8f91f15b32ea529a0dcb37b29b88b0e545dca4bdc61e385c25d6298af6a253ea9bb6c6f084545d7558b82eee0a957a4

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe
Filesize
661KB

MD5
a6f825c7bd99b1e08271022933e4c0e4

SHA1
6e9e3bef43c86e0a561f84b41f5d90cd38108c6f

SHA256
547d7284d2ab147e1ca48bc9d11a784edc0fa3e26f397afc1e0642bae869ca01

SHA512
1dd921e7bcc35ffca012b6f8771d620ed8f91f15b32ea529a0dcb37b29b88b0e545dca4bdc61e385c25d6298af6a253ea9bb6c6f084545d7558b82eee0a957a4

Download Submit
memory/1596-102-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/1596-98-0x000000006A610000-0x000000006ACFE000-memory.dmp

Filesize
6.9MB

Download
memory/1596-108-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/1596-105-0x00000000009C0000-0x0000000000A02000-memory.dmp

Filesize
264KB

Download
memory/1596-104-0x00000000052B0000-0x000000000532E000-memory.dmp

Filesize
504KB

Download
memory/1596-99-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/1596-100-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/1596-107-0x000000006A610000-0x000000006ACFE000-memory.dmp

Filesize
6.9MB

Download
memory/1596-91-0x0000000000CF0000-0x0000000000D9C000-memory.dmp

Filesize
688KB

Download
memory/1596-103-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/1728-1-0x00000000722BD000-0x00000000722C8000-memory.dmp

Filesize
44KB

Download
memory/1728-101-0x00000000722BD000-0x00000000722C8000-memory.dmp

Filesize
44KB

Download
memory/1728-8-0x0000000002CD0000-0x0000000002CD2000-memory.dmp

Filesize
8KB

Download
memory/1728-135-0x00000000722BD000-0x00000000722C8000-memory.dmp

Filesize
44KB

Download
memory/1728-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2724-106-0x00000000722BD000-0x00000000722C8000-memory.dmp

Filesize
44KB

Download
memory/2724-5-0x00000000722BD000-0x00000000722C8000-memory.dmp

Filesize
44KB

Download
memory/2724-7-0x0000000003640000-0x0000000003642000-memory.dmp

Filesize
8KB

Download
memory/2724-132-0x00000000722BD000-0x00000000722C8000-memory.dmp

Filesize
44KB

Download
memory/2724-130-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2724-3-0x000000002F591000-0x000000002F592000-memory.dmp

Filesize
4KB

Download