Analysis
-
max time kernel
144s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
13-12-2023 01:46
General
-
Target
e0f39aafb9e7336243e6e7474a8dae1eaef0d47f18cf248647447de68025419d.xls
-
Size
581KB
-
MD5
9a6023f380a3ca9497b58c03af489a46
-
SHA1
b0c3f4a422bdebb69ae2b23a02ede3d4963a2f1f
-
SHA256
e0f39aafb9e7336243e6e7474a8dae1eaef0d47f18cf248647447de68025419d
-
SHA512
0713716a398dc5633bfcf4dd5b48db1ffb226efb7fad594fc74e31cc6e84ba4ebdb158763ba3d874c2d9e5654c640a5e75a158257e09af043dbcdba970a7da12
-
SSDEEP
12288:OMe0yk97XV2bZ/HEIR01GF3CxBfL9DeHp/GilMD:OMeo9gdvR2GFupxCHv
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.experthvac.ro - Port:
21 - Username:
[email protected] - Password:
-8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\e0f39aafb9e7336243e6e7474a8dae1eaef0d47f18cf248647447de68025419d.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\wlanext.exe"C:\Users\Admin\AppData\Roaming\wlanext.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD51344bf99bb3125579da58918826b80e1
SHA15075a85087c6422be2458f0ca6b1dd00764dbd04
SHA25671bdfca663f3381f0273699632877e5cab01901e5e2844ecb2e9e6ec5759acb9
SHA51273400d614ea7d6360e3325059cd699562d9f98cb926d06ba7f50ba0613cfc0072084fe778f36809ad1efc147025100a944b6bc843991533a91de8a889c2635cd
-
Filesize
128KB
MD59b3ea2a503e6aa423e4c1b7012aec26f
SHA11df4dcd2eaf2066d4287e82fa274f27e6bb1d42e
SHA2563cf8c5008e3384ceec5f1102be140fc1c1c4b73520ebe53efc706e0b1f1a55d9
SHA51282a6873bd5925d7725b9d49535a31eb0cc076f4645ddc308a687289a477c3a3e03540240c577bc8f77dbe8b1c329dfc27713f10e6ccbcf95c5fb202372bea50b
-
Filesize
128KB
MD5811ab950d7458f1eab31d503d8823e1c
SHA146800fb45c5b782364593f0f2d8e29615c9d3478
SHA256c90fd05b47c8efb56ac2ec6ce380c4cea31dc323ff7d9355ff8d83447bb130ab
SHA512b9f62fc8efb181cdf7892f1eadd7cfd409641f6f3dbab7ef8a3fa9eb07e7def0b33f93a0c7bb7041ee28b75be0fc5971bb5b89c3a2b4e4c0587c18f85466352e
-
Filesize
58KB
MD57d37e6af80e23aea8f852cd402856a16
SHA1bc068302becb020a2e80e23a26f84d640beeaafd
SHA25612c9ce523a6506f8b7de9be6e3ba2061bd7f0ece9b4ffbe0d66c3478f6d03381
SHA5127cb46b04a6ba1299bf2c2942368fe0cdcc6abb01dae607e5fcddba344e4ee634c6d21bb6b93cbfe24e2022dfbeb5361904724bd18988320505a389f106aa28c0
-
Filesize
128KB
MD5488bfcd5b16b630abcfef1540e88ea4a
SHA161c9ad4cad49ed5715891f676ec772b051d6b093
SHA256cf65114e2620372a956dbe45813a66ec916e87b9e232854f3cfc7b32c853130e
SHA5121bc77fd48f1ccc3ab59dfb404bcff5cf0e95c702d9648eeaed7bc429ec67ad419daf8fffbb92015beada0936b24d988c6e06a1f4fa82753974b8e50cd48608a6
-
Filesize
823KB
MD53713c253ab56bf85aaa806fc41cc6905
SHA1cf59aac87590bb5f3bba092f20455b097a1ffab5
SHA256ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17
SHA512ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
848KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
104KB
-
Filesize
24KB
-
Filesize
272KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
8KB