Analysis

  • max time kernel: 144s
  • max time network: 136s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 25-01-2024 15:33

General

  • Target: SecuriteInfo.com.Heur.25589.9954.xls
  • Size: 275KB
  • MD5: e108b870cba8e39e516076ca3989372b
  • SHA1: 439fd0bdcf0319994f9b91f28d4f2b2a5bde0874
  • SHA256: 69f40c2f6a4540550f934e0b2f9a354629d3835b30fd13293c2f6a6b97202159
  • SHA512: 710235888d211b49f89d97d2cd32a7ac47922cbe421a3eb0fbb7f50a2b5f2e46236a6b64843cf29e6163c32798b48f46b6e1fca318f8cfc04045f00bf30d244a
  • SSDEEP: 6144:5kunhVY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVLOMI2n1WbMS5Fuhix2c:5tC3bVLOMIg9Y

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25589.9954.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1384
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2152
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\AppData\Roaming\conhost.exe
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Users\Admin\AppData\Roaming\conhost.exe
          "C:\Users\Admin\AppData\Roaming\conhost.exe"
          3⤵
          • Executes dropped EXE
          PID:2872
        • C:\Users\Admin\AppData\Roaming\conhost.exe
          "C:\Users\Admin\AppData\Roaming\conhost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2824

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F2010D12-7FC2-4A2F-B4FF-82D2A6A88FC0}.FSD
      Filesize: 128KB
      MD5: 8661887cf3224a5cd6c5b27db4962074
      SHA1: b263fc6b27bd5997e7417cd41080af3383df2e74
      SHA256: 14ac30d9e825699a6e64c7c8941aa0bf1220e90b45353dbcae8a1644614bec83
      SHA512: c8e5d4f1035595dd63b90b78c89c375234ad7a263a3ec6eef18fd587d25fdf61878fd5ed0ed926c821cb915740d7d8eff823697a474a2f580d6c2face1087b77

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize: 128KB
      MD5: 953fc6ce2ba430e5233df46b3b776532
      SHA1: 09ec10103af8dc0462e6a257892ba44aca945081
      SHA256: c0c7bb2db07797cae2bd56204c94ed70249c3a1bc94ecfa3848061d8b754b5c4
      SHA512: eab7984e06709b3c64dbf8d3598cc15bda0ffb2448cd7865f464be5922a954073479bc79700bd4627b7e760551d7b629def6c8b333015d4529c74f6e1acf1e93

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JIH1AB02\vnextofficeupdationwaitingfortheentireprocesstocompleteandimprovethethecnonologyfornew[1].doc
      Filesize: 65KB
      MD5: 869dc88123916a7193c56809db6b5e97
      SHA1: fb285a3be57ea12e4884152c9542dbcc4b3d1b6d
      SHA256: d144a111d023b667aa6a2f56af76323943ae9553b6629afe91131dfd2d5f2e0b
      SHA512: 67bd25e403c355090ad1db59f9f15426595c7c70ab77d85cb3678bfac5c939f4a3f72d6caf713dd2ca8f2df4f8f908f190940c2035afd5efbf9e6916f52f2081

    • C:\Users\Admin\AppData\Local\Temp\{85F137EE-3AA7-4F9F-96D0-DAAB50FCE847}
      Filesize: 128KB
      MD5: e15056751e28099c973e99726e777ba0
      SHA1: e6db22a4963f034e16b6d2af026fa3d786a1f93c
      SHA256: 65238512e04de3bfa5a7462c7218d5b99fbe98362005ef87ebe27f5a59fd0a4b
      SHA512: 352df54322af21b42999bd0fb8b0fe9fc3630dfa1192d74940eb685900afa0327bf464925f2974c2aafe94e95fe79da44cf1ef1166d9f8e12ac8b52bf0ab88fc

    • C:\Users\Admin\AppData\Roaming\conhost.exe
      Filesize: 504KB
      MD5: 7f197736d08b01265597a9df15ebb346
      SHA1: 506cd0b4b2a2171bd775c865bcaa18f850a8b2d9
      SHA256: f9b87bfdd0157482c04d254b505d38b7223f421bcc3427ba99de9f583d6faa77
      SHA512: d6dfe9c232cffaeb09061437e419cb96a3eab7c0666878e64243378e5e89d7fb42f4e942b19a429d4ab6b7bca80a038daa7662df1aa051b9a5fb723daf443c74

    • C:\Users\Admin\AppData\Roaming\conhost.exe
      Filesize: 610KB
      MD5: b90adcc386503d5864f6df6bfaa3409b
      SHA1: 23bc57deb41d02b582a5ae03d8e94a5732b0f959
      SHA256: 24b2c5278a4d80c22994b4d9727293aa6641ae9947f7ed522b7b5f44fa1f7a63
      SHA512: b2a2264d2ec247b2cebe94469bd5fdda87fd257222643fa5321686a99df12657fe86f87e7333f75c0c654cdc1fd0817c79909f6bfa407692d2a577a4c6b9e4cb

    • memory/624-9-0x0000000004090000-0x0000000004092000-memory.dmp (Filesize 8KB)
    • memory/624-7-0x0000000071FCD000-0x0000000071FD8000-memory.dmp (Filesize 44KB)
    • memory/624-5-0x000000002F561000-0x000000002F562000-memory.dmp (Filesize 4KB)
    • memory/624-107-0x0000000071FCD000-0x0000000071FD8000-memory.dmp (Filesize 44KB)
    • memory/1384-10-0x0000000002470000-0x0000000002472000-memory.dmp (Filesize 8KB)
    • memory/1384-103-0x0000000071FCD000-0x0000000071FD8000-memory.dmp (Filesize 44KB)
    • memory/1384-0-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
    • memory/1384-1-0x0000000071FCD000-0x0000000071FD8000-memory.dmp (Filesize 44KB)
    • memory/1952-104-0x00000000004C0000-0x00000000004C8000-memory.dmp (Filesize 32KB)
    • memory/1952-102-0x0000000000450000-0x0000000000468000-memory.dmp (Filesize 96KB)
    • memory/1952-101-0x0000000000820000-0x0000000000860000-memory.dmp (Filesize 256KB)
    • memory/1952-105-0x0000000000800000-0x000000000080C000-memory.dmp (Filesize 48KB)
    • memory/1952-106-0x0000000005380000-0x00000000053FA000-memory.dmp (Filesize 488KB)
    • memory/1952-99-0x000000006A3D0000-0x000000006AABE000-memory.dmp (Filesize 6.9MB)
    • memory/1952-122-0x000000006A3D0000-0x000000006AABE000-memory.dmp (Filesize 6.9MB)
    • memory/1952-98-0x0000000000860000-0x00000000008FE000-memory.dmp (Filesize 632KB)
    • memory/2824-113-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize 256KB)
    • memory/2824-114-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
    • memory/2824-121-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize 256KB)
    • memory/2824-119-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize 256KB)
    • memory/2824-111-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize 256KB)
    • memory/2824-116-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize 256KB)
    • memory/2824-112-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize 256KB)
    • memory/2824-123-0x000000006A3D0000-0x000000006AABE000-memory.dmp (Filesize 6.9MB)
    • memory/2824-124-0x0000000004950000-0x0000000004990000-memory.dmp (Filesize 256KB)
    • memory/2824-109-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize 256KB)
    • memory/2824-125-0x000000006A3D0000-0x000000006AABE000-memory.dmp (Filesize 6.9MB)
    • memory/2824-126-0x0000000004950000-0x0000000004990000-memory.dmp (Filesize 256KB)