Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-02-2024 16:21

General

  • Target
    hsbcpayment.rtf
  • Size
    200KB
  • MD5
    f38485c927c41083769311aef5eac8c5
  • SHA1
    d883b17a8a12895729c253a3497eed90dd718db7
  • SHA256
    c119837547083f87c3852d0399f2065b733d687a5cb493523463df231351324b
  • SHA512
    acc825916110bb006217da1e800245643f4603384204ab7c318994279ed8719ba482e39bdd7ce0eca5b17e77999957965ba21bf76498f0cb76d3e933ad0b0a24
  • SSDEEP
    1536:gwAlRkwAlRkwAlRkwAlRi3vsBlwu2aS9kqaH:gwAlawAlawAlawAlI30Blwu2VkqaH

Malware Config

Extracted

  • Family
    agenttesla
  • Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request (2 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Reads WinSCP keys stored on the system (2 TTPs)

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store some user data on disk, where infostealers will often target it.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor (1 TTP, 1 IoC)

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\hsbcpayment.rtf"
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:2344
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Roaming\fmp20044.scr
      "C:\Users\Admin\AppData\Roaming\fmp20044.scr"
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Users\Admin\AppData\Roaming\fmp20044.scr
        "C:\Users\Admin\AppData\Roaming\fmp20044.scr"
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1204

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: fe7ba4d3d95490fc0e73223f41fad104
    SHA1: d18f532a67a1e898d18d417f895479abdb25a61f
    SHA256: 9393374e41b85e6a549f11d8e5bd847272aeba36165e1130537d07757e38c71b
    SHA512: 5778a547f0538cdc1788afb1cf7c94cd8700f20aa8c9792c3d66599c173e3b788cd30a5dde62c19090080f0dcbe89fe50d7e08244dfadf4736baefb08a238f5f

  • \Users\Admin\AppData\Roaming\fmp20044.scr
    Filesize: 801KB
    MD5: 9dbe2af5998908187b79afebf4753634
    SHA1: e4fd2fd4d0c20b80dee8342b88e6e140d1f0137d
    SHA256: d023fb1b834e04895084d602077082766b04a7d2798fb6ce912c844d108ab4bc
    SHA512: bc762e9d1cb31b2a44f3a0904efc084a63693d9239d491859e081107e7e1ba2593110574f095d345d4ddc85206f24aa99b680b3e59f8d19dbeec5244b46c6014

  • memory/1204-50-0x0000000000080000-0x00000000000C0000-memory.dmp (Filesize: 256KB)
  • memory/1204-42-0x0000000000080000-0x00000000000C0000-memory.dmp (Filesize: 256KB)
  • memory/1204-41-0x0000000000080000-0x00000000000C0000-memory.dmp (Filesize: 256KB)
  • memory/1204-39-0x0000000000080000-0x00000000000C0000-memory.dmp (Filesize: 256KB)
  • memory/1204-62-0x00000000044A0000-0x00000000044E0000-memory.dmp (Filesize: 256KB)
  • memory/1204-61-0x000000006AD60000-0x000000006B44E000-memory.dmp (Filesize: 6.9MB)
  • memory/1204-58-0x000000006AD60000-0x000000006B44E000-memory.dmp (Filesize: 6.9MB)
  • memory/1204-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/1204-43-0x0000000000080000-0x00000000000C0000-memory.dmp (Filesize: 256KB)
  • memory/1204-54-0x0000000000080000-0x00000000000C0000-memory.dmp (Filesize: 256KB)
  • memory/1204-57-0x0000000000080000-0x00000000000C0000-memory.dmp (Filesize: 256KB)
  • memory/1204-48-0x0000000000080000-0x00000000000C0000-memory.dmp (Filesize: 256KB)
  • memory/2064-0-0x000000002FA91000-0x000000002FA92000-memory.dmp (Filesize: 4KB)
  • memory/2064-83-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2064-2-0x000000007147D000-0x0000000071488000-memory.dmp (Filesize: 44KB)
  • memory/2064-60-0x000000007147D000-0x0000000071488000-memory.dmp (Filesize: 44KB)
  • memory/2064-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2728-30-0x0000000000A00000-0x0000000000ACE000-memory.dmp (Filesize: 824KB)
  • memory/2728-49-0x000000006B630000-0x000000006BD1E000-memory.dmp (Filesize: 6.9MB)
  • memory/2728-38-0x0000000000520000-0x0000000000528000-memory.dmp (Filesize: 32KB)
  • memory/2728-32-0x0000000004680000-0x00000000046C0000-memory.dmp (Filesize: 256KB)
  • memory/2728-33-0x0000000000410000-0x000000000047E000-memory.dmp (Filesize: 440KB)
  • memory/2728-31-0x000000006B630000-0x000000006BD1E000-memory.dmp (Filesize: 6.9MB)