agenttesla | be725585e6ae2724abda2d338b40b4c39da0b712126da103408e4da844e1f6fa

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 10:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Enq.xll
Size

643KB
MD5

0ed458621a0e75e9dac09b9cf00b909d
SHA1

02f07b3badc63785cd66b181657322f851d3b0c2
SHA256

7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12
SHA512

2cb0a297922a609ccbebe3bd64ba8aa7560e2440753c0c39da545cb78248050d1bb0b98b92dd9e013ead850a7087882296bb464e7f639e8c5456b0955f9f9ac9
SSDEEP

12288:pn/zDvGHAykHSzLW/4+8bzbBSreMdbhgFK/UqWgmrMqir:NzbGHAzHAjX1CcLgYi

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Port:
587
Username:
yg�wt%�HIDHd�@CFHn�FE\s�Y^UK.�SP[
Password:
9�TU��

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 3 IoCs

resource	yara_rule
behavioral2/memory/324-41-0x000001B79D460000-0x000001B79D49E000-memory.dmp	family_agenttesla
behavioral2/files/0x0007000000023297-47.dat	family_agenttesla
behavioral2/memory/4384-57-0x0000000000C90000-0x0000000000CCC000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

pid	Process
4384	service.exe

Loads dropped DLL 2 IoCs

pid	Process
324	EXCEL.EXE
324	EXCEL.EXE

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	service.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	service.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	service.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
324	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4384	service.exe
4384	service.exe
4384	service.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	service.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
324	EXCEL.EXE
324	EXCEL.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
324	EXCEL.EXE
324	EXCEL.EXE
324	EXCEL.EXE
324	EXCEL.EXE
324	EXCEL.EXE
324	EXCEL.EXE
324	EXCEL.EXE
324	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 4384	324	EXCEL.EXE	100
PID 324 wrote to memory of 4384	324	EXCEL.EXE	100
PID 324 wrote to memory of 4384	324	EXCEL.EXE	100

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	service.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	service.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Enq.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:324
- C:\Users\Admin\AppData\Roaming\service.exe
  "C:\Users\Admin\AppData\Roaming\service.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Enq.xll

Filesize
75KB

MD5
e69b554e1fa16a09cb7f306b40248939

SHA1
5f1546807bad5d8b34f57c431592d9882a5edcd5

SHA256
edc132613d495c261e850a336ed2dc34913564f7e2f71c3a597b367853ea1ece

SHA512
4022ec6ec39c7f15b86fdf4d8047a26f40ba42718a1dc1d88f4c9959b7f4fa6f852005c3137def3aa4cba31923372a1a303940be58cd6f6989f79d01666e2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enq.xll

Filesize
81KB

MD5
55578414c0cc5a11038ed54831299c42

SHA1
31b7a4c9afb775c5ce6c882f7debf199d798438b

SHA256
94f2027fef4d459a1b46ad248cb4d48af7f0943bf0cfa58d13c62c670443d4c7

SHA512
cb50e0d8006a58e3b5f803e5f850df4c5b16ff8b5e8ad282896dcad8845467d19b69dc0c41c229b681adb91cfae78f55309c06d93e4a2c166f584cd8d6e72898

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Filesize
216KB

MD5
59b496a8ac6c38dad931d4bfb071e74b

SHA1
8444c61041b3b2844aac3c5477929f2723859eb0

SHA256
ab5444f001b8f9e06ebf12bc8fdc200ee5f4185ee52666d69f7d996317ea38f3

SHA512
5a1dae0a3a84a677a71b43ac2e423983078945a962a34c4ec735cadc86a0a966762c65c701f6efbda4a21f358004d63063ca93ff4881e79d0599334f160a41de

Download Submit
memory/324-33-0x00007FF979B90000-0x00007FF97A651000-memory.dmp

Filesize
10.8MB

Download
memory/324-95-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/324-2-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/324-3-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/324-4-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-5-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/324-6-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-7-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-8-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-9-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-10-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-11-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-13-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-12-0x00007FF964470000-0x00007FF964480000-memory.dmp

Filesize
64KB

Download
memory/324-14-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-15-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-16-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-17-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-18-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-19-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-20-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-21-0x00007FF964470000-0x00007FF964480000-memory.dmp

Filesize
64KB

Download
memory/324-26-0x000001B79BAD0000-0x000001B79BB8B000-memory.dmp

Filesize
748KB

Download
memory/324-32-0x000001B79BCB0000-0x000001B79BCCC000-memory.dmp

Filesize
112KB

Download
memory/324-36-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/324-35-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/324-37-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/324-38-0x000001B79BD00000-0x000001B79BD3C000-memory.dmp

Filesize
240KB

Download
memory/324-34-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/324-0-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/324-1-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/324-98-0x00007FF979B90000-0x00007FF97A651000-memory.dmp

Filesize
10.8MB

Download
memory/324-39-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/324-42-0x000001B79BC90000-0x000001B79BCA0000-memory.dmp

Filesize
64KB

Download
memory/324-69-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-70-0x00007FF979B90000-0x00007FF97A651000-memory.dmp

Filesize
10.8MB

Download
memory/324-40-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/324-97-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/324-96-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/324-41-0x000001B79D460000-0x000001B79D49E000-memory.dmp

Filesize
248KB

Download
memory/324-94-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/324-93-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

Filesize
64KB

Download
memory/324-71-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/324-72-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/324-73-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/324-74-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/324-75-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/324-76-0x000001B7B6CE0000-0x000001B7B6CF0000-memory.dmp

Filesize
64KB

Download
memory/4384-56-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4384-101-0x0000000001450000-0x000000000145A000-memory.dmp

Filesize
40KB

Download
memory/4384-77-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4384-78-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/4384-61-0x0000000005920000-0x00000000059BC000-memory.dmp

Filesize
624KB

Download
memory/4384-67-0x0000000005BC0000-0x0000000005BD8000-memory.dmp

Filesize
96KB

Download
memory/4384-57-0x0000000000C90000-0x0000000000CCC000-memory.dmp

Filesize
240KB

Download
memory/4384-58-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/4384-68-0x0000000006570000-0x00000000065D6000-memory.dmp

Filesize
408KB

Download
memory/4384-59-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/4384-99-0x0000000001650000-0x00000000016A0000-memory.dmp

Filesize
320KB

Download
memory/4384-100-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/4384-60-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/4384-102-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download