agenttesla | e0f1ef9fcfae45d393777618ac8c0a82b8c58d34053b019749fef31588de1f10

General

Target

e0f1ef9fcfae45d393777618ac8c0a82b8c58d34053b019749fef31588de1f10.rtf
Size

67KB
MD5

75d665089332432123f71fbc88882326
SHA1

20f065e60c8a45b0d3e6f76e4eba7a6b4ce79e53
SHA256

e0f1ef9fcfae45d393777618ac8c0a82b8c58d34053b019749fef31588de1f10
SHA512

ec79af230708d255facc14d871873674cd0d752cb5e1489fe3699e3212e7c20e1f8b1ee84749644a14ee632886dabb412ae6aed11677cb5e35a623d2d3b592b3
SSDEEP

1536:2XSMKpKeqLvjbAYLGX4YstY13c3E4J8N5yt3Yn1EjVGY38hX5HjLr5p4Q:DMyKeqLvoYXtYG04J8N5yt3Y1EjVGY3q

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.vila-gabriel.ro
Port:
21
Username:
[email protected]
Password:
bVkMH6R.pfF~NN@ossy$W!_pz[bh!9l(MU%UtX9L^W}vO=mn*g*;]}]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Downloads MZ/PE file
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2824 EQNEDT32.EXE

pid	process
2824	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e0f1ef9fcfae45d393777618ac8c0a82b8c58d34053b019749fef31588de1f10.rtf"
1⤵
- Modifies Internet Explorer settings
PID:1412

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1900

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:2824

C:\Users\Admin\AppData\Roaming\HJC.exe
"C:\Users\Admin\AppData\Roaming\HJC.exe"
2⤵
PID:2620

C:\Users\Admin\AppData\Roaming\HJC.exe
"C:\Users\Admin\AppData\Roaming\HJC.exe"
3⤵
PID:768

C:\Users\Admin\AppData\Roaming\HJC.exe
"C:\Users\Admin\AppData\Roaming\HJC.exe"
3⤵
PID:2676

C:\Users\Admin\AppData\Roaming\HJC.exe
"C:\Users\Admin\AppData\Roaming\HJC.exe"
3⤵
PID:2756

C:\Users\Admin\AppData\Roaming\HJC.exe
"C:\Users\Admin\AppData\Roaming\HJC.exe"
3⤵
PID:2092

C:\Users\Admin\AppData\Roaming\HJC.exe
"C:\Users\Admin\AppData\Roaming\HJC.exe"
3⤵
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
22369ec716a99dfb48da83e7c2b7fb64

SHA1
74b3715616680b8e4e6af4c5c51f08f35a3e2e69

SHA256
db7e3e2fa52409870199f98ac64cba5656e8a144db087eb5893a4b6152d7514f

SHA512
5d112590aa81b34e8e1569d3674fa9c0d02d11880a5b7f8269581065e1ae703bc073ac6bce4da86996f8781c531932d9300a3e55796cc8f8705ec16c81a3e018

Download Submit
\Users\Admin\AppData\Roaming\HJC.exe
Filesize
807KB

MD5
23b94e1b073e54606fcf106d3c5d8286

SHA1
1fd95874cb88ba3b557c440c5cd6f5f8639723ce

SHA256
6b54303a91c5bc99696dc0896ec3813bedd9296987d12327348ec3c525aeb5a9

SHA512
e434137c29833486f42d5cf3e6c3700d4218c7d19bda2bad6d917d707b099439ef727eb0fa87e7923f27ff8398565f6fc172500404a4909f3da6a285d358041b

Download Submit
memory/768-36-0x0000000000070000-0x00000000000B2000-memory.dmp

Filesize
264KB

Download
memory/768-34-0x0000000000070000-0x00000000000B2000-memory.dmp

Filesize
264KB

Download
memory/768-37-0x0000000000070000-0x00000000000B2000-memory.dmp

Filesize
264KB

Download
memory/768-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/768-38-0x0000000000070000-0x00000000000B2000-memory.dmp

Filesize
264KB

Download
memory/1412-5-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/1412-2-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/1412-0-0x000000002FFD1000-0x000000002FFD2000-memory.dmp

Filesize
4KB

Download
memory/1412-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1412-97-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/1412-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2620-19-0x0000000000360000-0x0000000000430000-memory.dmp

Filesize
832KB

Download
memory/2620-33-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/2620-32-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/2620-31-0x0000000002030000-0x000000000204A000-memory.dmp

Filesize
104KB

Download
memory/2620-30-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/2620-29-0x000000006AE40000-0x000000006B52E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-78-0x000000006AE40000-0x000000006B52E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-27-0x0000000001F00000-0x0000000001F44000-memory.dmp

Filesize
272KB

Download
memory/2620-22-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/2620-21-0x000000006AE40000-0x000000006B52E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing