agenttesla | b0dcb9ceb001f6ea05b3163e56783cfe2028357129eb7db516d28e88acd9845b

General

Target

pro-forma invoice.xlsm.exe
Size

2.2MB
MD5

7f673b101bf26081c7e9a07afb60208d
SHA1

7d875b5fa96cb98a12290dac8f78f32b321023c4
SHA256

b0dcb9ceb001f6ea05b3163e56783cfe2028357129eb7db516d28e88acd9845b
SHA512

59e218de90db1e498239ec9cdd129b595b58cc5f2e4da6b1a142b654ef1ad8ad21679c1714180ad28cf4163c39ba093f829ec7fb9bbda6577b3b026dd6aac2a5
SSDEEP

49152:Ya3RyYkdvQ0RKgfPj6eKgT24yYqYu+lste0NENnxIj0i7wClms:YwyjI0RKgfb6eKgTgXp+lst21x5Clms

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.spia-indonesia.org
Port:
587
Username:
[email protected]
Password:
Looloo123@#

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.spia-indonesia.org
Port:
587
Username:
[email protected]
Password:
Looloo123@#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pro-forma invoice.xlsm.exepro-forma invoice.xlsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MvQHOaQ = "C:\\Users\\Admin\\AppData\\Roaming\\MvQHOaQ\\MvQHOaQ.exe"	pro-forma invoice.xlsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Biibpb = "C:\\Users\\Admin\\AppData\\Roaming\\Biibpb.exe"	pro-forma invoice.xlsm.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

53 api.ipify.org
54 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

pro-forma invoice.xlsm.exe

description pid process target process

PID 4136 set thread context of 3964 4136 pro-forma invoice.xlsm.exe pro-forma invoice.xlsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro-forma invoice.xlsm.exe

pid process

3964 pro-forma invoice.xlsm.exe
3964 pro-forma invoice.xlsm.exe

flow	ioc
53	api.ipify.org
54	api.ipify.org

description	pid	process	target process
PID 4136 set thread context of 3964	4136	pro-forma invoice.xlsm.exe	pro-forma invoice.xlsm.exe

pid	process
3964	pro-forma invoice.xlsm.exe
3964	pro-forma invoice.xlsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pro-forma invoice.xlsm.exepro-forma invoice.xlsm.exe

description	pid	process
Token: SeDebugPrivilege	4136	pro-forma invoice.xlsm.exe
Token: SeDebugPrivilege	4136	pro-forma invoice.xlsm.exe
Token: SeDebugPrivilege	3964	pro-forma invoice.xlsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

pro-forma invoice.xlsm.exe

pid process

3964 pro-forma invoice.xlsm.exe

pid	process
3964	pro-forma invoice.xlsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

pro-forma invoice.xlsm.exe

description	pid	process	target process
PID 4136 wrote to memory of 3964	4136	pro-forma invoice.xlsm.exe	pro-forma invoice.xlsm.exe
PID 4136 wrote to memory of 3964	4136	pro-forma invoice.xlsm.exe	pro-forma invoice.xlsm.exe
PID 4136 wrote to memory of 3964	4136	pro-forma invoice.xlsm.exe	pro-forma invoice.xlsm.exe
PID 4136 wrote to memory of 3964	4136	pro-forma invoice.xlsm.exe	pro-forma invoice.xlsm.exe
PID 4136 wrote to memory of 3964	4136	pro-forma invoice.xlsm.exe	pro-forma invoice.xlsm.exe
PID 4136 wrote to memory of 3964	4136	pro-forma invoice.xlsm.exe	pro-forma invoice.xlsm.exe
PID 4136 wrote to memory of 3964	4136	pro-forma invoice.xlsm.exe	pro-forma invoice.xlsm.exe
PID 4136 wrote to memory of 3964	4136	pro-forma invoice.xlsm.exe	pro-forma invoice.xlsm.exe

C:\Users\Admin\AppData\Local\Temp\pro-forma invoice.xlsm.exe
"C:\Users\Admin\AppData\Local\Temp\pro-forma invoice.xlsm.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136

C:\Users\Admin\AppData\Local\Temp\pro-forma invoice.xlsm.exe
"C:\Users\Admin\AppData\Local\Temp\pro-forma invoice.xlsm.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pro-forma invoice.xlsm.exe.log
Filesize
716B

MD5
a92a2835b20b01436fb6517e97090bb1

SHA1
1a179d6b4018cc896708aa112b9d683176ba59b9

SHA256
807a02aa126863cf5b802851a3b42d233a856346c0fb13517236815a1764e963

SHA512
ef51b2bcfa1cdd33a02176d87b609f8ea4a6c4cfcf69094e88459a19bd1c187872b3a789a46e28869dad63f559cab8d51ac1125a172d71c477f3dd0ec60550a9

Download Submit
memory/3964-4902-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3964-4901-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3964-4903-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/3964-4904-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3964-4910-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3964-4909-0x0000000006D40000-0x0000000006D4A000-memory.dmp

Filesize
40KB

Download
memory/3964-4908-0x0000000006DA0000-0x0000000006E32000-memory.dmp

Filesize
584KB

Download
memory/3964-4907-0x0000000006C60000-0x0000000006CFC000-memory.dmp

Filesize
624KB

Download
memory/3964-4906-0x0000000006B70000-0x0000000006BC0000-memory.dmp

Filesize
320KB

Download
memory/4136-39-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-29-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-23-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-37-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-53-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-63-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-67-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-65-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-61-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-59-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-57-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-55-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-52-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-45-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-43-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-41-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-5-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-35-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-33-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-31-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-49-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-19-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-47-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-27-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-21-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-17-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-15-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-13-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-11-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-9-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-7-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-25-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-4890-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4136-4891-0x0000000005510000-0x000000000557C000-memory.dmp

Filesize
432KB

Download
memory/4136-4892-0x0000000005580000-0x00000000055CC000-memory.dmp

Filesize
304KB

Download
memory/4136-4-0x0000000005220000-0x000000000544A000-memory.dmp

Filesize
2.2MB

Download
memory/4136-3-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4136-2-0x0000000005220000-0x0000000005450000-memory.dmp

Filesize
2.2MB

Download
memory/4136-1-0x0000000000550000-0x0000000000796000-memory.dmp

Filesize
2.3MB

Download
memory/4136-0-0x000000007445E000-0x000000007445F000-memory.dmp

Filesize
4KB

Download
memory/4136-4893-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4136-4894-0x0000000005F40000-0x00000000064E4000-memory.dmp

Filesize
5.6MB

Download
memory/4136-4895-0x0000000000E60000-0x0000000000EB4000-memory.dmp

Filesize
336KB

Download
memory/4136-4900-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads