agenttesla | 5685ac180e320c50a6c4d70569a15d317f9b03baf71091b84f0915cec512869e

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 10:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

nick015.docx
Size

16KB
MD5

916ebc98b5e558d1549670b6daaa69f5
SHA1

143fd3c85c8c4d1582f46e7dd1df66ec55a10662
SHA256

5685ac180e320c50a6c4d70569a15d317f9b03baf71091b84f0915cec512869e
SHA512

9925b9f0b9dd674f0bc781ce20265989a7a94ecde90dc07bb2dfabc985d7069c84a3582a8c3fc9dd0c9585d698531c3253bc652ad88a708b7e3588f256e42ace
SSDEEP

384:3yXkT5jW9Zs8PL8wi4OEwH8TIbE91r2fRJJY+vigkZoCOkp:3ckVYZ5P3DOqnYJHLvVkZoop

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	2588	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2432	powershell.exe
1896	powershell.exe

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
2776	nick39100.scr
1724	nick39100.scr

Loads dropped DLL 1 IoCs

pid	Process
2588	EQNEDT32.EXE

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 1724	2776	nick39100.scr	42

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2588	EQNEDT32.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1244	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2372	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2776	nick39100.scr
2776	nick39100.scr
1724	nick39100.scr
1724	nick39100.scr
2432	powershell.exe
1896	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	nick39100.scr
Token: SeDebugPrivilege	1724	nick39100.scr
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeShutdownPrivilege	2372	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2372	WINWORD.EXE
2372	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2776	2588	EQNEDT32.EXE	32
PID 2588 wrote to memory of 2776	2588	EQNEDT32.EXE	32
PID 2588 wrote to memory of 2776	2588	EQNEDT32.EXE	32
PID 2588 wrote to memory of 2776	2588	EQNEDT32.EXE	32
PID 2372 wrote to memory of 1068	2372	WINWORD.EXE	35
PID 2372 wrote to memory of 1068	2372	WINWORD.EXE	35
PID 2372 wrote to memory of 1068	2372	WINWORD.EXE	35
PID 2372 wrote to memory of 1068	2372	WINWORD.EXE	35
PID 2776 wrote to memory of 1896	2776	nick39100.scr	36
PID 2776 wrote to memory of 1896	2776	nick39100.scr	36
PID 2776 wrote to memory of 1896	2776	nick39100.scr	36
PID 2776 wrote to memory of 1896	2776	nick39100.scr	36
PID 2776 wrote to memory of 2432	2776	nick39100.scr	38
PID 2776 wrote to memory of 2432	2776	nick39100.scr	38
PID 2776 wrote to memory of 2432	2776	nick39100.scr	38
PID 2776 wrote to memory of 2432	2776	nick39100.scr	38
PID 2776 wrote to memory of 1244	2776	nick39100.scr	40
PID 2776 wrote to memory of 1244	2776	nick39100.scr	40
PID 2776 wrote to memory of 1244	2776	nick39100.scr	40
PID 2776 wrote to memory of 1244	2776	nick39100.scr	40
PID 2776 wrote to memory of 1724	2776	nick39100.scr	42
PID 2776 wrote to memory of 1724	2776	nick39100.scr	42
PID 2776 wrote to memory of 1724	2776	nick39100.scr	42
PID 2776 wrote to memory of 1724	2776	nick39100.scr	42
PID 2776 wrote to memory of 1724	2776	nick39100.scr	42
PID 2776 wrote to memory of 1724	2776	nick39100.scr	42
PID 2776 wrote to memory of 1724	2776	nick39100.scr	42
PID 2776 wrote to memory of 1724	2776	nick39100.scr	42
PID 2776 wrote to memory of 1724	2776	nick39100.scr	42

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\nick015.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1068

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Roaming\nick39100.scr
  "C:\Users\Admin\AppData\Roaming\nick39100.scr"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nick39100.scr"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TwqPuOzbnOG.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwqPuOzbnOG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A83.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1244
- - C:\Users\Admin\AppData\Roaming\nick39100.scr
    "C:\Users\Admin\AppData\Roaming\nick39100.scr"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
296a12e4bc552e6829d7f006bdb45bea

SHA1
be5d5d5ec86e8c8c1151c3ff63f3a583368ff092

SHA256
7a3023ccd3e1ab8c84dad4c3d14c444a68c345ed699d168f2c54705adf3e0774

SHA512
f878a87c2ccb1b5d3f388ba8fe22d48b99e7ff0f19b3182f730a024c66a036adc50f46774c8834a69900b17bd6663cb28e8e1d08ede9269d82b2c09b575e767d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d7c268559c5ef383ac786152858d748

SHA1
942f8bb5d67863b56d52a39bb008f425ae940faa

SHA256
6d25741245b921e619fe7f7b97b82df5178433714257ac4dbf8fa86e63f2d03a

SHA512
d46eabe050606cb0c30cfbaf0c71ed311f3b93be5b61f6f289e04623d6253c6893fb844853d6f9e66dfb9ef01fdca6867ed5bd86562ee8369e035f31b46a4d58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
2951967639ca781d5af9982e503b8c7a

SHA1
3993977dfd5cb394b621bd995124fe05ff41d3fc

SHA256
b934a6ecd94507fbc30703239109bbf648baf18b2b010f6be18a6e9726282188

SHA512
dfd516c7472400bebc56dadd735529f89ef23945fd45ec0edf804f47464c5c3a0e7d8252ee4458922be3242ee3903d219fce6dd196b5df9251aa4128f9d50a1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2D83197C-D7CA-443D-9212-F8106335C751}.FSD

Filesize
128KB

MD5
681faaa757db83198fbfb1e599f06b6b

SHA1
852fceff204469b09799b341b38d6b344fcb03e3

SHA256
6c5460ed1dc48ea21c1e42d1fb8554ac692d486aebb922aadcee3e5dc8dafdf0

SHA512
30299d446b31cbcb8cd67bc109ff1670d2b6376ab0d2aa68b30e1d257d8d8280b08d29b822b1f417ae55766f70da7f4752e41406d04177e9cb729c135165c881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
ef447c057b521a36ad5b8cdfb3f81852

SHA1
18f98e096e0feb7534d7ad2bbfdf09e62dcfd427

SHA256
4f93acb99169724becabf6e98f05a595c4bc4ff192f9104def1bada5b3899e09

SHA512
7af4005c7d8443b7f8b5197c0e48cc2f9e721e721d0a043cacb42066d4f85ce08b58fcdac3d0fc01f8d10a5fc9e49311d8182c7a0d6666ef17fb9de174f50a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{422A3AB0-F2CB-4C4D-B1DA-7DD5C027387E}.FSD

Filesize
128KB

MD5
c06923e48afabed0f0f834069314478c

SHA1
e914bd55f905a9d06338e012a20257ac66599eb9

SHA256
c8913f6fef1c5ac4faf497a00e0b4c8201be5cd1304d10db8c12b92b0b68243a

SHA512
c8fe374d3a2ae20f230cdea60cc177b2ccbf24c7162be2f9b409bb3500bb3f118bdeb79cc7e80ae9fd512be27f602ed0565adb9db0cfbd33628c8c13048a3f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z2D3H3V6\nick[1].doc

Filesize
589KB

MD5
cfd4d9dd527b39666c60b568cba3c5a1

SHA1
f96ce3dfd7435fd8db601ee73d4c0d20fe0a52a4

SHA256
50db4947b7b376e1dcf502a704bd87dbbc7a04959720f5c2b9390d171cef240c

SHA512
3d4208a40d7b3962c836c2ca4637ac5c1ac67532fdf851e636977927cb540460f8f5ab400d0fe72d01fd651f2afb3195b436c37bbc882c7fe75c6523d12ae23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabED8A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A83.tmp

Filesize
1KB

MD5
86213cb84b8b24338da3f237a609eb59

SHA1
295c05a7b883de0e677d6a9ee72c34ff5f693e1e

SHA256
df1fb967777c98ccbab2e4f08acfa231355db5e1cdb03a83e3d66160ecd93a92

SHA512
0fb76bd6eb9c7017be8162c0082c3466414759f1752b8e4063d1170dbc014d016f8877b36f52e6380333d629ede30bf37917045997d3b86941b527b1c72d482b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0CA03010-4B28-4F08-8C4C-8040E598DE3E}

Filesize
128KB

MD5
194ca3629e04dd4b0fb0c22ac449a046

SHA1
b2a03d911abbde94473ec4cfd165accc88215454

SHA256
fe7cea7cf311673f6513ac35554899ad651fcd908c68b030d45f10b02e9d80ec

SHA512
1284cff12a9feed39d20e781d1cc45f920d504520e95aae85185ad35881876a96e741827a3bf765ae77fb47f29d7e15749638cbdaa722560705bdc78c35588b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
418B

MD5
3b4d2b505f73a234e854f1abee311df2

SHA1
e7958534782b138434c4c9fa578f9b1cfdc2032a

SHA256
fc742004b01a833bb55c42271f8f26a30246bfa0f957c1bffa0a093f49671594

SHA512
326bf6e0a3873c7b0d04b1a3b2376986f64810ceb885c3d17e05fcd68c98fed06b4b5fa919f9c98cfea2ada36d88052d53ab420b37b80908c736aa5a363c5dd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
dee06f5be200e7fe768c898c2cb455a3

SHA1
a576c3167a8f48a0008b423ddd2c25b7ff0606f0

SHA256
0051a22b46859786c75b8dec55836b7a5c364115eda2eb4eb0f81a63b4627264

SHA512
ff6c00f3605e09b5200c03635a76818ac1d45f6695c1bcbfa7415fa83686e41141ac98bdcae8b73418a63a4325e3e2d695725ceb56aa6c933d8561d4a7c43a3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Roaming\nick39100.scr

Filesize
696KB

MD5
ff7bf50a80985677e556206bd39e9401

SHA1
bfbbd87ecdb40afb2614a9d511b47dbc2c9602b7

SHA256
05da9848e44274f32cf592fb476550dedcea2477d9ae2cce3dbf8c20c04cf188

SHA512
ed3e4d58a030911c7abf0cb570fccf5dd0d7477af54077c59fe2ea714ba434f654011ed58d70235d2b447ed5c4a902120264e08f7747b914fd37ff4ecbaa8af4

Download Submit
memory/1724-157-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1724-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-0-0x000000002F501000-0x000000002F502000-memory.dmp

Filesize
4KB

Download
memory/2372-2-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download
memory/2372-162-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download
memory/2372-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2372-185-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2372-186-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download
memory/2776-138-0x0000000004C30000-0x0000000004CB2000-memory.dmp

Filesize
520KB

Download
memory/2776-137-0x00000000009B0000-0x00000000009BE000-memory.dmp

Filesize
56KB

Download
memory/2776-122-0x00000000013C0000-0x0000000001470000-memory.dmp

Filesize
704KB

Download
memory/2776-127-0x0000000000980000-0x000000000099A000-memory.dmp

Filesize
104KB

Download