agenttesla | bf0fb9348736b302afeb9167c53d54f437963fe3024acd86673c8175b4ec16cc

Analysis

max time kernel
101s
max time network
130s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0fb9348736b302afeb9167c53d54f437963fe3024acd86673c8175b4ec16cc.docx
Size

328KB
MD5

4df8ff3f5542b0223e9f9a4a01a37de4
SHA1

c63c15b9aceb05fad38a6c527b444ff826985db0
SHA256

bf0fb9348736b302afeb9167c53d54f437963fe3024acd86673c8175b4ec16cc
SHA512

209d7b4bd834f872f8b561b2ef78d3a9613edf84e6ec2d69a906f6e18a1cbc4b2ec85fe65031e6a8b78476153ba5b94d5f7b61c2b2d9f5b4e5ad83b687de17e2
SSDEEP

6144:W7b/w8Ms6S63XPngy+pGLCJXm+Ajs5fg8cNViXqcki3REXh/:yT2t3XGysjrg8IPwREx/

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Password: )NYyffR0
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
14	1488	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
1116	winiti.exe
2240	winiti.exe

Loads dropped DLL 1 IoCs

pid	Process
1488	EQNEDT32.EXE

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\mpTrle = "C:\\Users\\Admin\\AppData\\Roaming\\mpTrle\\mpTrle.exe"	winiti.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	api.ipify.org
16	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 2240	1116	winiti.exe	35

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1488	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1512	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1116	winiti.exe
1116	winiti.exe
2240	winiti.exe
2240	winiti.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	winiti.exe
Token: SeDebugPrivilege	2240	winiti.exe
Token: SeShutdownPrivilege	1512	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1512	WINWORD.EXE
1512	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1116	1488	EQNEDT32.EXE	32
PID 1488 wrote to memory of 1116	1488	EQNEDT32.EXE	32
PID 1488 wrote to memory of 1116	1488	EQNEDT32.EXE	32
PID 1488 wrote to memory of 1116	1488	EQNEDT32.EXE	32
PID 1512 wrote to memory of 564	1512	WINWORD.EXE	34
PID 1512 wrote to memory of 564	1512	WINWORD.EXE	34
PID 1512 wrote to memory of 564	1512	WINWORD.EXE	34
PID 1512 wrote to memory of 564	1512	WINWORD.EXE	34
PID 1116 wrote to memory of 2240	1116	winiti.exe	35
PID 1116 wrote to memory of 2240	1116	winiti.exe	35
PID 1116 wrote to memory of 2240	1116	winiti.exe	35
PID 1116 wrote to memory of 2240	1116	winiti.exe	35
PID 1116 wrote to memory of 2240	1116	winiti.exe	35
PID 1116 wrote to memory of 2240	1116	winiti.exe	35
PID 1116 wrote to memory of 2240	1116	winiti.exe	35
PID 1116 wrote to memory of 2240	1116	winiti.exe	35
PID 1116 wrote to memory of 2240	1116	winiti.exe	35

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bf0fb9348736b302afeb9167c53d54f437963fe3024acd86673c8175b4ec16cc.docx"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:564

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Roaming\winiti.exe
  "C:\Users\Admin\AppData\Roaming\winiti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Roaming\winiti.exe
    "C:\Users\Admin\AppData\Roaming\winiti.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
ca80b796467bc985ef82d2cc210eee0d

SHA1
60affc0f5b5f1bcdde469b883a812e9540c764f0

SHA256
0940b8d1904fa63b4ac05a02c291d06aea970748e379c677b7119cbe6ff2fd61

SHA512
9877999328149e6fca4b8a569f4801f62e527e30d190cbfde9eb359cc8ba81781803aa1e3d673f87c99068a089dbc270105b34c74378eaf3dd0b2324dfdc0093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{613587BB-4070-4232-8F89-CC76E8CC1B59}.FSD

Filesize
128KB

MD5
6f590a69c56476fcc2bfcf2a50853760

SHA1
a40a90068fb44e51d4fcb185edd066b1bf0f80e2

SHA256
324e92efff08dfc6d30ea025693dd24ab6ff8cc3e3ee51373969b9b3c33dcf53

SHA512
86f02a2c8385eb68ef7e37188532f4d5fd1347fdcb2cf12171c1211f32cf55f61c8f672ea3fa11af8d71d2ce50ded98cc2ca3510ebe6b3f8e4635367bc837b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
072e71b6688d5c88ca742c8c9f986096

SHA1
c9a3e4c8005d2bdbd04e9da6367c2cae7db6b06b

SHA256
ed6366f16758b91f53892085975947bddb17bfbb7673bdb9acc245ecbaf170e7

SHA512
d7d09a1e75cdfd1291ba21216c7b05f808c1d44277cb66f1f854337ab437f35fb8263b5b727874da8f6b10c031e45acdd4e8471b698033b66511e1e1ca726ade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8653E4A8-B561-47F4-B088-5DF5A47EC3C6}.FSD

Filesize
128KB

MD5
fd23b9479926f8f09adf5982bdafaba1

SHA1
d0e0393159355b74a0daaccf482f020d11e534f0

SHA256
8b9b367d42ae372ea48914660c2908d0dc49c985d417c45f04eeb6d8df2a7c67

SHA512
aa84430093120dd2b3f111dec470d1cc170adf8c387de25c7ec464e4d72cdfc43de40f14414751cf90c1f9321e4e586f05dda721c7fc6c530367a6948c7ab108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VOGNAB2O\we.we.we.we.wewewewe[1].doc

Filesize
113KB

MD5
6f2f933c81549f01eb55e42a0d85535e

SHA1
f5212e43164146c5015f2091f3f0e69be9909028

SHA256
965c26393e3b278c346831c9efc6c344386d1e06fc4f1921c7ce67b0cf0e4a36

SHA512
1fc8f12c3497a2010dc5d2657fa2ec250d900e05b2381b8ea3aa0382a482013b0cb8ad1f181c793a78aabc59da19032f13fbdb272b36fec7af38a682fa18faca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A094760-64A7-4BD2-93A7-02E943F93DA6}

Filesize
128KB

MD5
791c129b1bce8b1831bceaeba8030637

SHA1
fea1e6637c663e8a6e31ef14a134af91534e8fae

SHA256
bb4f7b19ec279406595c984938826a700fb36ec81cf44c6b09394d8dc6187c12

SHA512
a654740f1d0912af5dd4dc163a2ecb7bd1170457ab405929fdd1e6b7898bed92595760837e936e334fa5e8a46eb9e9d4f0d6910d9118578cb62d033826c185c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
eb7a850b828615cb194b126f38acdd92

SHA1
54f3864a989390ac0a67a72115f18392d0454ad2

SHA256
6843d88e3f6a84c9b6c0c40d3a798c8b2ef07674d7f8d147ac60a5aeee517f60

SHA512
a7c4e1e6a704e21690d90e6993d205858af9e0032a9831067279eaf2a05836cbe4d7e0ab3e683f44f8275ca4d2b55a7b46b42d85bfa64542738ab238ac730d5f

Download Submit
C:\Users\Admin\AppData\Roaming\winiti.exe

Filesize
903KB

MD5
deed9f1fa07445c4e7529c820d42800c

SHA1
4887b16effbcbe6adf8b9077e066c4b0616d5fe8

SHA256
eb70ed06d47c8c56d64970223e42898350e262cd50c8f9d9b04a60004ae742ee

SHA512
689435cbfd95c8cc5102ae40632d357a07b65b37f6214254d46a913766cca07bd74c86f12affba1c395209de95b3e1f8eb4bca3f383b0f641c4da3b129344eed

Download Submit
memory/1116-118-0x0000000000590000-0x00000000005AA000-memory.dmp

Filesize
104KB

Download
memory/1116-115-0x00000000011D0000-0x00000000012B8000-memory.dmp

Filesize
928KB

Download
memory/1116-117-0x0000000005340000-0x000000000540E000-memory.dmp

Filesize
824KB

Download
memory/1116-119-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/1116-120-0x0000000004AF0000-0x0000000004B72000-memory.dmp

Filesize
520KB

Download
memory/1512-135-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/1512-0-0x000000002FF41000-0x000000002FF42000-memory.dmp

Filesize
4KB

Download
memory/1512-163-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/1512-160-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1512-2-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/1512-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2240-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-129-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2240-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-123-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download