agenttesla | 5edc00ae5ea6c8a2453bfaacf8b4cf6360027e1c066bd3c96dc4106af5c3b88f

General

Target

Documt736098.vbe
Size

9KB
MD5

8113e63e2ba4ac63a4621b2d9441524d
SHA1

05b433f2cfb14f9d1ec947e32a496c45a2cfa22a
SHA256

d5d3a7f4ca9b374465da72f550cc5a04e751c6a4ed18ab917a304318a9b4409b
SHA512

730e21b73e6320146c53dd9092246578a476b24efb6dbcd902e905df05039274cd2adf76293e54e1d9a3cb01e88d3800db867597bbffd979ecfea5729d4d62d9
SSDEEP

192:egjmLPbnOqiR2jutyT8vPka6hfuIMynp9KAvPxK:tjcPbg2+yT8HkaTTqp0AvQ

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
162.254.34.31
Port:
587
Username:
[email protected]
Password:
M992uew1mw6Z
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	4460	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	api.ipify.org
40	api.ipify.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5028 set thread context of 4496	5028	powershell.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3728	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5028	powershell.exe
5028	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
5028	powershell.exe
5028	powershell.exe
4496	MSBuild.exe
4496	MSBuild.exe
4496	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	4496	MSBuild.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE
3728	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 5028	1320	WScript.exe	87
PID 1320 wrote to memory of 5028	1320	WScript.exe	87
PID 1320 wrote to memory of 3512	1320	WScript.exe	104
PID 1320 wrote to memory of 3512	1320	WScript.exe	104
PID 5028 wrote to memory of 4496	5028	powershell.exe	106
PID 5028 wrote to memory of 4496	5028	powershell.exe	106
PID 5028 wrote to memory of 4496	5028	powershell.exe	106
PID 5028 wrote to memory of 4496	5028	powershell.exe	106
PID 5028 wrote to memory of 4496	5028	powershell.exe	106
PID 5028 wrote to memory of 4496	5028	powershell.exe	106
PID 5028 wrote to memory of 4496	5028	powershell.exe	106
PID 5028 wrote to memory of 4496	5028	powershell.exe	106
PID 5028 wrote to memory of 2924	5028	powershell.exe	107
PID 5028 wrote to memory of 2924	5028	powershell.exe	107
PID 3512 wrote to memory of 4780	3512	powershell.exe	108
PID 3512 wrote to memory of 4780	3512	powershell.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documt736098.vbe"
1⤵
- Blocklisted process makes network request
PID:4460

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5028" "2704" "2656" "2708" "0" "0" "2712" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2924
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3512" "2696" "2620" "2700" "0" "0" "2704" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4780

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SendRepair.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
9461a7cfb20ff5381df28f51b80c5ef1

SHA1
c86c53fca1dcbe307dafbefbb366abf52c9f5eca

SHA256
d4af1948337d0deb725f4f2b1fe1a9b60f4519841e28748b11bfd62ccd71e028

SHA512
da1e17f67dfebb004ba93d489be504fd7af6d62709ada2581ffa77880baecdaa0015b49d36333d18216d9dc6aad7b0ea2e5bd224d8d3f65ee9b66a05fc45e304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bxskc0aj.a2n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
355B

MD5
4ac8b4a12652cc768545f9cc832a07cc

SHA1
44bc5509d2e9d72f5c61d72fe0b369b86c528b87

SHA256
01dd86121ca9a730dd0304638163b26d45c4716a68d5e8b84cf2372aa83685b9

SHA512
d84d8d808df6f2a18e2dbe5143a3b7f3145225a67d7cb8ca92eafb1813a3954b8a67815b3f082d075e6bbc9aed00358ef367f720b1f4650a58d2569e64e2951e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2751924c61858f3473c538d8df94a025

SHA1
8954e8456f20221ecd16b647cb6ccbd3f2a35b4e

SHA256
63a7036683da85fa8d939153341fd799f8fb2391196565c54e9197f329600bfb

SHA512
d55734e7403c43a8d78cc3f8afad04126556c0a1408c92ef6daf3f62bcfba0dab2c638d884208b9b47920e4629a60bc496abb303ac5b6a9c111f0e51c4947ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a54c5f5b447c43179ce71d4573b53e10

SHA1
272b333a09616c46d9a7a42f54baf3bbbe175ed6

SHA256
45b5c4613a5c837217fbfd77c5703fcd54b84d7ec4a45ec2009f541fe20c1c13

SHA512
499209012f9592469c802c7cd2a5e70d1ef77cbb178b4781df38a8fd11ff633f3962e5e1ba8a9924193733c6316ba8e2f89a88e82f5f81204c14d6d9dbc60a00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
6b90714eb0564e2c71a1fcdd84265409

SHA1
649185741a16f32508303d93b144ee2dcc82ed52

SHA256
2b34394e49356c619dcb4fc68d33f89ea72b108b268caebad43bd9bafaa62868

SHA512
a26e70ed422c6f5ce35cddbb05357044e1b77193b020b91d3e7a77f91dc138710959ec5990b919aadebc5cbcf68efc84c7f0f83b05f2f302ede6ad4a910c5c8c

Download Submit
C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs

Filesize
2KB

MD5
78fdde7d507d9d64ddd3808c52231caa

SHA1
cd989a13a2f92c404ddd56f9b9126e529b091f74

SHA256
0c26896cb8ca3eaa7e009abac4eff302f5a8fd312f987a2d802bdf4d67c0fd0a

SHA512
d77b609a544ee038e2673201d756b2a8f486a288ca0df10d1161f1516982405a7ed075c84b16d4f3ff1bde7a8ee21797e51df6e576e7ea0b85ae9835f534321a

Download Submit
memory/3728-19-0x00007FFD43690000-0x00007FFD436A0000-memory.dmp

Filesize
64KB

Download
memory/3728-14-0x00007FFD43690000-0x00007FFD436A0000-memory.dmp

Filesize
64KB

Download
memory/3728-21-0x00007FFD41290000-0x00007FFD412A0000-memory.dmp

Filesize
64KB

Download
memory/3728-20-0x00007FFD41290000-0x00007FFD412A0000-memory.dmp

Filesize
64KB

Download
memory/3728-15-0x00007FFD43690000-0x00007FFD436A0000-memory.dmp

Filesize
64KB

Download
memory/3728-16-0x00007FFD43690000-0x00007FFD436A0000-memory.dmp

Filesize
64KB

Download
memory/3728-18-0x00007FFD43690000-0x00007FFD436A0000-memory.dmp

Filesize
64KB

Download
memory/4496-98-0x0000000005EF0000-0x0000000006494000-memory.dmp

Filesize
5.6MB

Download
memory/4496-79-0x0000000001300000-0x0000000001340000-memory.dmp

Filesize
256KB

Download
memory/4496-99-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/4496-100-0x0000000006EC0000-0x0000000006F10000-memory.dmp

Filesize
320KB

Download
memory/4496-101-0x0000000006FB0000-0x0000000007042000-memory.dmp

Filesize
584KB

Download
memory/4496-102-0x0000000006F30000-0x0000000006F3A000-memory.dmp

Filesize
40KB

Download
memory/5028-77-0x000001C7A40E0000-0x000001C7A40E8000-memory.dmp

Filesize
32KB

Download
memory/5028-78-0x000001C7A45A0000-0x000001C7A45AA000-memory.dmp

Filesize
40KB

Download
memory/5028-17-0x000001C7A45D0000-0x000001C7A4614000-memory.dmp

Filesize
272KB

Download
memory/5028-13-0x000001C7A4550000-0x000001C7A4572000-memory.dmp

Filesize
136KB

Download
memory/5028-22-0x000001C7BEC70000-0x000001C7BECE6000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads