Analysis Report IMG_05412_868_21.docx

Overview

General Information

Sample Name: IMG_05412_868_21.docx
Analysis ID: 404303
MD5: 8832e0557e1b144bad206ed6d14d5c34
SHA1: 4b729d3262362a2ab3edab09ac1f625af8f5e0c1
SHA256: fbd1b454da7fecb92c40b9b2f74fc8fecae79340afdc011e7c0d6339fabdcfde

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains no OLE stream with summary information
Document has an unknown application name
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2464 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2564 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • tthxx.exe (PID: 2928 cmdline: C:\Users\user\tthxx.exe MD5: CCE6C363C0FF7AC663CD71C5906069A6)
      • tthxx.exe (PID: 2312 cmdline: C:\Users\user\AppData\Local\Temp\tthxx.exe MD5: CCE6C363C0FF7AC663CD71C5906069A6)
  • EQNEDT32.EXE (PID: 3028 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • EQNEDT32.EXE (PID: 2452 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • tthxx.exe (PID: 2880 cmdline: C:\Users\user\tthxx.exe MD5: CCE6C363C0FF7AC663CD71C5906069A6)
  • EQNEDT32.EXE (PID: 2140 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • EQNEDT32.EXE (PID: 2196 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "bigazz@sixjan.xyzH^i?T2&gWQ({sixjan.xyz"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0000000B.00000002.2345059510.0000000002461000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
Process Memory Space: tthxx.exe PID: 2312 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 31.210.20.6, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2564, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2564, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\tthxx.exe, CommandLine: C:\Users\user\tthxx.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\tthxx.exe, NewProcessName: C:\Users\user\tthxx.exe, OriginalFileName: C:\Users\user\tthxx.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2564, ProcessCommandLine: C:\Users\user\tthxx.exe, ProcessId: 2928
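The three Sigma hits above all key on the same thing: the Equation Editor (EQNEDT32.EXE) doing something it never does legitimately. The following is an added example, not part of the Joe Sandbox report and not the published Sigma rules; it is a simplified re-implementation of their logic in Python, run over Sysmon-style events. The first three events reproduce the Data fields shown above (PID 2564 connecting to 31.210.20.6:80, writing 44444[1].exe, and spawning tthxx.exe PID 2928); the fourth is a constructed benign event used as a negative case. The executable-suffix list is an assumption, not something the report states.

```python
import ntpath

EQNEDT32 = "eqnedt32.exe"
# Assumed set of "executable" extensions for the file-drop check (not from the report).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")

# Sysmon-style events. The first three reproduce the Data fields of the
# three Sigma hits in the report (network connect, file create, process
# create, all tied to EQNEDT32.EXE PID 2564). The last is a constructed
# benign process-create event (Explorer starting Notepad) as a negative case.
SAMPLE_EVENTS = [
    {
        "EventID": 3,
        "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "ProcessId": 2564,
        "Initiated": True,
        "Protocol": "tcp",
        "SourceIp": "192.168.2.22",
        "SourcePort": 49167,
        "DestinationIp": "31.210.20.6",
        "DestinationPort": 80,
    },
    {
        "EventID": 11,
        "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "ProcessId": 2564,
        "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe",
    },
    {
        "EventID": 1,
        "Image": r"C:\Users\user\tthxx.exe",
        "ProcessId": 2928,
        "CommandLine": r"C:\Users\user\tthxx.exe",
        "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "ParentProcessId": 2564,
        "ParentCommandLine": r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding",
    },
    {   # constructed benign event, not from the report
        "EventID": 1,
        "Image": r"C:\Windows\System32\notepad.exe",
        "ProcessId": 4120,
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentProcessId": 1304,
    },
]


def is_eqnedt32(path):
    """True when the image path names the Equation Editor binary (case-insensitive)."""
    return ntpath.basename(path or "").lower() == EQNEDT32


def eqnedt32_network_connection(ev):
    """Sysmon EventID 3: EQNEDT32.EXE initiating an outbound connection."""
    return ev.get("EventID") == 3 and is_eqnedt32(ev.get("Image")) and ev.get("Initiated") is True


def eqnedt32_file_drop(ev):
    """Sysmon EventID 11: EQNEDT32.EXE writing an executable to disk."""
    target = (ev.get("TargetFilename") or "").lower()
    return ev.get("EventID") == 11 and is_eqnedt32(ev.get("Image")) and target.endswith(EXECUTABLE_SUFFIXES)


def eqnedt32_child_process(ev):
    """Sysmon EventID 1: any process whose parent is EQNEDT32.EXE (CVE-2017-11882 / CVE-2018-0802 dropper pattern)."""
    return ev.get("EventID") == 1 and is_eqnedt32(ev.get("ParentImage"))


# Rule titles mirror the three Sigma titles in the report.
RULES = [
    ("EQNEDT32.EXE connecting to internet", eqnedt32_network_connection),
    ("File Dropped By EQNEDT32EXE", eqnedt32_file_drop),
    ("Droppers Exploiting CVE-2017-11882", eqnedt32_child_process),
]


def evaluate(events):
    """Return (rule title, ProcessId) for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        for title, predicate in RULES:
            if predicate(ev):
                hits.append((title, ev.get("ProcessId")))
    return hits


if __name__ == "__main__":
    for title, pid in evaluate(SAMPLE_EVENTS):
        print(f"{title}  (PID {pid})")
```

Note the caveat the Startup tree illustrates: WINWORD.EXE launching EQNEDT32.EXE with -Embedding is the normal OLE/DCOM path for any document carrying a legacy equation object, so the Equation Editor merely starting is weak evidence on its own. The three checks above deliberately fire only on what follows (a child process, an executable written to disk, an outbound socket), which a benign equation render never produces.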

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://31.210.20.6/3/44444.exe | Avira URL Cloud: Label: malware

Found malware configuration
Source: 11.2.tthxx.exe.400000.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "bigazz@sixjan.xyzH^i?T2&gWQ({sixjan.xyz"}

Multi AV Scanner detection for domain / URL
Source: http://31.210.20.6/3/44444.exe | Virustotal: Detection: 6%

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\44444[1].exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\tthxx.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\tthxx.exe | ReversingLabs: Detection: 40%

Multi AV Scanner detection for submitted file
Source: IMG_05412_868_21.docx | Virustotal: Detection: 30%
Source: IMG_05412_868_21.docx | ReversingLabs: Detection: 37%
