Windows Analysis Report: Specification.doc

Overview

General Information

Sample Name: Specification.doc
Analysis ID: 502702
MD5: a9c264b36e9a8bcb07dd7caad3e74c7a
SHA1: b123be7f202496264a25ea58d9b6116eba3de5da
SHA256: a386ffc6861f5ddad443d3b4d98d91a0bed209b7662e24fbc0bb2478a417d177
Tags: doc
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Installs a global keyboard hook
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Office equation editor drops PE file
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Adds / modifies Windows certificates
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Office Equation Editor has been started
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1916 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 684 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • edufyrigefy4utwgqeoriufj4ce.exe (PID: 1184 cmdline: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe MD5: 60997F0CBBC87CE8E5581B38C39F78B7)
      • schtasks.exe (PID: 2552 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmp7B0A.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • newapp.exe (PID: 2852 cmdline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe' MD5: 60997F0CBBC87CE8E5581B38C39F78B7)
    • schtasks.exe (PID: 2856 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC63.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • newapp.exe (PID: 2924 cmdline: C:\Users\user\AppData\Roaming\newapp\newapp.exe MD5: 60997F0CBBC87CE8E5581B38C39F78B7)
  • newapp.exe (PID: 2628 cmdline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe' MD5: 60997F0CBBC87CE8E5581B38C39F78B7)
    • schtasks.exe (PID: 236 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yxnDFepLbf' /XML 'C:\Users\user\AppData\Local\Temp\tmp10D3.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • newapp.exe (PID: 2712 cmdline: C:\Users\user\AppData\Roaming\newapp\newapp.exe MD5: 60997F0CBBC87CE8E5581B38C39F78B7)
    • newapp.exe (PID: 1136 cmdline: C:\Users\user\AppData\Roaming\newapp\newapp.exe MD5: 60997F0CBBC87CE8E5581B38C39F78B7)
    • newapp.exe (PID: 2656 cmdline: C:\Users\user\AppData\Roaming\newapp\newapp.exe MD5: 60997F0CBBC87CE8E5581B38C39F78B7)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "yashanka.patabandige@dlmahtea.co", "Password": "FocusYourSEF@123", "Host": "mail.privateemail.com"}

Yara Overview

Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000011.00000002.663485397.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 00000011.00000002.663485397.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 00000007.00000002.663533545.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 00000007.00000002.663533545.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 00000008.00000002.483735795.00000000035BF000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |

(34 further entries not shown)

Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 11.2.newapp.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 11.2.newapp.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 17.2.newapp.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 17.2.newapp.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | |
| 7.2.edufyrigefy4utwgqeoriufj4ce.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |

(28 further entries not shown)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 143.95.246.178, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 684, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 684, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\booobb[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe, CommandLine: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe, NewProcessName: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe, OriginalFileName: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 684, ProcessCommandLine: C:\Users\user\AppData\Roaming\edufyrigefy4utwgqeoriufj4ce.exe, ProcessId: 1184

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 11.2.newapp.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "yashanka.patabandige@dlmahtea.co", "Password": "FocusYourSEF@123", "Host": "mail.privateemail.com"}

Exploits: