Malware Analysis Report

2024-10-23 21:07

Sample ID 201109-kfbvgqhz3x
Target TBL PAYMENT COPY.exe
SHA256 10b2155331d3b0c7934808e52084c3911f82ece51f39836e3ef0e8db39ee9904
Tags snakebot agenttesla coreentity keylogger rezer0 spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 10b2155331d3b0c7934808e52084c3911f82ece51f39836e3ef0e8db39ee9904

Threat Level: Known bad

The file TBL PAYMENT COPY.exe was found to be: Known bad.

Malicious Activity Summary

snakebot agenttesla coreentity keylogger rezer0 spyware stealer trojan

CoreEntity .NET Packer

Snakebot family

AgentTesla

AgentTesla Payload

Contains SnakeBOT related strings

rezer0

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-09 19:37

Signatures

Snakebot family

snakebot

Contains SnakeBOT related strings

snakebot
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-09 19:37

Reported

2020-11-09 22:13

Platform

win7v20201028

Max time kernel

78s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

CoreEntity .NET Packer

coreentity
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

AgentTesla Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

rezer0

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 744 set thread context of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 744 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\SysWOW64\schtasks.exe
PID 744 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\SysWOW64\schtasks.exe
PID 744 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\SysWOW64\schtasks.exe
PID 744 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\SysWOW64\schtasks.exe
PID 744 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 744 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 744 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 744 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 744 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 744 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 744 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 744 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 744 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1476 wrote to memory of 1548 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\netsh.exe
PID 1476 wrote to memory of 1548 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\netsh.exe
PID 1476 wrote to memory of 1548 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\netsh.exe
PID 1476 wrote to memory of 1548 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe

"C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sxxFNU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E54.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | www.google.com.br | udp
N/A | 172.217.19.195:443 | www.google.com.br | tcp
N/A | 8.8.8.8:53 | crl.verisign.com | udp

Files

memory/744-0-0x0000000074CC0000-0x00000000753AE000-memory.dmp

memory/744-1-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

memory/1440-3-0x000007FEF7E50000-0x000007FEF80CA000-memory.dmp

memory/744-4-0x0000000000360000-0x0000000000363000-memory.dmp

memory/744-5-0x00000000073C0000-0x0000000007413000-memory.dmp

memory/1956-6-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7E54.tmp

MD5 8d83d1b84313f3758f363f2c6b4f98b0
SHA1 038d5c767f9c59e12ef2038c34871d584e60d8c5
SHA256 a7e4b354643d09ba5dd647d4f79bfa660d84f897c11e86e793e82a1e9e1444fa
SHA512 1f740297e41781cc0cdd391ef9d3796ce7c24fabbbc23fd9d78ae457c2084fe98c30cce99f7139cce46bc60cf726a69bbe629f3c9b058081cff2c737501e28af

memory/1476-8-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1476-9-0x000000000044CA3E-mapping.dmp

memory/1476-10-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1476-11-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1476-12-0x0000000074CC0000-0x00000000753AE000-memory.dmp

memory/1548-15-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-09 19:37

Reported

2020-11-09 22:13

Platform

win10v20201028

Max time kernel

133s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

CoreEntity .NET Packer

coreentity
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

AgentTesla Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

rezer0

rezer0
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 424 set thread context of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 424 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\SysWOW64\schtasks.exe
PID 424 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\SysWOW64\schtasks.exe
PID 424 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\SysWOW64\schtasks.exe
PID 424 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 424 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 424 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 424 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 424 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 424 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 424 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 424 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2684 wrote to memory of 3820 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\netsh.exe
PID 2684 wrote to memory of 3820 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\netsh.exe
PID 2684 wrote to memory of 3820 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe

"C:\Users\Admin\AppData\Local\Temp\TBL PAYMENT COPY.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sxxFNU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D75.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | www.google.com.br | udp
N/A | 172.217.19.195:443 | www.google.com.br | tcp
N/A | 8.8.8.8:53 | www.google.com | udp
N/A | 172.217.20.100:443 | www.google.com | tcp

Files

memory/424-0-0x0000000073D50000-0x000000007443E000-memory.dmp

memory/424-1-0x0000000000920000-0x0000000000921000-memory.dmp

memory/424-3-0x0000000007C00000-0x0000000007C01000-memory.dmp

memory/424-4-0x00000000077A0000-0x00000000077A1000-memory.dmp

memory/424-5-0x0000000005220000-0x0000000005221000-memory.dmp

memory/424-6-0x0000000002B60000-0x0000000002B63000-memory.dmp

memory/424-7-0x000000000AD60000-0x000000000ADB3000-memory.dmp

memory/424-8-0x000000000AE60000-0x000000000AE61000-memory.dmp

memory/3280-9-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6D75.tmp

MD5 7a2c752e729ee231da18ee33cf3b4517
SHA1 43881e48474b57f048c5dccb13149de418ea8998
SHA256 d36452787e6c11a04313a27bca5c13e6bd632d0c74afb1d3994e62cb4243441a
SHA512 abcb2bd8ac4ca544224392f2a5a157fab54b396352cc9399df74bf73b4d083a3f209f79b999b1e1d252b4bdc4b5e03f8719fec13678cba032c13be4a75446f8b

memory/2684-11-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2684-12-0x000000000044CA3E-mapping.dmp

memory/2684-13-0x0000000073D50000-0x000000007443E000-memory.dmp

memory/2684-18-0x0000000005A70000-0x0000000005A71000-memory.dmp

memory/2684-19-0x00000000064B0000-0x00000000064B1000-memory.dmp

memory/3820-20-0x0000000000000000-mapping.dmp