Malware Analysis Report

2024-10-23 21:07

Sample ID 201109-q5xnal2eqx
Target Scan 0007052020.exe
SHA256 03ffe4f20fb755df6d624c00fa8146eb3870b55fa5356d25b50ebfc197f7ade4
Tags
agenttesla keylogger spyware stealer trojan snakebot
score
10/10

Analysis Overview

Threat Level: Known bad

The file Scan 0007052020.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan snakebot

Snakebot family

AgentTesla

Contains SnakeBOT related strings

AgentTesla Payload

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2020-11-09 19:37

Signatures

Snakebot family

snakebot

Contains SnakeBOT related strings

snakebot
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-09 19:37

Reported

2020-11-09 22:12

Platform

win10v20201028

Max time kernel

110s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4696 set thread context of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe

"C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"{path}"

Network

Country | Destination | Domain | Proto
N/A | 52.109.12.18:443 | N/A | tcp
N/A | 8.8.8.8:53 | www.google.com.br | udp
N/A | 172.217.19.195:443 | www.google.com.br | tcp
N/A | 8.8.8.8:53 | smtp.yandex.com | udp
N/A | 77.88.21.158:587 | smtp.yandex.com | tcp

Files

memory/3776-3-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3776-4-0x0000000000449FCE-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-09 19:37

Reported

2020-11-09 22:12

Platform

win7v20201028

Max time kernel

107s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1664 set thread context of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1664 wrote to memory of 472 | N/A | C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe

"C:\Users\Admin\AppData\Local\Temp\Scan 0007052020.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"{path}"

Network

N/A

Files

memory/576-114-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp

memory/472-116-0x0000000000449FCE-mapping.dmp

memory/472-115-0x0000000000400000-0x000000000044E000-memory.dmp

memory/472-118-0x0000000000400000-0x000000000044E000-memory.dmp

memory/472-117-0x0000000000400000-0x000000000044E000-memory.dmp