Malware Analysis Report

2024-10-19 08:25

Sample ID 220521-bq2j5sfchr
Target 9d0090f0ad9618301e3527f212e156dc2720fd5859ae2469d643e85323d74c89
SHA256 9d0090f0ad9618301e3527f212e156dc2720fd5859ae2469d643e85323d74c89
Tags
agenttesla collection evasion keylogger spyware stealer trojan snakebot
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d0090f0ad9618301e3527f212e156dc2720fd5859ae2469d643e85323d74c89

Threat Level: Known bad

The file 9d0090f0ad9618301e3527f212e156dc2720fd5859ae2469d643e85323d74c89 was found to be: Known bad.

Malicious Activity Summary

agenttesla collection evasion keylogger spyware stealer trojan snakebot

Snakebot family

AgentTesla

Contains SnakeBOT related strings

Looks for VirtualBox Guest Additions in registry

AgentTesla Payload

Looks for VMWare Tools registry key

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of local email clients

Checks BIOS information in registry

Maps connected drives based on registry

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

outlook_win_path

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 01:21

Signatures

Snakebot family

snakebot

Contains SnakeBOT related strings

snakebot
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 01:21

Reported

2022-05-21 02:02

Platform

win10v2004-20220414-en

Max time kernel

75s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4452 set thread context of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Order.exe

"C:\Users\Admin\AppData\Local\Temp\Order.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QPcnNesmP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2BB.tmp"

C:\Users\Admin\AppData\Local\Temp\Order.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp
US | 93.184.220.29:80 | | tcp
FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | www.google.com.br | udp
NL | 142.250.179.131:443 | www.google.com.br | tcp
US | 8.8.8.8:53 | consent.google.com.br | udp
NL | 142.251.39.110:443 | consent.google.com.br | tcp
US | 20.44.10.122:443 | | tcp
US | 8.8.8.8:53 | smtp.yandex.com | udp
RU | 77.88.21.158:587 | smtp.yandex.com | tcp
RU | 77.88.21.158:587 | smtp.yandex.com | tcp
NL | 8.248.7.254:80 | | tcp
NL | 8.248.7.254:80 | | tcp

Files

memory/4452-130-0x0000000074F30000-0x00000000754E1000-memory.dmp

memory/4420-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB2BB.tmp

MD5 da35df82786d298a891eebb4f2d99db8
SHA1 9fd6198904a15f41d93445c5722296a5eddf08b2
SHA256 655b63a1abbee4821274adb760a4390909115c20fdd05e56d699469f96ea5daf
SHA512 91fa3998b8de06dc1b70c154aef8e3be182aa71c03c26ef70ab19819c731cf7372fc35cdd2a474350040383b417698f87b56f3dd743fe857c4aa6187a8e9eb55

memory/1080-133-0x0000000000000000-mapping.dmp

memory/1080-134-0x0000000000400000-0x0000000000450000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Order.exe.log

MD5 fa63f48f58ed4dfb0c496c113f0926c7
SHA1 9d79155de350d586d815e7abf1c00696f4b22d3e
SHA256 9d670c5385c7a9ab57bf6790af6e13ce25637f05c96765b847b64f7a68a3c8db
SHA512 55a43eefd1592a4d821f539075b5db719c9ab86f360e357caf1a57a23971ce4c94a7afc61bdb35830df0fd474de340aa03e6396b5da8ec0a19d8a062ea07a66d

memory/1080-136-0x0000000074F30000-0x00000000754E1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 01:21

Reported

2022-05-21 02:02

Platform

win7-20220414-en

Max time kernel

94s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1512 set thread context of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1512 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1512 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1512 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1512 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1512 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe
PID 1512 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe
PID 1512 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe
PID 1512 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe
PID 1512 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe
PID 1512 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe
PID 1512 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe
PID 1512 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe
PID 1512 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Order.exe

"C:\Users\Admin\AppData\Local\Temp\Order.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QPcnNesmP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF883.tmp"

C:\Users\Admin\AppData\Local\Temp\Order.exe

"{path}"

Network

N/A

Files

memory/1512-54-0x0000000076421000-0x0000000076423000-memory.dmp

memory/1512-55-0x0000000074640000-0x0000000074BEB000-memory.dmp

memory/1512-56-0x0000000000219000-0x000000000022A000-memory.dmp

memory/2036-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF883.tmp

MD5 4b32d7958f712ab94d9b190fe09dfc6d
SHA1 54660b796b02ce4b681a03812adde148ae70c162
SHA256 bfd463029bd56000f3c5bf09b25459f343cb9d4ec679794542ff539cdc132a81
SHA512 782f0a9d7e30aebcc2da468c5d34fec076c914196a8e4c2f97871a32ca9acecbb78519501ed25027fc5f4fe7baa49f75ebc8a2b4837dce8048f771d2ae66a758

memory/1060-59-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1060-60-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1060-62-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1060-63-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1060-64-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1060-65-0x000000000044B99E-mapping.dmp

memory/1060-67-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1060-69-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1060-71-0x0000000074640000-0x0000000074BEB000-memory.dmp