Malware Analysis Report

2024-10-19 08:25

Sample ID 220521-bty87afedj
Target 5ce0bcc033b29c808b49267048f2b8da3e19e3232493e9b4b6285239ba537db7
SHA256 5ce0bcc033b29c808b49267048f2b8da3e19e3232493e9b4b6285239ba537db7
Tags
snakebot snakebot agenttesla collection keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ce0bcc033b29c808b49267048f2b8da3e19e3232493e9b4b6285239ba537db7

Threat Level: Known bad

The file 5ce0bcc033b29c808b49267048f2b8da3e19e3232493e9b4b6285239ba537db7 was found to be: Known bad.

Malicious Activity Summary

snakebot snakebot agenttesla collection keylogger spyware stealer trojan

AgentTesla

Snakebot family

Contains SnakeBOT related strings

AgentTesla Payload

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 01:26

Signatures

Snakebot family

snakebot

Contains SnakeBOT related strings

snakebot
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 01:26

Reported

2022-05-21 02:10

Platform

win7-20220414-en

Max time kernel

135s

Max time network

57s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1944 set thread context of 1224 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1944 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 1944 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 1944 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 1944 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 1944 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 1944 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 1944 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 1944 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 1944 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 1224 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Windows\SysWOW64\netsh.exe
PID 1224 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Windows\SysWOW64\netsh.exe
PID 1224 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Windows\SysWOW64\netsh.exe
PID 1224 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe

"C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe"

C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe

"{path}"

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com.br udp
NL 142.250.179.131:443 www.google.com.br tcp

Files

memory/1944-54-0x0000000076191000-0x0000000076193000-memory.dmp

memory/1944-55-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/1944-56-0x0000000000439000-0x000000000044A000-memory.dmp

memory/1224-57-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1224-58-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1224-60-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1224-61-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1224-62-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1224-63-0x000000000044CA5E-mapping.dmp

memory/1224-65-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1224-67-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1224-69-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/1740-70-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 01:26

Reported

2022-05-21 02:11

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla Payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2272 set thread context of 4376 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 2272 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 2272 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 2272 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 2272 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 2272 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 2272 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 2272 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
PID 4376 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Windows\SysWOW64\netsh.exe
PID 4376 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Windows\SysWOW64\netsh.exe
PID 4376 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe

"C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe"

C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe

"{path}"

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Network

Country Destination Domain Proto
NL 8.248.1.254:80 tcp
NL 104.110.191.133:80 tcp
US 52.168.112.67:443 tcp
US 8.8.8.8:53 www.google.com.br udp
NL 142.250.179.131:443 www.google.com.br tcp
IE 20.54.110.249:443 tcp
NL 20.190.160.73:443 tcp
NL 104.97.14.80:80 tcp
NL 104.97.14.80:80 tcp
NL 20.190.160.73:443 tcp
FR 2.18.109.224:443 tcp
US 52.242.97.97:443 tcp
NL 20.190.160.67:443 tcp
NL 104.110.191.133:80 tcp
NL 20.190.160.67:443 tcp
NL 20.190.160.67:443 tcp
US 8.8.8.8:53 15.89.54.20.in-addr.arpa udp
NL 20.190.160.2:443 tcp
US 8.8.8.8:53 secure197.inmotionhosting.com udp
US 192.145.239.40:587 secure197.inmotionhosting.com tcp
NL 20.190.160.2:443 tcp
NL 20.190.160.2:443 tcp
US 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp
NL 20.190.160.136:443 tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
NL 20.190.160.136:443 tcp
NL 20.190.160.136:443 tcp
NL 20.190.160.129:443 tcp
NL 20.190.160.129:443 tcp
NL 20.190.160.129:443 tcp
NL 20.190.160.129:443 tcp
NL 20.190.160.6:443 tcp

Files

memory/2272-130-0x0000000074BC0000-0x0000000075171000-memory.dmp

memory/4376-131-0x0000000000000000-mapping.dmp

memory/4376-132-0x0000000000400000-0x0000000000452000-memory.dmp

memory/4376-133-0x0000000074BC0000-0x0000000075171000-memory.dmp

memory/4536-134-0x0000000000000000-mapping.dmp