Analysis Overview
SHA256
5ce0bcc033b29c808b49267048f2b8da3e19e3232493e9b4b6285239ba537db7
Threat Level: Known bad
The file 5ce0bcc033b29c808b49267048f2b8da3e19e3232493e9b4b6285239ba537db7 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Snakebot family
Contains SnakeBOT related strings
AgentTesla Payload
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 01:26
Signatures
Snakebot family
Contains SnakeBOT related strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 01:26
Reported
2022-05-21 02:10
Platform
win7-20220414-en
Max time kernel
135s
Max time network
57s
Command Line
Signatures
AgentTesla
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1944 set thread context of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
"C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe"
C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
"{path}"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com.br | udp |
| NL | 142.250.179.131:443 | www.google.com.br | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 01:26
Reported
2022-05-21 02:11
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
158s
Command Line
Signatures
AgentTesla
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2272 set thread context of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
"C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe"
C:\Users\Admin\AppData\Local\Temp\MV DARANEE NAREE.exe
"{path}"
C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
Network
| Country | Destination | Domain | Proto |
| NL | 8.248.1.254:80 | N/A | tcp |
| NL | 104.110.191.133:80 | N/A | tcp |
| US | 52.168.112.67:443 | N/A | tcp |
| US | 8.8.8.8:53 | www.google.com.br | udp |
| NL | 142.250.179.131:443 | www.google.com.br | tcp |
| IE | 20.54.110.249:443 | N/A | tcp |
| NL | 20.190.160.73:443 | N/A | tcp |
| NL | 104.97.14.80:80 | N/A | tcp |
| NL | 104.97.14.80:80 | N/A | tcp |
| NL | 20.190.160.73:443 | N/A | tcp |
| FR | 2.18.109.224:443 | N/A | tcp |
| US | 52.242.97.97:443 | N/A | tcp |
| NL | 20.190.160.67:443 | N/A | tcp |
| NL | 104.110.191.133:80 | N/A | tcp |
| NL | 20.190.160.67:443 | N/A | tcp |
| NL | 20.190.160.67:443 | N/A | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| NL | 20.190.160.2:443 | N/A | tcp |
| US | 8.8.8.8:53 | secure197.inmotionhosting.com | udp |
| US | 192.145.239.40:587 | secure197.inmotionhosting.com | tcp |
| NL | 20.190.160.2:443 | N/A | tcp |
| NL | 20.190.160.2:443 | N/A | tcp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| NL | 20.190.160.136:443 | N/A | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| NL | 20.190.160.136:443 | N/A | tcp |
| NL | 20.190.160.136:443 | N/A | tcp |
| NL | 20.190.160.129:443 | N/A | tcp |
| NL | 20.190.160.129:443 | N/A | tcp |
| NL | 20.190.160.129:443 | N/A | tcp |
| NL | 20.190.160.129:443 | N/A | tcp |
| NL | 20.190.160.6:443 | N/A | tcp |
Files