Malware Analysis Report

2024-10-19 08:46

Sample ID 220521-dxdg1agdh8
Target 1ea26893b98115c9c36c6c1ecb7b4fa28b71ea8dc91f7219c7e54d9f95d4bf8e
SHA256 1ea26893b98115c9c36c6c1ecb7b4fa28b71ea8dc91f7219c7e54d9f95d4bf8e
Tags
agenttesla masslogger agilenet collection keylogger persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

1ea26893b98115c9c36c6c1ecb7b4fa28b71ea8dc91f7219c7e54d9f95d4bf8e

Threat Level: Known bad

The file 1ea26893b98115c9c36c6c1ecb7b4fa28b71ea8dc91f7219c7e54d9f95d4bf8e was found to be: Known bad.

Malicious Activity Summary

agenttesla masslogger agilenet collection keylogger persistence ransomware spyware stealer trojan

AgentTesla Payload

MassLogger Main Payload

AgentTesla

Masslogger family

MassLogger log file

Agenttesla family

MassLogger

AgentTesla Payload

Executes dropped EXE

Reads user/profile data of web browsers

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Reads user/profile data of local email clients

Drops startup file

Loads dropped DLL

Reads data files stored by FTP clients

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 03:22

Signatures

AgentTesla Payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Masslogger family

masslogger

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 03:22

Reported

2022-05-21 05:04

Platform

win7-20220414-en

Max time kernel

130s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

AgentTesla Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WEqfDb = "C:\\Users\\Admin\\AppData\\Roaming\\WEqfDb\\WEqfDb.exe" C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1648 set thread context of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
PID 1648 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
PID 1648 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
PID 1648 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
PID 1648 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
PID 1648 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
PID 1648 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
PID 1648 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 1648 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 1648 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 1648 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 1648 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 1648 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 1648 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 1648 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 1648 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe"

C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp

Files

memory/1648-54-0x0000000001190000-0x00000000013A4000-memory.dmp

memory/1648-55-0x0000000075F61000-0x0000000075F63000-memory.dmp

memory/1648-56-0x0000000000320000-0x0000000000342000-memory.dmp

\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe

MD5 8bc40219a7641c3bcf72228173552977
SHA1 ccd09865e9c7adc458a85b7638b7cd3e6a843d83
SHA256 9e4cce1b23e7fdec9ab35c03326a7d3990aef52b7a5bce0d47d28bf8e56cfd6e
SHA512 d6273cd78443faac11ddfe3dbfe3731d0243cd2454227153c71593ad826df4c62d3488da29dc7a527ec5977c54e02d091eec43803f20832de518b9f3069c396e

memory/968-60-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 03:22

Reported

2022-05-21 05:03

Platform

win10v2004-20220414-en

Max time kernel

121s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AgentTesla Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WEqfDb = "C:\\Users\\Admin\\AppData\\Roaming\\WEqfDb\\WEqfDb.exe" C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4776 set thread context of 1904 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4776 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
PID 4776 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
PID 4776 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe
PID 4776 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 4776 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 4776 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 4776 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 4776 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 4776 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 4776 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 4776 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe
PID 772 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe"

C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\DHL_AWB #1008936572891_pdf.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe'

Network

Country Destination Domain Proto
FR 2.18.109.224:443 - tcp
US 104.18.24.243:80 - tcp
US 93.184.220.29:80 - tcp
AU 104.46.162.226:443 - tcp
US 93.184.221.240:80 - tcp
US 93.184.221.240:80 - tcp
US 93.184.221.240:80 - tcp
US 8.8.8.8:53 mail.specialmetal.ir udp
IR 5.144.130.34:587 mail.specialmetal.ir tcp
IR 5.144.130.34:587 mail.specialmetal.ir tcp

Files

memory/4776-130-0x0000000000BB0000-0x0000000000DC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

memory/4776-132-0x0000000073D40000-0x0000000073DC9000-memory.dmp

memory/4776-133-0x0000000006660000-0x0000000006C04000-memory.dmp

memory/4776-134-0x0000000006190000-0x0000000006222000-memory.dmp

memory/772-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MassLoggerBinUPDATEProizvodnja.exe

MD5 8bc40219a7641c3bcf72228173552977
SHA1 ccd09865e9c7adc458a85b7638b7cd3e6a843d83
SHA256 9e4cce1b23e7fdec9ab35c03326a7d3990aef52b7a5bce0d47d28bf8e56cfd6e
SHA512 d6273cd78443faac11ddfe3dbfe3731d0243cd2454227153c71593ad826df4c62d3488da29dc7a527ec5977c54e02d091eec43803f20832de518b9f3069c396e