Malware Analysis Report

2025-08-10 23:16

Sample ID 221101-ns838aceap
Target bank details.bin.zip
SHA256 912e466248d4724df1e9ee89eae72f1da08f93eb3697f7a467bdcef9e771c5ef
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

912e466248d4724df1e9ee89eae72f1da08f93eb3697f7a467bdcef9e771c5ef

Threat Level: Known bad

The file bank details.bin.zip was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:40

Reported

2022-11-01 11:41

Platform

win10v2004-20220812-en

Max time kernel

32s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bank details.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4900 set thread context of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4900 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4900 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bank details.exe

"C:\Users\Admin\AppData\Local\Temp\bank details.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

Network

Files

memory/4900-132-0x0000000000710000-0x000000000082C000-memory.dmp

memory/4900-133-0x00000000056D0000-0x0000000005C74000-memory.dmp

memory/4900-134-0x00000000051C0000-0x0000000005252000-memory.dmp

memory/4900-135-0x0000000005300000-0x000000000539C000-memory.dmp

memory/4900-136-0x00000000051A0000-0x00000000051AA000-memory.dmp

memory/4856-137-0x0000000000000000-mapping.dmp

memory/3480-138-0x0000000000000000-mapping.dmp

memory/2724-139-0x0000000000000000-mapping.dmp

memory/2724-140-0x0000000000400000-0x000000000043C000-memory.dmp