Malware Analysis Report

2024-08-06 08:42

Sample ID 230422-2gv9waag8y
Target Katana.exe
SHA256 43356d754fb7ddeb493c95127122e3ee6126d8408936e7b8cbc7c5554efca1bc
Tags
agenttesla elysiumstealer keylogger spyware stealer trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

43356d754fb7ddeb493c95127122e3ee6126d8408936e7b8cbc7c5554efca1bc

Threat Level: Known bad

The file Katana.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla elysiumstealer keylogger spyware stealer trojan

ElysiumStealer

ElysiumStealer Support DLL

AgentTesla

AgentTesla payload

Loads dropped DLL

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-04-22 22:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-22 22:33

Reported

2023-04-22 22:34

Platform

win7-20230220-en

Max time kernel

33s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Katana.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

ElysiumStealer

stealer elysiumstealer

ElysiumStealer Support DLL

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

AgentTesla payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Loads dropped DLL

Description  Indicator  Process                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Katana.exe  N/A

Enumerates system info in registry

Description        Indicator                                                              Process                                       Target
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     C:\Users\Admin\AppData\Local\Temp\Katana.exe  N/A
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  C:\Users\Admin\AppData\Local\Temp\Katana.exe  N/A
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       C:\Users\Admin\AppData\Local\Temp\Katana.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                       Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\Katana.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Katana.exe

"C:\Users\Admin\AppData\Local\Temp\Katana.exe"

Network

Country  Destination        Domain       Proto
US       8.8.8.8:53         keyauth.win  udp
US       172.67.190.19:443  keyauth.win  tcp

Files

memory/1972-54-0x0000000000F10000-0x000000000133C000-memory.dmp
memory/1972-55-0x00000000001C0000-0x00000000001D4000-memory.dmp
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll
  MD5     94173de2e35aa8d621fc1c4f54b2a082
  SHA1    fbb2266ee47f88462560f0370edb329554cd5869
  SHA256  7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f
  SHA512  cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798
memory/1972-59-0x0000000000320000-0x000000000033A000-memory.dmp
memory/1972-60-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-61-0x0000000000960000-0x00000000009BC000-memory.dmp
memory/1972-62-0x0000000000490000-0x00000000004AA000-memory.dmp
memory/1972-63-0x0000000005130000-0x00000000051E0000-memory.dmp
memory/1972-64-0x00000000052E0000-0x0000000005376000-memory.dmp
memory/1972-65-0x00000000056C0000-0x00000000058D6000-memory.dmp
memory/1972-67-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-66-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-70-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-71-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-72-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-73-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-74-0x0000000008F90000-0x00000000090AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-22 22:33

Reported

2023-04-22 22:34

Platform

win10v2004-20230220-en

Max time kernel

35s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Katana.exe"

Signatures

ElysiumStealer

stealer elysiumstealer

ElysiumStealer Support DLL

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Loads dropped DLL

Description  Indicator  Process                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Katana.exe  N/A

Enumerates system info in registry

Description        Indicator                                                              Process                                       Target
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     C:\Users\Admin\AppData\Local\Temp\Katana.exe  N/A
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  C:\Users\Admin\AppData\Local\Temp\Katana.exe  N/A
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       C:\Users\Admin\AppData\Local\Temp\Katana.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                       Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\Katana.exe  N/A
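The signature tables in this run and in behavioral1 are the material a detection engineer actually wants from the report: a BIOS key read (a common way to fingerprint the host, since VM vendor strings surface in SystemManufacturer), SeDebugPrivilege being enabled, a DLL loaded from the user's Temp directory that the process itself wrote, and a lookup of keyauth.win. As an added example (not the sandbox's own rules, and not code from the sample's authors), the Python below turns those four behaviours into detection logic and runs it over a constructed event stream. The event schema (pid, image, event, detail), the severity weighting and the benign control process are assumptions for illustration; the key paths, privilege name, dropped DLL path and domain are taken from the report. The in-addr.arpa names in the behavioral2 Network section are reverse lookups and are not treated as indicators here.

```python
"""Turn the behavioural signatures in this report into detection logic and
run it over constructed endpoint events.

Added example; not the sandbox's rules. The event schema (pid, image, event,
detail) and the severity weighting are assumptions for illustration.
"""
import re
from collections import defaultdict

MALWARE = r"C:\Users\Admin\AppData\Local\Temp\Katana.exe"

# Constructed event stream modelled on the behavioral1 run (PID 1972), plus a
# benign control process (assumed) that reads the same BIOS key.
EVENTS = [
    {"pid": 1972, "image": MALWARE, "event": "registry_query",
     "detail": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"pid": 1972, "image": MALWARE, "event": "registry_query",
     "detail": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion"},
    {"pid": 1972, "image": MALWARE, "event": "privilege_adjust",
     "detail": "SeDebugPrivilege"},
    {"pid": 1972, "image": MALWARE, "event": "file_write",
     "detail": r"C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll"},
    {"pid": 1972, "image": MALWARE, "event": "image_load",
     "detail": r"C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll"},
    {"pid": 1972, "image": MALWARE, "event": "dns_query", "detail": "keyauth.win"},
    {"pid": 4120, "image": r"C:\Program Files\Vendor\Updater.exe",
     "event": "registry_query",
     "detail": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"pid": 4120, "image": r"C:\Program Files\Vendor\Updater.exe",
     "event": "image_load", "detail": r"C:\Windows\System32\wininet.dll"},
]

# Key the sample opened in both runs; matches the key itself or any value under it.
BIOS_KEY = re.compile(r"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I)
# Only named domain the sample resolved, from the report's Network sections.
IOC_DOMAINS = {"keyauth.win"}

SIG_REGISTRY = "Enumerates system info in registry"
SIG_PRIV = "Suspicious use of AdjustPrivilegeToken"
SIG_DROPPED = "Loads dropped DLL"
SIG_DNS = "Resolves IOC domain"   # rule name assumed; not a sandbox signature


def triage(events):
    """Return {pid: (image, [signature names], verdict)} for every process seen."""
    written = defaultdict(set)   # pid -> files it wrote, for the stateful DLL rule
    hits = defaultdict(set)
    images = {}
    for ev in events:
        pid, kind, detail = ev["pid"], ev["event"], ev["detail"]
        images[pid] = ev["image"]
        if kind == "registry_query" and BIOS_KEY.search(detail):
            hits[pid].add(SIG_REGISTRY)
        elif kind == "privilege_adjust" and detail == "SeDebugPrivilege":
            hits[pid].add(SIG_PRIV)
        elif kind == "file_write":
            written[pid].add(detail.lower())
        elif kind == "image_load" and detail.lower() in written[pid]:
            # "Dropped" means the loading process wrote the DLL itself first.
            hits[pid].add(SIG_DROPPED)
        elif kind == "dns_query" and detail.lower().rstrip(".") in IOC_DOMAINS:
            hits[pid].add(SIG_DNS)
    result = {}
    for pid, image in images.items():
        sigs = sorted(hits[pid])
        # Assumed weighting: one low-signal behaviour is ordinary on a real host;
        # a known IOC domain, or three distinct behaviours, is not.
        if SIG_DNS in sigs or len(sigs) >= 3:
            verdict = "malicious"
        elif sigs:
            verdict = "suspicious"
        else:
            verdict = "clean"
        result[pid] = (image, sigs, verdict)
    return result


if __name__ == "__main__":
    for pid, (image, sigs, verdict) in triage(EVENTS).items():
        print(f"{pid} {verdict:<10} {image}")
        for s in sigs:
            print(f"      - {s}")
```

The dropped-DLL rule is deliberately stateful: a DLL loaded from Temp counts only when the same process wrote it first, which is what separates a dropped component from a DLL that was already on disk. A single BIOS read is routine for inventory agents and updaters, so the control process comes back as suspicious rather than malicious; on a real estate the threshold has to be set against your own baseline, not this sandbox run.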

Processes

C:\Users\Admin\AppData\Local\Temp\Katana.exe

"C:\Users\Admin\AppData\Local\Temp\Katana.exe"

Network

Country  Destination        Domain                       Proto
US       8.8.8.8:53         13.86.106.20.in-addr.arpa    udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa  udp
US       209.197.3.8:80                                  tcp
US       8.8.8.8:53         72.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53         keyauth.win                  udp
US       188.114.96.0:443   keyauth.win                  tcp
US       8.8.8.8:53         0.96.114.188.in-addr.arpa    udp
US       8.8.8.8:53         154.239.44.20.in-addr.arpa   udp
US       209.197.3.8:80                                  tcp
US       8.8.8.8:53         232.168.11.51.in-addr.arpa   udp
US       52.152.108.96:443                               tcp

Files

memory/1596-133-0x00000000006E0000-0x0000000000B0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll
  MD5     94173de2e35aa8d621fc1c4f54b2a082
  SHA1    fbb2266ee47f88462560f0370edb329554cd5869
  SHA256  7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f
  SHA512  cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798
memory/1596-138-0x0000000005C40000-0x00000000061E4000-memory.dmp
memory/1596-139-0x0000000005690000-0x0000000005722000-memory.dmp
memory/1596-140-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1596-141-0x0000000006820000-0x0000000006E48000-memory.dmp
memory/1596-142-0x0000000005640000-0x0000000005652000-memory.dmp
memory/1596-143-0x0000000005A80000-0x0000000005A8A000-memory.dmp
memory/1596-144-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1596-145-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1596-146-0x0000000009610000-0x000000000964C000-memory.dmp
memory/1596-149-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1596-150-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1596-151-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
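The Files sections of this run and of behavioral1 are more useful as structured data than as a flat list: the dump names encode the PID, a sequence number and the virtual address range of each captured region, and the dropped-file block carries hashes that can be matched across runs. As an added example, not tooling from the sandbox, here is a small parser for that naming scheme (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp) and for the hash blocks, with the report's own lines embedded (hash lines trimmed to MD5 and SHA256). The meaning of the fields is inferred from the file names and is an assumption.

```python
"""Parse the Files sections of this report into structured records and
compare the two detonations.

Added example, not sandbox tooling. The two text blocks are copied from the
report's behavioral1 and behavioral2 Files sections (hash lines trimmed to
MD5 and SHA256); the field meanings are inferred from the file names.
"""
import re
from collections import Counter

BEHAVIORAL1 = r"""
memory/1972-54-0x0000000000F10000-0x000000000133C000-memory.dmp
memory/1972-55-0x00000000001C0000-0x00000000001D4000-memory.dmp
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll
MD5 94173de2e35aa8d621fc1c4f54b2a082
SHA256 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f
memory/1972-59-0x0000000000320000-0x000000000033A000-memory.dmp
memory/1972-60-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-61-0x0000000000960000-0x00000000009BC000-memory.dmp
memory/1972-62-0x0000000000490000-0x00000000004AA000-memory.dmp
memory/1972-63-0x0000000005130000-0x00000000051E0000-memory.dmp
memory/1972-64-0x00000000052E0000-0x0000000005376000-memory.dmp
memory/1972-65-0x00000000056C0000-0x00000000058D6000-memory.dmp
memory/1972-67-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-66-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-70-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-71-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-72-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-73-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/1972-74-0x0000000008F90000-0x00000000090AE000-memory.dmp
"""

BEHAVIORAL2 = r"""
memory/1596-133-0x00000000006E0000-0x0000000000B0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll
MD5 94173de2e35aa8d621fc1c4f54b2a082
SHA256 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f
memory/1596-138-0x0000000005C40000-0x00000000061E4000-memory.dmp
memory/1596-139-0x0000000005690000-0x0000000005722000-memory.dmp
memory/1596-140-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1596-141-0x0000000006820000-0x0000000006E48000-memory.dmp
memory/1596-142-0x0000000005640000-0x0000000005652000-memory.dmp
memory/1596-143-0x0000000005A80000-0x0000000005A8A000-memory.dmp
memory/1596-144-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1596-145-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1596-146-0x0000000009610000-0x000000000964C000-memory.dmp
memory/1596-149-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1596-150-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
memory/1596-151-0x0000000002FB0000-0x0000000002FC0000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Return (dumps, dropped): dumps as dicts with pid/seq/start/end/size,
    dropped files as dicts with a path and a {algorithm: hexdigest} dict."""
    dumps, dropped, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := DUMP_RE.match(line):
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "seq": int(m[2]), "start": start,
                          "end": end, "size": end - start})
            current = None
        elif (m := HASH_RE.match(line)) and current is not None:
            current["hashes"][m[1]] = m[2].lower()   # hash belongs to the last path seen
        else:
            current = {"path": line, "hashes": {}}
            dropped.append(current)
    return dumps, dropped


def region_counts(dumps):
    """How many times each (start, end) range was captured during the run."""
    return Counter((d["start"], d["end"]) for d in dumps)


def largest_region(dumps):
    return max(dumps, key=lambda d: d["size"])


def shared_dropped(a, b, algo="SHA256"):
    """Dropped files present in both runs, matched by hash rather than by path
    (here the paths differ only in the leading drive letter)."""
    ha = {d["hashes"].get(algo) for d in a}
    hb = {d["hashes"].get(algo) for d in b}
    return (ha & hb) - {None}


if __name__ == "__main__":
    for name, text in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        dumps, dropped = parse_files(text)
        big = largest_region(dumps)
        print(f"{name}: {len(dumps)} dumps, {len(region_counts(dumps))} distinct regions, "
              f"largest 0x{big['start']:X}-0x{big['end']:X} ({big['size'] // 1024} KiB)")
    print("shared dropped SHA256:",
          shared_dropped(parse_files(BEHAVIORAL1)[1], parse_files(BEHAVIORAL2)[1]))
```

Two facts fall out that the flat lists hide: both runs dropped a byte-identical 0x7RT.dll (same SHA256 on Windows 7 and Windows 10), and each run's first dump is a region of exactly 0x42C000 bytes (0xF10000 to 0x133C000 under PID 1972, 0x6E0000 to 0xB0C000 under PID 1596), the same mapping captured at a different base address. The 0x8B0000 range in behavioral1 and the 0x2FB0000 range in behavioral2 were captured six or seven times each, so when pulling dumps for static work, deduplicate by address range first.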