Malware Analysis Report

2025-08-06 04:07

Sample ID 231207-jbtjzsbde6
Target SÖZLEŞME-pdf.exe
SHA256 3c0a5c75a24724f85305ffe4831cc0303f9eaa1e2b3a897a91cb808429b34845
Tags agenttesla guloader downloader keylogger spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 3c0a5c75a24724f85305ffe4831cc0303f9eaa1e2b3a897a91cb808429b34845

Threat Level: Known bad

The file SÖZLEŞME-pdf.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla guloader downloader keylogger spyware stealer trojan

Guloader,Cloudeye

AgentTesla

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-07 07:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-07 07:30
Reported 2023-12-07 07:32
Platform win7-20231023-en
Max time kernel 148s
Max time network 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Guloader,Cloudeye

downloader guloader

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Haglskadeforsikring\Miljankenvnet.ini | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 800 set thread context of 2796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\integraltegnets\substrate.Ski | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A
File created | C:\Program Files (x86)\cockling.lnk | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A
File opened for modification | C:\Program Files (x86)\cockling.lnk | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A
File opened for modification | C:\Program Files (x86)\Kldebonnets.kod | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\bagvognen.lnk | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A
File opened for modification | C:\Windows\Calottes.Doo | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A
File opened for modification | C:\Windows\bagvognen.lnk | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2000 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2000 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 800 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 800 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 800 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 800 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 800 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 800 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$bungfu=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Dispersionerne.Amb77';$Sjusserne=$bungfu.SubString(50752,3);.$Sjusserne($bungfu)"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | spsc.sudurpashchim.gov.np | udp
NP | 202.45.144.24:80 | spsc.sudurpashchim.gov.np | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Rkkens.ini

MD5 a8ca1db6ae34f5e5c152094f44f92476
SHA1 9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7
SHA256 1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3
SHA512 e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

memory/800-143-0x0000000002680000-0x00000000026C0000-memory.dmp

memory/800-142-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/800-141-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/800-144-0x0000000002680000-0x00000000026C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Dispersionerne.Amb77

MD5 6f471e56b57ed402dd3d0659e4c4489e
SHA1 e3f351b01dd96b408599c1165786635d2332012f
SHA256 7834c9ab2a3f5f0c1d945474a350d8cc1437502931ef6f115c3a77869ae3ba01
SHA512 06773bd5be240c213dc54dc1e4dc2a0f0da40335c15dd93639e8aa4da6a279fa321f395399bb115ed17c6585fc9e2bba3bfca2255bcb02c4f553f9a748ceb8d4

C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Autumn.Fil

MD5 07f672cc4e0e8d3856b4324b80b59275
SHA1 596ceb4b0a3be1029c2be0f633b2f5f4734c4fc0
SHA256 a32785d716991ef0b1ab3af1ba58a5d90fbc03a30431d0ff2d538d0bb2cfc5c3
SHA512 58a692f5347eada5fa9a97cc5f85b2a4c46419c14b8d0cb67c5d4a6a464b5f2b942ac1c6b10efb0d5a2b7c0f291d85dd8a4878c06fe7996ae6df829bd274354d

memory/800-148-0x00000000026D0000-0x00000000026D4000-memory.dmp

memory/800-149-0x0000000006160000-0x0000000007108000-memory.dmp

memory/800-150-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/800-151-0x0000000006160000-0x0000000007108000-memory.dmp

memory/800-152-0x0000000002680000-0x00000000026C0000-memory.dmp

memory/800-153-0x0000000077B10000-0x0000000077CB9000-memory.dmp

memory/800-155-0x0000000077D00000-0x0000000077DD6000-memory.dmp

memory/800-156-0x0000000006160000-0x0000000007108000-memory.dmp

memory/2796-157-0x0000000000910000-0x00000000018B8000-memory.dmp

memory/2796-158-0x0000000077B10000-0x0000000077CB9000-memory.dmp

memory/2796-159-0x000000006FE90000-0x0000000070EF2000-memory.dmp

memory/2796-160-0x0000000000910000-0x00000000018B8000-memory.dmp

memory/800-161-0x0000000006160000-0x0000000007108000-memory.dmp

memory/2796-162-0x000000006F7A0000-0x000000006FE8E000-memory.dmp

memory/2796-163-0x0000000000910000-0x00000000018B8000-memory.dmp

memory/2796-164-0x000000006FE90000-0x000000006FED0000-memory.dmp

memory/2796-166-0x000000001FDD0000-0x000000001FE10000-memory.dmp

memory/2796-169-0x000000006F7A0000-0x000000006FE8E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-07 07:30
Reported 2023-12-07 07:32
Platform win10v2004-20231127-en
Max time kernel 142s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Guloader,Cloudeye

downloader guloader

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Haglskadeforsikring\Miljankenvnet.ini | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1212 set thread context of 4956 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\integraltegnets\substrate.Ski | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A
File created | C:\Program Files (x86)\cockling.lnk | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A
File opened for modification | C:\Program Files (x86)\cockling.lnk | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A
File opened for modification | C:\Program Files (x86)\Kldebonnets.kod | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\bagvognen.lnk | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A
File opened for modification | C:\Windows\Calottes.Doo | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A
File opened for modification | C:\Windows\bagvognen.lnk | C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe

"C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$bungfu=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Dispersionerne.Amb77';$Sjusserne=$bungfu.SubString(50752,3);.$Sjusserne($bungfu)"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1920

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | spsc.sudurpashchim.gov.np | udp
NP | 202.45.144.24:80 | spsc.sudurpashchim.gov.np | tcp
US | 8.8.8.8:53 | 24.144.45.202.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\Rkkens.ini

MD5 a8ca1db6ae34f5e5c152094f44f92476
SHA1 9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7
SHA256 1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3
SHA512 e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

memory/1212-139-0x0000000002C30000-0x0000000002C66000-memory.dmp

memory/1212-140-0x0000000073C10000-0x00000000743C0000-memory.dmp

memory/1212-142-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/1212-141-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/1212-143-0x00000000057F0000-0x0000000005E18000-memory.dmp

memory/1212-144-0x0000000005160000-0x0000000005182000-memory.dmp

memory/1212-145-0x0000000005530000-0x0000000005596000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lry5qu33.430.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1212-151-0x00000000055A0000-0x0000000005606000-memory.dmp

memory/1212-156-0x0000000005E20000-0x0000000006174000-memory.dmp

memory/1212-157-0x00000000062A0000-0x00000000062BE000-memory.dmp

memory/1212-158-0x00000000062F0000-0x000000000633C000-memory.dmp

memory/1212-159-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/1212-160-0x0000000006880000-0x0000000006916000-memory.dmp

memory/1212-161-0x00000000067D0000-0x00000000067EA000-memory.dmp

memory/1212-162-0x00000000067F0000-0x0000000006812000-memory.dmp

memory/1212-163-0x0000000007AD0000-0x0000000008074000-memory.dmp

C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Dispersionerne.Amb77

MD5 6f471e56b57ed402dd3d0659e4c4489e
SHA1 e3f351b01dd96b408599c1165786635d2332012f
SHA256 7834c9ab2a3f5f0c1d945474a350d8cc1437502931ef6f115c3a77869ae3ba01
SHA512 06773bd5be240c213dc54dc1e4dc2a0f0da40335c15dd93639e8aa4da6a279fa321f395399bb115ed17c6585fc9e2bba3bfca2255bcb02c4f553f9a748ceb8d4

memory/1212-165-0x0000000008700000-0x0000000008D7A000-memory.dmp

C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Autumn.Fil

MD5 07f672cc4e0e8d3856b4324b80b59275
SHA1 596ceb4b0a3be1029c2be0f633b2f5f4734c4fc0
SHA256 a32785d716991ef0b1ab3af1ba58a5d90fbc03a30431d0ff2d538d0bb2cfc5c3
SHA512 58a692f5347eada5fa9a97cc5f85b2a4c46419c14b8d0cb67c5d4a6a464b5f2b942ac1c6b10efb0d5a2b7c0f291d85dd8a4878c06fe7996ae6df829bd274354d

memory/1212-168-0x00000000077A0000-0x00000000077A4000-memory.dmp

memory/1212-169-0x0000000008D80000-0x0000000009D28000-memory.dmp

memory/1212-170-0x0000000008D80000-0x0000000009D28000-memory.dmp

memory/1212-171-0x0000000073C10000-0x00000000743C0000-memory.dmp

memory/1212-173-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/1212-174-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/1212-175-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/1212-176-0x0000000077871000-0x0000000077991000-memory.dmp

memory/4956-177-0x0000000000BB0000-0x0000000001B58000-memory.dmp

memory/1212-178-0x0000000008D80000-0x0000000009D28000-memory.dmp

memory/4956-179-0x00000000778F8000-0x00000000778F9000-memory.dmp

memory/4956-180-0x0000000077871000-0x0000000077991000-memory.dmp

memory/4956-181-0x000000006EA10000-0x000000006FC64000-memory.dmp

memory/4956-182-0x0000000000BB0000-0x0000000001B58000-memory.dmp

memory/1212-184-0x0000000073C10000-0x00000000743C0000-memory.dmp

memory/4956-185-0x000000006EA10000-0x000000006EA50000-memory.dmp

memory/1212-187-0x0000000008D80000-0x0000000009D28000-memory.dmp

memory/4956-186-0x0000000073C10000-0x00000000743C0000-memory.dmp

memory/4956-188-0x000000001FD40000-0x000000001FD50000-memory.dmp

memory/4956-189-0x0000000000BB0000-0x0000000001B58000-memory.dmp

memory/4956-192-0x0000000073C10000-0x00000000743C0000-memory.dmp