Malware Analysis Report

2025-08-11 06:22

Sample ID 240403-nfec3sce2y
Target yWQK3JWrMiYdSNG.exe
SHA256 105c79d054029dcf3d38c5ba526dc7c111cc2e2e6fb2555a88c0820a6ba9eb52
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

105c79d054029dcf3d38c5ba526dc7c111cc2e2e6fb2555a88c0820a6ba9eb52

Threat Level: Known bad

The file yWQK3JWrMiYdSNG.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads WinSCP keys stored on the system

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 11:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 11:20

Reported

2024-04-03 11:22

Platform

win10v2004-20240226-en

Max time kernel

122s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3840 set thread context of 2120 N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe N/A (2 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3840 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 3840 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 3840 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe (3 identical rows)
PID 3840 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe (8 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe

"C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SVxgdVWqIPqwco.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVxgdVWqIPqwco" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E43.tmp"

C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe

"C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe"

C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe

"C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 mail.funworld.co.id udp
ID 180.235.148.163:587 mail.funworld.co.id tcp
US 8.8.8.8:53 163.148.235.180.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 142.250.179.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp9E43.tmp

MD5 c2c28e6005a9069f2b024f6b690b0e9f
SHA1 f8578a3b2bfc358bfcbc1bcc9661dde2739674b4
SHA256 34da89ae97c2980181dbc7d0af7b374455771075fa66a11b09f24b38ba552a0a
SHA512 a88472a657224dc04eeca2aca8750c5dca357b625bf9fa63879d8d6cdc4d5c44693155e67eb709b2f60fa25e0b9e28cc60b0a4c5091293877ca051326b0238ee

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 11:20

Reported

2024-04-03 11:22

Platform

win7-20240221-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1956 set thread context of 2628 N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical rows)
PID 1956 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 1956 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe (9 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe

"C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SVxgdVWqIPqwco.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVxgdVWqIPqwco" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A23.tmp"

C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe

"C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp3A23.tmp

MD5 3b3fd0bf1ce63b96d762bb061353c1b0
SHA1 6779808da1826487e2043a5033f34e4c35c23680
SHA256 e5866608eb75b7be96ad0374968324501c2c9c1cb0af8f9eb1047c1484e068e1
SHA512 7a174e5ba2ca313ba7e1a523efa463bbbbfba338076ea74ad7adc5d48b5465ed8d017e75a672982afa0254e1c102452d43cefa654113ab8c7b60ddd2133ffd9e
