Analysis Overview
SHA256
980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2
Threat Level: Known bad
The file 980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 12:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 12:39
Reported
2024-04-03 12:41
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWxJzQW = "C:\\Users\\Admin\\AppData\\Roaming\\JWxJzQW\\JWxJzQW.exe" | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2884 set thread context of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | "C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe" |
| C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | "C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe" |
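The signature rows above describe two things worth correlating rather than reading in isolation: the sample launches a second copy of its own image and then calls SetThreadContext and WriteProcessMemory against that child (PID 2884 into 2932), which is the process-hollowing pattern, and it writes a Run value pointing to a self-named folder under AppData\Roaming for persistence. The following is an added example, not sandbox output or code from the page: it parses constructed rows that mirror the behavioral1 tables (Description / Indicator / Process / Target) and turns them into a single finding. The event dictionaries, the regexes and the list of user-writable path fragments are assumptions made for the example.

```python
"""Correlate sandbox signature rows into a hollowing + persistence finding.

Added example: the EVENTS rows below are constructed to mirror the behavioral1
signature tables on this page; they are not the sandbox's raw output.
"""
import json
import re
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe")

EVENTS = [
    {"sig": "Adds Run key to start application", "desc": "Set value (str)",
     "indicator": r'\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000'
                  r'\Software\Microsoft\Windows\CurrentVersion\Run\JWxJzQW = '
                  r'"C:\\Users\\Admin\\AppData\\Roaming\\JWxJzQW\\JWxJzQW.exe"',
     "process": SAMPLE, "target": None},
    {"sig": "Suspicious use of SetThreadContext",
     "desc": "PID 2884 set thread context of 2932", "indicator": None,
     "process": SAMPLE, "target": SAMPLE},
    {"sig": "Suspicious use of AdjustPrivilegeToken",
     "desc": "Token: SeDebugPrivilege", "indicator": None,
     "process": SAMPLE, "target": None},
    {"sig": "Suspicious use of WriteProcessMemory",
     "desc": None, "indicator": None, "process": SAMPLE, "target": None},
]

# Assumed formats: the Run-key indicator is "<key>\<value> = "<path>"" with doubled
# backslashes in the quoted path; the thread-context description names parent and child PIDs.
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\ ]+) = "(?P<path>.+)"$', re.IGNORECASE)
CTX_RE = re.compile(r"PID (?P<parent>\d+) set thread context of (?P<child>\d+)")
USER_WRITABLE = ("appdata\\roaming", "appdata\\local", "\\temp\\", "\\users\\public")  # assumption


def parse_run_key(indicator):
    """Extract value name and launch path; flag user-writable and self-named locations."""
    m = RUN_KEY_RE.search(indicator)
    if not m:
        return None
    path = m["path"].replace("\\\\", "\\")   # undo the registry-style escaping
    p = PureWindowsPath(path)
    return {
        "value_name": m["name"],
        "path": path,
        "user_writable": any(s in path.lower() for s in USER_WRITABLE),
        # folder name == exe stem == Run value name, as in the JWxJzQW rows above
        "self_named_dir": p.parent.name.lower() == p.stem.lower() == m["name"].lower(),
    }


def parse_thread_context(desc):
    m = CTX_RE.search(desc or "")
    return (int(m["parent"]), int(m["child"])) if m else None


def triage(events):
    """Combine the rows into one finding; 'inconclusive' unless every leg is present."""
    sigs = {e["sig"] for e in events}
    report = {"persistence": None, "hollowing": None, "privileges": []}
    for e in events:
        if e["sig"] == "Adds Run key to start application" and e["indicator"]:
            report["persistence"] = parse_run_key(e["indicator"])
        elif e["sig"] == "Suspicious use of SetThreadContext":
            pids = parse_thread_context(e["desc"])
            if pids:
                report["hollowing"] = {
                    "parent": pids[0], "child": pids[1],
                    # parent and target share one image: the sample hollowed a copy of itself
                    "same_image": (e["process"] or "").lower() == (e["target"] or "").lower(),
                    "wrote_memory": "Suspicious use of WriteProcessMemory" in sigs,
                }
        elif e["sig"] == "Suspicious use of AdjustPrivilegeToken":
            m = re.search(r"Token: (\w+)", e["desc"] or "")
            if m:
                report["privileges"].append(m[1])
    h = report["hollowing"]
    complete = h and h["same_image"] and h["wrote_memory"] and report["persistence"]
    report["verdict"] = "self-hollowing + run-key persistence" if complete else "inconclusive"
    return report


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

The same rows in behavioral2 (PIDs 3200 and 2320, the `SOFTWARE` spelling of the key) parse identically, which is why the verdict only depends on the relationships between rows and not on PIDs or SIDs.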
Network
Files
memory/2884-0-0x00000000000A0000-0x00000000000F8000-memory.dmp
memory/2884-1-0x0000000074650000-0x0000000074D3E000-memory.dmp
memory/2932-3-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2884-4-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2884-2-0x00000000048B0000-0x00000000048F0000-memory.dmp
memory/2932-5-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2884-12-0x0000000074650000-0x0000000074D3E000-memory.dmp
memory/2932-13-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2932-15-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2932-10-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2932-16-0x00000000745D0000-0x0000000074CBE000-memory.dmp
memory/2932-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2932-7-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2932-6-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2932-17-0x0000000000610000-0x0000000000650000-memory.dmp
memory/2932-19-0x00000000745D0000-0x0000000074CBE000-memory.dmp
memory/2932-20-0x0000000000610000-0x0000000000650000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 12:39
Reported
2024-04-03 12:41
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JWxJzQW = "C:\\Users\\Admin\\AppData\\Roaming\\JWxJzQW\\JWxJzQW.exe" | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3200 set thread context of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | "C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe" |
| C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe | "C:\Users\Admin\AppData\Local\Temp\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | webmail.fashiongroup.pl | udp |
| PL | 193.106.106.59:26 | webmail.fashiongroup.pl | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
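Most rows in the network table are PTR (in-addr.arpa) lookups, which carry no attacker infrastructure of their own; the one row that matters is the forward lookup of webmail.fashiongroup.pl followed by a TCP connection to 193.106.106.59:26. The page shows no payload, so the protocol on port 26 is not confirmed here; port 26 is commonly offered by hosting providers as an alternate SMTP port, which would fit AgentTesla's documented SMTP exfiltration, but treat that as an assumption. The following added example (not the sandbox's code) separates the noise from the connection of interest, reverses the PTR names back to the IPs they were looking up, and emits an IOC list; the rows are constructed to mirror the table above and the port classification sets are assumptions.

```python
"""Triage a sandbox network table: drop PTR noise, correlate DNS with TCP, list IOCs.

Added example. ROWS mirrors the behavioral2 Network table on this page
(Country / Destination / Domain / Proto) and is constructed, not raw output.
"""
import ipaddress

ROWS = [
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.204.248.87.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "73.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "webmail.fashiongroup.pl", "udp"),
    ("PL", "193.106.106.59:26", "webmail.fashiongroup.pl", "tcp"),
    ("US", "8.8.8.8:53", "183.142.211.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "9.66.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "253.15.104.51.in-addr.arpa", "udp"),
]

STANDARD_MAIL_PORTS = {25, 465, 587}
ALT_MAIL_PORTS = {26, 2525}   # assumption: alternates some providers expose; not from the page


def split_dest(dest):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def ptr_to_ip(name):
    """'209.205.72.20.in-addr.arpa' -> '20.72.205.209'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return str(ipaddress.ip_address(".".join(reversed(octets))))


def triage_network(rows):
    lookups, ptr_targets, conns = [], [], []
    for country, dest, domain, proto in rows:
        host, port = split_dest(dest)
        if proto == "udp" and port == 53:
            ip = ptr_to_ip(domain)
            if ip:
                ptr_targets.append(ip)       # reverse lookups: keep for context only
            else:
                lookups.append(domain)       # forward lookups: candidate C2/exfil hosts
            continue
        conns.append({
            "country": country, "ip": host, "port": port, "domain": domain,
            # a connection preceded by a forward lookup of the same name is the
            # sample's own resolution, not something the OS did in the background
            "resolved_first": domain in lookups,
            "mail_port": ("standard" if port in STANDARD_MAIL_PORTS
                          else "alternate" if port in ALT_MAIL_PORTS else "none"),
        })
    iocs = sorted({c["domain"] for c in conns if c["domain"]} |
                  {f'{c["ip"]}:{c["port"]}' for c in conns})
    return {"ptr_targets": ptr_targets, "lookups": lookups,
            "connections": conns, "iocs": iocs}


if __name__ == "__main__":
    result = triage_network(ROWS)
    for c in result["connections"]:
        print(f'{c["domain"]} -> {c["ip"]}:{c["port"]} '
              f'(resolved_first={c["resolved_first"]}, mail_port={c["mail_port"]})')
    print("IOCs:", result["iocs"])
```

Note that the behavioral1 (Windows 7) run produced no network rows at all; the lack of an exfil attempt there does not change the verdict, since the hollowing and persistence rows are present in both runs.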
Files
memory/3200-0-0x0000000000C30000-0x0000000000C88000-memory.dmp
memory/3200-1-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/3200-2-0x0000000005550000-0x0000000005560000-memory.dmp
memory/2320-4-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3200-3-0x0000000001800000-0x0000000001801000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\980041bd4d6d52fe31e571a496db18bf9bebc87791b5624d8b71c1a2acfab9b2.exe.log
| MD5 | 84cfdb4b995b1dbf543b26b86c863adc |
| SHA1 | d2f47764908bf30036cf8248b9ff5541e2711fa2 |
| SHA256 | d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b |
| SHA512 | 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce |
memory/3200-7-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/2320-8-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/2320-9-0x0000000005510000-0x0000000005AB4000-memory.dmp
memory/2320-10-0x0000000004FD0000-0x0000000005036000-memory.dmp
memory/2320-11-0x0000000004F50000-0x0000000004F60000-memory.dmp
memory/2320-13-0x0000000005F00000-0x0000000005F50000-memory.dmp
memory/2320-14-0x0000000005FF0000-0x000000000608C000-memory.dmp
memory/2320-15-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/2320-16-0x0000000004F50000-0x0000000004F60000-memory.dmp
memory/2320-17-0x0000000006370000-0x0000000006402000-memory.dmp
memory/2320-18-0x0000000006350000-0x000000000635A000-memory.dmp
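The memory dump lists in both detonations follow the naming pattern memory/<pid>-<sequence>-<start>-<end>-memory.dmp. Read together with the SetThreadContext rows, they tell you which dump to feed to a scanner or config extractor: in the hollowed child (2932 on Windows 7, 2320 on Windows 10) the region 0x00400000-0x00442000 is dumped repeatedly and has the same size (0x42000 bytes) on both platforms, which is what you would expect from an injected PE image rather than a heap or a loaded system DLL. The following added example (not the sandbox's code) parses both lists, counts how often each region was captured, and picks the region at the classic 32-bit default image base 0x400000 as the payload candidate; the entries are copied from the two Files lists on this page, and the default-base assumption is the example's own.

```python
"""Parse sandbox memory-dump filenames and pick the hollowed child's payload region.

Added example. DUMPS reproduces the two Files lists on this page (behavioral1 and
behavioral2); the non-dump artifact (the CLR UsageLogs .log file) is left out.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                     r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
DEFAULT_IMAGE_BASE = 0x400000   # assumption: classic 32-bit PE default base, not stated on the page

DUMPS = {
    "behavioral1": [
        "memory/2884-0-0x00000000000A0000-0x00000000000F8000-memory.dmp",
        "memory/2884-1-0x0000000074650000-0x0000000074D3E000-memory.dmp",
        "memory/2932-3-0x0000000000400000-0x0000000000442000-memory.dmp",
        "memory/2884-4-0x0000000000320000-0x0000000000321000-memory.dmp",
        "memory/2884-2-0x00000000048B0000-0x00000000048F0000-memory.dmp",
        "memory/2932-5-0x0000000000400000-0x0000000000442000-memory.dmp",
        "memory/2884-12-0x0000000074650000-0x0000000074D3E000-memory.dmp",
        "memory/2932-13-0x0000000000400000-0x0000000000442000-memory.dmp",
        "memory/2932-15-0x0000000000400000-0x0000000000442000-memory.dmp",
        "memory/2932-10-0x0000000000400000-0x0000000000442000-memory.dmp",
        "memory/2932-16-0x00000000745D0000-0x0000000074CBE000-memory.dmp",
        "memory/2932-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
        "memory/2932-7-0x0000000000400000-0x0000000000442000-memory.dmp",
        "memory/2932-6-0x0000000000400000-0x0000000000442000-memory.dmp",
        "memory/2932-17-0x0000000000610000-0x0000000000650000-memory.dmp",
        "memory/2932-19-0x00000000745D0000-0x0000000074CBE000-memory.dmp",
        "memory/2932-20-0x0000000000610000-0x0000000000650000-memory.dmp",
    ],
    "behavioral2": [
        "memory/3200-0-0x0000000000C30000-0x0000000000C88000-memory.dmp",
        "memory/3200-1-0x0000000074F00000-0x00000000756B0000-memory.dmp",
        "memory/3200-2-0x0000000005550000-0x0000000005560000-memory.dmp",
        "memory/2320-4-0x0000000000400000-0x0000000000442000-memory.dmp",
        "memory/3200-3-0x0000000001800000-0x0000000001801000-memory.dmp",
        "memory/3200-7-0x0000000074F00000-0x00000000756B0000-memory.dmp",
        "memory/2320-8-0x0000000074F00000-0x00000000756B0000-memory.dmp",
        "memory/2320-9-0x0000000005510000-0x0000000005AB4000-memory.dmp",
        "memory/2320-10-0x0000000004FD0000-0x0000000005036000-memory.dmp",
        "memory/2320-11-0x0000000004F50000-0x0000000004F60000-memory.dmp",
        "memory/2320-13-0x0000000005F00000-0x0000000005F50000-memory.dmp",
        "memory/2320-14-0x0000000005FF0000-0x000000000608C000-memory.dmp",
        "memory/2320-15-0x0000000074F00000-0x00000000756B0000-memory.dmp",
        "memory/2320-16-0x0000000004F50000-0x0000000004F60000-memory.dmp",
        "memory/2320-17-0x0000000006370000-0x0000000006402000-memory.dmp",
        "memory/2320-18-0x0000000006350000-0x000000000635A000-memory.dmp",
    ],
}


def parse_dump(entry):
    """Return (pid, seq, start, end) or None for entries that are not memory dumps."""
    m = DUMP_RE.match(entry)
    if not m:
        return None
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def summarize(entries):
    """pid -> {(start, end): number of times that region was dumped}."""
    out = defaultdict(lambda: defaultdict(int))
    for e in entries:
        parsed = parse_dump(e)
        if parsed:
            pid, _, start, end = parsed
            out[pid][(start, end)] += 1
    return {pid: dict(regs) for pid, regs in out.items()}


def payload_candidates(summary, hollowed_pid=None):
    """Regions starting at the default image base, optionally restricted to the hollowed child."""
    cands = []
    for pid, regs in summary.items():
        if hollowed_pid is not None and pid != hollowed_pid:
            continue
        for (start, end), n in regs.items():
            if start == DEFAULT_IMAGE_BASE:
                cands.append((pid, start, end, end - start, n))
    return sorted(cands)


def shared_payload_sizes(runs):
    """Payload sizes seen in every detonation; a stable size across OS versions is a strong hint."""
    sizes = [{c[3] for c in payload_candidates(s)} for s in runs.values()]
    return set.intersection(*sizes) if sizes else set()


if __name__ == "__main__":
    runs = {name: summarize(entries) for name, entries in DUMPS.items()}
    for name, s in runs.items():
        print(name, payload_candidates(s))
    print("payload sizes common to all runs:", [hex(x) for x in shared_payload_sizes(runs)])
```

The dump whose region starts at 0x400000 in the child is the one to carve a PE from; the large regions in the 0x74xxxxxx range and the small 4 KiB regions are not where the injected image lives.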