Malware Analysis Report

2024-11-30 04:12

Sample ID 240408-brqt2acf35
Target 6fdf1d837846b08d6ae2a494e4a8cb4f.bin
SHA256 9410453b5b9e7f3a65408cd8258d40222d239b424d8d6b6288940a6e1ab54a53
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9410453b5b9e7f3a65408cd8258d40222d239b424d8d6b6288940a6e1ab54a53

Threat Level: Known bad

The file 6fdf1d837846b08d6ae2a494e4a8cb4f.bin was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 01:22

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 01:22

Reported

2024-04-08 01:25

Platform

win10v2004-20231215-en

Max time kernel

24s

Max time network

86s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe

"C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PlzhtgAH.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PlzhtgAH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AE8.tmp"

C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe

"C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp

Files

memory/3420-0-0x00000000003A0000-0x000000000044A000-memory.dmp

memory/3420-1-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3420-2-0x0000000005270000-0x0000000005814000-memory.dmp

memory/3420-3-0x0000000004D60000-0x0000000004DF2000-memory.dmp

memory/3420-4-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/3420-5-0x0000000004D20000-0x0000000004D2A000-memory.dmp

memory/3420-6-0x0000000007800000-0x0000000007810000-memory.dmp

memory/3420-7-0x0000000007810000-0x000000000781C000-memory.dmp

memory/3420-8-0x0000000007BA0000-0x0000000007C26000-memory.dmp

memory/3420-9-0x000000000A320000-0x000000000A3BC000-memory.dmp

memory/3420-10-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1720-16-0x0000000002340000-0x0000000002376000-memory.dmp

memory/3420-15-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/1720-17-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1720-18-0x0000000004FA0000-0x00000000055C8000-memory.dmp

memory/1720-19-0x0000000002330000-0x0000000002340000-memory.dmp

memory/4588-21-0x0000000002190000-0x00000000021A0000-memory.dmp

memory/1720-20-0x0000000002330000-0x0000000002340000-memory.dmp

memory/4588-22-0x0000000002190000-0x00000000021A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9AE8.tmp

MD5 26bdbec1b02e586943578968f89185a6
SHA1 da4bc6922c37bf28100fbda51e4cdbfeee608708
SHA256 df2c945cc69b1f375ecc0f5b213ac7d027d2043324070dbe4cb05057e2a355a4
SHA512 284c82e687d382e8a753c15a0437ab248530fc269b560b7f669373aeaa42840383ddfd56b6b091b8cf79c7832412ec8a1f006ba46b158d3467a807277bd4c8b6

memory/4588-25-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1720-27-0x00000000055D0000-0x0000000005636000-memory.dmp

memory/1720-26-0x0000000004F30000-0x0000000004F96000-memory.dmp

memory/4588-24-0x0000000004940000-0x0000000004962000-memory.dmp

memory/392-33-0x0000000000400000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y2qljrjr.v0y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/392-48-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3420-50-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/1720-47-0x0000000005740000-0x0000000005A94000-memory.dmp

memory/392-51-0x00000000053E0000-0x00000000053F0000-memory.dmp

memory/4588-52-0x0000000005A10000-0x0000000005A2E000-memory.dmp

memory/4588-53-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

memory/4588-56-0x0000000075440000-0x000000007548C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 01:22

Reported

2024-04-08 01:25

Platform

win7-20240220-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3028 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3028 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3028 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3028 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3028 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3028 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe
PID 3028 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe
PID 3028 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe
PID 3028 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe
PID 3028 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe
PID 3028 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe
PID 3028 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe
PID 3028 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe
PID 3028 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe | C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe

"C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PlzhtgAH.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PlzhtgAH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp77FD.tmp"

C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe

"C:\Users\Admin\AppData\Local\Temp\ef8ad9042176ddf7dae5199f0135c2efabf224a45ac52f0ebc054b7ee9806c04.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.13.205:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp

Files

memory/3028-0-0x0000000000F50000-0x0000000000FFA000-memory.dmp

memory/3028-1-0x00000000744C0000-0x0000000074BAE000-memory.dmp

memory/3028-2-0x0000000004D50000-0x0000000004D90000-memory.dmp

memory/3028-3-0x00000000004C0000-0x00000000004D0000-memory.dmp

memory/3028-4-0x00000000004D0000-0x00000000004DC000-memory.dmp

memory/3028-5-0x0000000005FE0000-0x0000000006066000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp77FD.tmp

MD5 6adae5bf511e3d99629705c6a320b7a4
SHA1 860c1b312a6de73a495efe5122aa10ad50b8ed22
SHA256 47d927487ba9bf3f5abfa115ec9cacdb947cf0c1194da3b7e5f7aed4c0105b27
SHA512 bdfd650f3fe93616810c0163d49695bbf5820c3f8e233d086203063cdcd31709cf06679e4ecc8033f6eb3a71960daa139ed0cb4deeddcab5a193be583db465e4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 1b60cb471265a2b244e67da9b5b6313c
SHA1 67c28424d518045dfca6d0d38c49a239c7b99854
SHA256 2f64b7fa6b1561408930d640f1399aede069581405f0ab2ff0fcc87f9fcb08b7
SHA512 4068828786e72ac3011901f1a34f9d3fcb48e24973d2ca5ac536fad85e3f407020b90f5053ca9a6c4101bc9465fbc8de60d042dc617e632d8de255d36cb318ea

memory/3028-19-0x00000000744C0000-0x0000000074BAE000-memory.dmp

memory/2464-18-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2464-21-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2464-23-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2464-25-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2464-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2464-29-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2464-31-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3028-33-0x00000000744C0000-0x0000000074BAE000-memory.dmp

memory/2464-34-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2552-35-0x000000006F010000-0x000000006F5BB000-memory.dmp

memory/2624-36-0x000000006F010000-0x000000006F5BB000-memory.dmp

memory/2624-37-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/2552-38-0x00000000029E0000-0x0000000002A20000-memory.dmp

memory/2624-39-0x000000006F010000-0x000000006F5BB000-memory.dmp

memory/2552-41-0x00000000029E0000-0x0000000002A20000-memory.dmp

memory/2624-42-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/2552-40-0x000000006F010000-0x000000006F5BB000-memory.dmp

memory/2624-43-0x000000006F010000-0x000000006F5BB000-memory.dmp

memory/2552-45-0x000000006F010000-0x000000006F5BB000-memory.dmp

memory/2464-44-0x00000000731C0000-0x00000000738AE000-memory.dmp

memory/2464-46-0x0000000004DF0000-0x0000000004E30000-memory.dmp

memory/2464-47-0x00000000731C0000-0x00000000738AE000-memory.dmp

memory/2464-48-0x0000000004DF0000-0x0000000004E30000-memory.dmp