Overview

overview

10

Static

static

3

Byte Guard Free.exe

windows10-1703-x64

10

Byte Guard Free.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    27s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/05/2024, 13:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Byte Guard Free.exe

  • Size

    2.4MB

  • MD5

    32eee970bec927fd068197918edac5a4

  • SHA1

    8aa4820931aa228856f12fc516f886dab4d12e28

  • SHA256

    53eeff9f4fa0473d90cf4abe978ff60d5898d2527924a593ef877303cab88a5b

  • SHA512

    d47d2fbc9d4b9a47d0b5b1076aaa89b20ba72a9625e9fcfd57f000bc14abc11aff60123667bbb6998fa5bdff65b7207f410cc6008207fc2362db1d99c80afbe8

  • SSDEEP

    49152:3Ls8e8SkGMITYbNbNWo4kSH3OqtwI2MrBm6w30IfRaRf:3PecGMIT4bNJFY3OqtxdmDDJef

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Byte Guard Free.exe
    "C:\Users\Admin\AppData\Local\Temp\Byte Guard Free.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/g3pH5NZESD
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d90846f8,0x7ff9d9084708,0x7ff9d9084718
        3⤵
          PID:1560
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1303646393043950511,42932031294747670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
          3⤵
            PID:3704
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,1303646393043950511,42932031294747670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
            3⤵
              PID:4368
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,1303646393043950511,42932031294747670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
              3⤵
                PID:3092
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1303646393043950511,42932031294747670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
                3⤵
                  PID:2780
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1303646393043950511,42932031294747670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
                  3⤵
                    PID:3544
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1303646393043950511,42932031294747670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
                    3⤵
                      PID:2240
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,1303646393043950511,42932031294747670,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3988 /prefetch:8
                      3⤵
                        PID:2316
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,1303646393043950511,42932031294747670,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4112 /prefetch:8
                        3⤵
                        • Modifies registry class
                        PID:4272
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1303646393043950511,42932031294747670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
                        3⤵
                          PID:5524
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1303646393043950511,42932031294747670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
                          3⤵
                            PID:5676
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:4812
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:3056

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            ea98e583ad99df195d29aa066204ab56

                            SHA1

                            f89398664af0179641aa0138b337097b617cb2db

                            SHA256

                            a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

                            SHA512

                            e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            4f7152bc5a1a715ef481e37d1c791959

                            SHA1

                            c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

                            SHA256

                            704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

                            SHA512

                            2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                            Filesize

                            840B

                            MD5

                            b015d91f858c2e5289c3683a432a3fa6

                            SHA1

                            3f1db32896cdad1dee09042d79e67c6e48e0afbb

                            SHA256

                            42751d63b760af9a1de25e65bd4d6d578f36155b9f5dd0c1161edb86a350edb9

                            SHA512

                            fd5c6b355547384306f2130a8f1b007985986e3f365254288d41149c9c63421b46bfe658f2c1abcad739b974da2d4e1b9b523f067e29cc13e53942db80ca5fb5

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                            Filesize

                            323B

                            MD5

                            a5a1149047729a493b1a2a65063c39ba

                            SHA1

                            8f1f45cb0c0772dcd05795734cbf408636fb9fb9

                            SHA256

                            e0ef1f906ea2606c802310437fe799d93e073770ab6549060ee4b9c9c49f2006

                            SHA512

                            8ce257a087115e2d542657a2b4679d0c100ebdec76e3392cff1bbba133e129f2fcdbd73f9baab92e762bef47a2572d3dc8553fa3858d787d2a0b2bf8f05dc54e

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            1ca934a6001860e8e065b036c0076fb1

                            SHA1

                            44b501f67674959508d8207081994bac3668468b

                            SHA256

                            c5e9bf87c0d8cb04ba9533242e7b8ffc96d51791dab1733e80100e8c074d6fbf

                            SHA512

                            9386199c5d299f81125826891ee5937f85c343aafee3843f752b10083d781384b34ffad9e6663d18fbab3d7d132a05598964b012df7afe0b2703ecaff30b3168

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            5KB

                            MD5

                            14eff1a067970066f6896574aceca0ff

                            SHA1

                            206930c5f58585ed0e68dc110d72301fd084565e

                            SHA256

                            b70df9e62ae5ed3da1e1f6e4d881bf685779003e78a0fee1dd1a339361c4cc31

                            SHA512

                            638ab5a9b07353afe38fef8fc6ffb33809a3015d08ef5481a25bd53ec5852e896aae24e163177de83b4d1f1f50eaa212e1b6dfac58c2baba84449b526308a2c1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            11KB

                            MD5

                            9f90c48b80f0a4aa59da85f7fa7e947b

                            SHA1

                            cd45716e6f1ff88a7747f68ccb8a72760070024c

                            SHA256

                            35bfa6fec333fd2d60f69a09efc6d457a9d82e3fa07dc86d254f57646316393d

                            SHA512

                            598ef655dd8fd2734a033b72915c1e6a6044593197c0849cf7e0bf916a4315874ccf3e13f9823524c604a42a36480e1b5ad5f082e5398e096eaaaa9c03d184c2

                            Download Submit

                          • memory/4700-4-0x0000000074820000-0x0000000074FD0000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/4700-7-0x0000000006CE0000-0x0000000006CEA000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/4700-9-0x0000000009730000-0x000000000976C000-memory.dmp

                            Filesize

                            240KB

                            Download

                          • memory/4700-6-0x00000000069A0000-0x0000000006BB4000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/4700-5-0x00000000067D0000-0x00000000067E2000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/4700-8-0x0000000074820000-0x0000000074FD0000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/4700-0-0x000000007482E000-0x000000007482F000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4700-3-0x0000000005630000-0x00000000056C2000-memory.dmp

                            Filesize

                            584KB

                            Download

                          • memory/4700-2-0x0000000005BE0000-0x0000000006184000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/4700-1-0x00000000008B0000-0x0000000000B28000-memory.dmp

                            Filesize

                            2.5MB

                            Download

                          • memory/4700-232-0x000000007482E000-0x000000007482F000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4700-233-0x0000000074820000-0x0000000074FD0000-memory.dmp

                            Filesize

                            7.7MB

                            Download