Malware Analysis Report

2025-06-15 20:05

Sample ID 240515-mxtcwsdh3s
Target SHIPPING DOCUMENTS.exe
SHA256 21d546daca396508a4777d88c6b07a198fd84e0b368ffa19d2c7eaa961ec014d
Tags
agenttesla execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21d546daca396508a4777d88c6b07a198fd84e0b368ffa19d2c7eaa961ec014d

Threat Level: Known bad

The file SHIPPING DOCUMENTS.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-15 10:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 10:51

Reported

2024-05-15 10:53

Platform

win7-20240215-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\NcnBt = "C:\\Users\\Admin\\AppData\\Roaming\\NcnBt\\NcnBt.exe" | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2820 set thread context of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2820 wrote to memory of 2512 (4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 2592 (4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 2444 (9 times) | N/A | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe
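The WriteProcessMemory rows are noisy on their own: the parent also writes into the PowerShell and schtasks children, as every CreateProcess does when it places the startup parameters into a new process. What marks the third child as process hollowing is the combination with SetThreadContext and the fact that source and target run the same image. The script below is an added example written for this page, not part of the sandbox report: it applies that correlation to the rows above (copied here as constructed tuples) and then uses the dump file names from the Files section to pick the region the sandbox dumped most often in the hollowed child, which is the first place to carve for the unpacked payload.

```python
import re
from collections import Counter

# Rows copied from the two signature tables above as (description, process, target).
# Constructed for this example; PIDs are those of the behavioral1 run.
WRITE_ROWS = [
    ("PID 2820 wrote to memory of 2512",
     r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    ("PID 2820 wrote to memory of 2592",
     r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe",
     r"C:\Windows\SysWOW64\schtasks.exe"),
    ("PID 2820 wrote to memory of 2444",
     r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe",
     r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"),
]
CONTEXT_ROWS = [
    ("PID 2820 set thread context of 2444",
     r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe",
     r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"),
]
# Dump names from the behavioral1 Files section (subset, constructed for the example).
DUMPS = [
    "memory/2820-1-0x0000000000E90000-0x0000000000F3E000-memory.dmp",
    "memory/2444-14-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2444-16-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2444-18-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2444-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2444-23-0x0000000000400000-0x0000000000442000-memory.dmp",
]

PIDS = re.compile(r"PID (\d+) (?:wrote to memory of|set thread context of) (\d+)")
DUMP = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def _pairs(rows):
    """Map (source pid, target pid) -> (source image, target image)."""
    out = {}
    for desc, proc, target in rows:
        m = PIDS.match(desc)
        if m:
            out[(int(m.group(1)), int(m.group(2)))] = (proc, target)
    return out


def find_hollowing(write_rows, context_rows):
    """Pairs that were both written to and had a thread context set, where the
    target runs the same image as the source (a fresh copy of itself, hollowed)."""
    writes = _pairs(write_rows)
    hits = []
    for pair, (proc, target) in _pairs(context_rows).items():
        if pair in writes and proc.lower() == target.lower():
            hits.append({"source": pair[0], "target": pair[1], "image": target})
    return hits


def payload_region(dumps, pid):
    """The (start, end) region dumped most often for pid, or None if pid was never dumped.
    Repeated dumps of one region in the hollowed child are where the written image sits."""
    counts = Counter()
    for name in dumps:
        m = DUMP.match(name)
        if m and int(m.group(1)) == pid:
            counts[(int(m.group(2), 16), int(m.group(3), 16))] += 1
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    for hit in find_hollowing(WRITE_ROWS, CONTEXT_ROWS):
        start, end = payload_region(DUMPS, hit["target"])
        print(f"PID {hit['source']} hollowed PID {hit['target']}: "
              f"carve 0x{start:X}-0x{end:X} ({end - start} bytes)")
```

Writes to the PowerShell and schtasks children are ignored because no SetThreadContext row pairs with them, which is the check that keeps the rule from firing on every child process.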

Processes

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe

"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kEDrUYYd.exe"

The image is under SysWOW64 although the command line names System32: the parent is a 32-bit process, so its child launches are subject to WOW64 file-system redirection, and the same applies to schtasks.exe below. The excluded path (kEDrUYYd.exe) and the Run key target (NcnBt\NcnBt.exe) are different names, and neither file appears in the Files section of either detonation.

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kEDrUYYd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp"

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe

"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"
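The three host artifacts in this run (the Defender exclusion added with Add-MpPreference, the scheduled task registered from an XML file in the user's Temp directory, and the Run key pointing into AppData\Roaming) are what an endpoint hunt should key on. The script below is an added example, not part of the report or of any vendor tooling: it runs that triage over constructed Sysmon-style records (Event ID 1 process creation, Event ID 13 registry value set) built to mirror the rows above, plus one benign control; the field names follow Sysmon's schema and the ATT&CK technique IDs are the editor's mapping.

```python
import re

# Constructed Sysmon-style records mirroring the behavioral1 rows above.
# Sample data for this example, not sandbox output; PIDs match the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2512, "ParentProcessId": 2820,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kEDrUYYd.exe"'},
    {"EventID": 1, "ProcessId": 2592, "ParentProcessId": 2820,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kEDrUYYd" '
                    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp"'},
    {"EventID": 13, "ProcessId": 2820,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe",
     "TargetObject": r"HKU\S-1-5-21-2248906074-2862704502-246302768-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\NcnBt",
     "Details": r"C:\Users\Admin\AppData\Roaming\NcnBt\NcnBt.exe"},
    # Benign control: an administrator importing a task from ProgramData via cmd.exe.
    {"EventID": 1, "ProcessId": 900, "ParentProcessId": 800,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
]

# Paths a standard user can write to; persistence that points here is the suspicious case.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# /XML "quoted path" or /XML unquoted-path
XML_ARG = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(path):
    # Compare on the file name only: a 32-bit parent asking for System32\x.exe is
    # redirected by WOW64 to SysWOW64\x.exe, so both spellings must match.
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (pid, technique_id, reason) for each of the three behaviours found."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            name = basename(ev["Image"])
            cmd = ev["CommandLine"]
            parent_in_user_dir = bool(USER_WRITABLE.search(ev["ParentImage"]))
            if name == "powershell.exe" and re.search(r"Add-MpPreference\s+-Exclusion", cmd, re.I):
                # Defender exclusion: T1562.001 Impair Defenses: Disable or Modify Tools
                findings.append((ev["ProcessId"], "T1562.001",
                                 "Add-MpPreference exclusion spawned by " + ev["ParentImage"]))
            elif name == "schtasks.exe" and re.search(r"/Create\b", cmd, re.I):
                m = XML_ARG.search(cmd)
                xml = (m.group(1) or m.group(2)) if m else ""
                # Task imported from a user-writable XML, or by a parent running from one:
                # T1053.005 Scheduled Task. The ProgramData control does not match.
                if USER_WRITABLE.search(xml) or parent_in_user_dir:
                    findings.append((ev["ProcessId"], "T1053.005",
                                     "schtasks /Create from XML " + xml))
        elif ev["EventID"] == 13:
            # Run key whose value points into AppData: T1547.001 Registry Run Keys
            if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
                findings.append((ev["ProcessId"], "T1547.001", "Run key -> " + ev["Details"]))
    return findings


if __name__ == "__main__":
    for pid, technique, reason in triage(SAMPLE_EVENTS):
        print(f"{pid}\t{technique}\t{reason}")
```

The same three checks translate directly to a live host: Get-MpPreference for the ExclusionPath list, the task XML under %SystemRoot%\System32\Tasks\Updates, and HKCU\Software\Microsoft\Windows\CurrentVersion\Run for values that resolve into AppData.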

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2820-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

memory/2820-1-0x0000000000E90000-0x0000000000F3E000-memory.dmp

memory/2820-2-0x0000000074B00000-0x00000000751EE000-memory.dmp

memory/2820-3-0x00000000004D0000-0x00000000004EE000-memory.dmp

memory/2820-4-0x00000000005D0000-0x00000000005E0000-memory.dmp

memory/2820-5-0x0000000000620000-0x0000000000636000-memory.dmp

memory/2820-6-0x0000000005010000-0x0000000005094000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp

MD5 cccf7b892faf1ac1ce91c9daeb238984
SHA1 20dfc0bdb11263e8c5519e3e9aa1c6a5ae89786b
SHA256 4c39cfd6d67b84420f1dc80d8ee7837a3ca5509c2daa2009a0a60f55cff02689
SHA512 b77de5b79fb9c9eaac28477aea9dcb21ac9844684cceef1bf2cb9a0330d4d83e0e1baba2984d7bb863b864049cfbe9b9d1050d1f893191e62049650d3e1cc8fb

memory/2444-14-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2444-23-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2444-26-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2444-24-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2444-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2444-20-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2444-18-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2444-16-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2820-27-0x0000000074B00000-0x00000000751EE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 10:51

Reported

2024-05-15 10:53

Platform

win10v2004-20240508-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | N/A

Reported for the Windows 10 run only. This key is also read during ordinary .NET region and culture initialisation, so on its own it is a weak indicator; it carries weight here only alongside the stealer behaviour that follows.

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NcnBt = "C:\\Users\\Admin\\AppData\\Roaming\\NcnBt\\NcnBt.exe" | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4216 set thread context of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4216 wrote to memory of 2364 (3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4216 wrote to memory of 3924 (3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4216 wrote to memory of 4248 (8 times) | N/A | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe | C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe

"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kEDrUYYd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kEDrUYYd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp859B.tmp"

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe

"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
BE 2.17.107.114:443 www.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 114.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 mail.santexknit.com udp
US 199.188.205.52:587 mail.santexknit.com tcp
US 8.8.8.8:53 52.205.188.199.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
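The Windows 10 run adds reverse-DNS (PTR) lookups and Bing traffic that come from the image itself rather than the sample. Both runs share the two public-IP lookup services AgentTesla queries to record the victim's address, and this run follows them with a connection to mail.santexknit.com on 587, consistent with its SMTP exfiltration channel. The report shows only the connection, not the message or the account, so the mail server is the indicator and any credentials would have to come from the unpacked configuration. The classifier below is an added example, not part of the report: it reads the table rows (copied here as a constructed string), drops resolver, PTR and Bing noise, and returns deduplicated IOCs with a role; treating bing.com as sandbox-image noise is an assumption.

```python
# Rows from the behavioral2 Network table above, embedded as a constructed sample
# (the omitted rows are further PTR lookups, which classify the same way).
ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
BE 2.17.107.114:443 www.bing.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 mail.santexknit.com udp
US 199.188.205.52:587 mail.santexknit.com tcp
US 8.8.8.8:53 52.205.188.199.in-addr.arpa udp
"""

RESOLVER = "8.8.8.8"                          # the sandbox's DNS server, never an IOC
IP_LOOKUP = {"api.ipify.org", "ip-api.com"}   # public-IP services seen in both runs
IMAGE_NOISE = {"bing.com"}                    # assumption: Win10 image telemetry, not the sample
MAIL_PORTS = {25, 465, 587}


def parse(rows):
    """Yield one dict per table row: country, ip, port, domain, proto."""
    for line in rows.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        yield {"country": country, "ip": ip, "port": int(port),
               "domain": domain.lower(), "proto": proto}


def is_noise(rec):
    d = rec["domain"]
    if d.endswith(".in-addr.arpa"):          # PTR lookups the sandbox/OS performs
        return True
    return any(d == n or d.endswith("." + n) for n in IMAGE_NOISE)


def role_for(domain, conns):
    if domain in IP_LOOKUP:
        return "public-ip-lookup"
    if any(c["port"] in MAIL_PORTS and c["proto"] == "tcp" for c in conns):
        return "smtp-exfil-candidate"
    return "unclassified" if conns else "dns-only"


def extract_iocs(rows):
    """One {type, value, role} per domain and per distinct ip:port the sample reached."""
    by_domain = {}
    for rec in parse(rows):
        if not is_noise(rec):
            by_domain.setdefault(rec["domain"], []).append(rec)
    iocs = []
    for domain, recs in by_domain.items():
        # Rows whose destination is the resolver are DNS queries: they name the
        # domain, but the resolver address itself is not an indicator.
        conns = [r for r in recs if r["ip"] != RESOLVER]
        role = role_for(domain, conns)
        iocs.append({"type": "domain", "value": domain, "role": role})
        for ip_port in dict.fromkeys(f'{c["ip"]}:{c["port"]}' for c in conns):
            iocs.append({"type": "ip:port", "value": ip_port, "role": role})
    return iocs


if __name__ == "__main__":
    for ioc in extract_iocs(ROWS):
        print(f'{ioc["type"]:8} {ioc["value"]:28} {ioc["role"]}')
```

Block the mail server and alert on the two lookup services at the proxy; the lookup services are shared with legitimate software, so they are context for a detection, not a blocking indicator on their own.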

Files

memory/4216-0-0x000000007471E000-0x000000007471F000-memory.dmp

memory/4216-1-0x00000000000A0000-0x000000000014E000-memory.dmp

memory/4216-2-0x0000000005010000-0x00000000055B4000-memory.dmp

memory/4216-3-0x0000000004B00000-0x0000000004B92000-memory.dmp

memory/4216-4-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

memory/4216-5-0x0000000004C50000-0x0000000004CEC000-memory.dmp

memory/4216-6-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/4216-7-0x00000000079E0000-0x00000000079FE000-memory.dmp

memory/4216-8-0x0000000005FD0000-0x0000000005FE0000-memory.dmp

memory/4216-9-0x0000000006110000-0x0000000006126000-memory.dmp

memory/4216-10-0x0000000007B80000-0x0000000007C04000-memory.dmp

memory/2364-15-0x00000000025E0000-0x0000000002616000-memory.dmp

memory/2364-17-0x0000000005060000-0x0000000005688000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp859B.tmp

MD5 9cfc3df2d711f2fe5177ff86b111417e
SHA1 0e99f5c9be22e4d2f7e5515109a1b4a06b37cf3c
SHA256 564996bce009cf00bcc24bf83819c54aa41b36a47a87394e7aa75461b7d8918e
SHA512 4d07303c9d5a656ffde2acfd0b3eff7adae9466b5f50d6d8b41eb4729080e56f39689fc9f61818b58a9dda32bb9b970fa7f0dda1c518ca8f63b9f171a77fd1af

memory/2364-18-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/2364-16-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/2364-20-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/2364-21-0x0000000004E00000-0x0000000004E22000-memory.dmp

memory/2364-22-0x0000000005700000-0x0000000005766000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tkfudw0h.zij.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4248-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2364-23-0x0000000005820000-0x0000000005886000-memory.dmp

memory/2364-35-0x00000000058D0000-0x0000000005C24000-memory.dmp

memory/4216-37-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/4248-36-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/2364-38-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

memory/2364-39-0x00000000061E0000-0x000000000622C000-memory.dmp

memory/2364-40-0x0000000006490000-0x00000000064C2000-memory.dmp

memory/2364-41-0x0000000074FA0000-0x0000000074FEC000-memory.dmp

memory/2364-51-0x0000000007080000-0x000000000709E000-memory.dmp

memory/2364-52-0x00000000070B0000-0x0000000007153000-memory.dmp

memory/2364-53-0x0000000007830000-0x0000000007EAA000-memory.dmp

memory/2364-54-0x00000000071E0000-0x00000000071FA000-memory.dmp

memory/2364-55-0x0000000007250000-0x000000000725A000-memory.dmp

memory/2364-56-0x0000000007460000-0x00000000074F6000-memory.dmp

memory/2364-57-0x00000000073E0000-0x00000000073F1000-memory.dmp

memory/2364-58-0x0000000007410000-0x000000000741E000-memory.dmp

memory/2364-59-0x0000000007420000-0x0000000007434000-memory.dmp

memory/2364-60-0x0000000007520000-0x000000000753A000-memory.dmp

memory/2364-61-0x0000000007500000-0x0000000007508000-memory.dmp

memory/2364-64-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/4248-66-0x0000000006ED0000-0x0000000006F20000-memory.dmp

memory/4248-67-0x0000000074710000-0x0000000074EC0000-memory.dmp