Malware Analysis Report

2025-08-10 22:03

Sample ID 240518-vhej7adf93
Target comet.exe
SHA256 bbf8a678f59bd3cdb0bb4b1a3d2072829acf7d763016a586e683d38fe05e3d90
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bbf8a678f59bd3cdb0bb4b1a3d2072829acf7d763016a586e683d38fe05e3d90

Threat Level: Known bad

The file comet.exe was found to be: Known bad.

Triage note: the AgentTesla family tags rest on signature matches whose indicator rows are empty (N/A) in every analysis below, while the recorded behaviour is hardware-identity tampering. comet.exe drops AMIDEWINx64.EXE (AMI's DMI/SMBIOS editing utility, together with its amigendrv64.sys and amifldrv64.sys drivers) into C:\Windows\Fonts and a Volumeid.exe, invoked with the drive/serial syntax of Sysinternals VolumeID, into C:\Windows\IME, then runs them to overwrite the BIOS, system, baseboard, chassis and processor identity strings and the C: and D: volume serial numbers with random values. Before that it checks in with keyauth.win (a commercial licensing service) and, in the behavioral1 run, fetches content from gofile.io; in the behavioral2 (Windows 11) run only the keyauth.win check-in occurred and nothing was dropped, so the payload stage appears to be gated on that check. Treat the sample as a hardware-ID spoofer whether or not the AgentTesla match is confirmed, and expect a host it ran on to report a changed SMBIOS identity.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

AgentTesla payload

Downloads MZ/PE file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious behavior: LoadsDriver

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 16:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 16:59

Reported

2024-05-18 17:02

Platform

win10v2004-20240508-en

Max time kernel

182s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\comet.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PLA\Rules\en-GB\winxsrcsv64.sys C:\Users\Admin\AppData\Local\Temp\comet.exe N/A
File created C:\Windows\Fonts\AMIDEWINx64.EXE C:\Users\Admin\AppData\Local\Temp\comet.exe N/A
File created C:\Windows\Fonts\amigendrv64.sys C:\Users\Admin\AppData\Local\Temp\comet.exe N/A
File created C:\Windows\Fonts\amifldrv64.sys C:\Users\Admin\AppData\Local\Temp\comet.exe N/A
File created C:\Windows\IME\Volumeid.exe C:\Users\Admin\AppData\Local\Temp\comet.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\comet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\comet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\comet.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
(23 driver-load events recorded; the sandbox captured no indicator, process or target for any of them. The drivers dropped during this run are C:\Windows\PLA\Rules\en-GB\winxsrcsv64.sys, C:\Windows\Fonts\amigendrv64.sys and C:\Windows\Fonts\amifldrv64.sys.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\comet.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\Fonts\AMIDEWINx64.EXE
PID 380 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\IME\Volumeid.exe
PID 380 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\IME\Volumeid.exe
PID 380 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\IME\Volumeid.exe
PID 380 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\IME\Volumeid.exe
PID 380 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\IME\Volumeid.exe
PID 380 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\comet.exe C:\Windows\IME\Volumeid.exe

Processes

C:\Users\Admin\AppData\Local\Temp\comet.exe

"C:\Users\Admin\AppData\Local\Temp\comet.exe"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /IVN "BPJY-OKYN"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /IV "DSWT-TFFW"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /SM "LVIQ-BZKZ"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /SP "SSWA-PWRQ"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /SU "Auto"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /SS "UVLZ-OTKN"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /CSK "GAWK-LWAF"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /CM "YMBW-QNTC"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /SF "EKFV-OXXG"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /BM "AGYY-TFIR"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /BP "KVKA-DZNW"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /BV "SQCD-VUAH"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /BT "CIUD-OPYI"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /BLC "DQJF-XCLS"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /PSN "DJMU-CSYF"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /PAT "WIDX-VUKF"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /PPN "GRWL-KFDV"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /CS "WBXN-PIYP"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /CV "EJZL-IFEJ"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /CA "KPGF-LBNI"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /CO "FDZG-GAIY"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /CT "GQYA-VLPO"

C:\Windows\Fonts\AMIDEWINx64.EXE

"C:\Windows\Fonts\AMIDEWINx64.EXE" /BS "JNTL-UZXA"

C:\Windows\IME\Volumeid.exe

"C:\Windows\IME\Volumeid.exe" C: "MNAV-YXJV"

C:\Windows\IME\Volumeid.exe

"C:\Windows\IME\Volumeid.exe" D: "OOHL-ISID"
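The Processes listing above is the whole spoofing procedure: one parent (PID 380) launches AMIDEWINx64.EXE once per DMI field with a random value, then Volumeid.exe once per drive. The detector below is an added example, not code from the report or from the sample; it runs over constructed process-creation events that mirror those command lines (plus a few benign ones) and groups findings by parent so that a single legitimate DMI write does not fire while the one-parent-rewrites-everything pattern does. The switch-to-field table is transcribed from AMIDEWIN's own usage text and is an assumption about that tool, as is the rule that a switch without a value only reads the field; the VolumeID serial check encodes the hexadecimal xxxx-xxxx form Sysinternals VolumeID accepts, which the values in this report do not match.

```python
"""Flag SMBIOS (DMI) and volume-serial tampering in process-creation telemetry.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from command lines in the Processes section plus a few benign events; in
production, feed Sysmon EventID 1 or EDR process-create records instead.
The switch-to-field table is transcribed from AMIDEWIN's usage text and is an
assumption about that tool, not something the report states.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# AMIDEWIN switches that write a DMI identity field when given a value
# (assumption: taken from the tool's own help output).
AMIDEWIN_FIELDS = {
    "IVN": "BIOS vendor", "IV": "BIOS version", "ID": "BIOS release date",
    "SM": "System manufacturer", "SP": "System product", "SV": "System version",
    "SS": "System serial", "SU": "System UUID", "SK": "System SKU", "SF": "System family",
    "BM": "Baseboard manufacturer", "BP": "Baseboard product", "BV": "Baseboard version",
    "BS": "Baseboard serial", "BT": "Baseboard asset tag", "BLC": "Baseboard location",
    "CM": "Chassis manufacturer", "CT": "Chassis type", "CV": "Chassis version",
    "CS": "Chassis serial", "CA": "Chassis asset tag", "CO": "Chassis OEM info", "CSK": "Chassis SKU",
    "PSN": "Processor serial", "PAT": "Processor asset tag", "PPN": "Processor part number",
}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# The only serial form Sysinternals VolumeID accepts; the report's values are not hex.
_VOLUME_SERIAL = re.compile(r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}")
DMI_FIELD_THRESHOLD = 3  # tunable: one field write can be legitimate OEM provisioning


@dataclass(frozen=True)
class Finding:
    parent_pid: int
    tool: str        # "amidewin" or "volumeid"
    target: str      # DMI field name, or drive letter for volumeid
    new_value: str
    malformed: bool  # volumeid only: serial is not hex xxxx-xxxx, so the call likely failed


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def analyze_event(parent_pid: int, image: str, cmdline: str) -> list[Finding]:
    """Return tamper findings for one process-creation event (empty if none)."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = tokenize(cmdline)[1:]
    findings: list[Finding] = []
    if name.startswith("amidewin"):
        i = 0
        while i < len(args):
            switch = args[i][1:].upper() if args[i].startswith("/") else None
            # A switch with no following value only reads the field (assumption); not tampering.
            has_value = i + 1 < len(args) and not args[i + 1].startswith("/")
            if switch in AMIDEWIN_FIELDS and has_value:
                findings.append(Finding(parent_pid, "amidewin", AMIDEWIN_FIELDS[switch],
                                        args[i + 1], False))
            i += 2 if has_value else 1
    elif name == "volumeid.exe" and len(args) >= 2 and re.fullmatch(r"[A-Za-z]:", args[0]):
        serial = args[1]
        findings.append(Finding(parent_pid, "volumeid", args[0].upper(), serial,
                                _VOLUME_SERIAL.fullmatch(serial) is None))
    return findings


def analyze_events(events) -> list[Finding]:
    return [f for pid, image, cmd in events for f in analyze_event(pid, image, cmd)]


def verdict_by_parent(events) -> dict[int, dict]:
    """Group findings by the parent that spawned the tools. One parent rewriting
    several DMI fields, or any volume serial, is the spoofer pattern in the report."""
    grouped = defaultdict(lambda: {"dmi_fields": set(), "volumes": set()})
    for f in analyze_events(events):
        grouped[f.parent_pid]["dmi_fields" if f.tool == "amidewin" else "volumes"].add(f.target)
    return {
        pid: {
            "dmi_fields": sorted(g["dmi_fields"]),
            "volumes": sorted(g["volumes"]),
            "hwid_tamper": len(g["dmi_fields"]) >= DMI_FIELD_THRESHOLD or bool(g["volumes"]),
        }
        for pid, g in grouped.items()
    }


# Constructed events: (parent PID, image, command line). The first six mirror the report.
SAMPLE_EVENTS = [
    (380, r"C:\Windows\Fonts\AMIDEWINx64.EXE", r'"C:\Windows\Fonts\AMIDEWINx64.EXE" /IVN "BPJY-OKYN"'),
    (380, r"C:\Windows\Fonts\AMIDEWINx64.EXE", r'"C:\Windows\Fonts\AMIDEWINx64.EXE" /SU "Auto"'),
    (380, r"C:\Windows\Fonts\AMIDEWINx64.EXE", r'"C:\Windows\Fonts\AMIDEWINx64.EXE" /SS "UVLZ-OTKN"'),
    (380, r"C:\Windows\Fonts\AMIDEWINx64.EXE", r'"C:\Windows\Fonts\AMIDEWINx64.EXE" /BS "JNTL-UZXA"'),
    (380, r"C:\Windows\IME\Volumeid.exe", r'"C:\Windows\IME\Volumeid.exe" C: "MNAV-YXJV"'),
    (380, r"C:\Windows\IME\Volumeid.exe", r'"C:\Windows\IME\Volumeid.exe" D: "OOHL-ISID"'),
    # Benign-looking noise, constructed: a read-only query, a single provisioning write, unrelated cmd.
    (4100, r"C:\Tools\AMIDEWINx64.EXE", r'"C:\Tools\AMIDEWINx64.EXE" /SS'),
    (4300, r"C:\Tools\AMIDEWINx64.EXE", r'"C:\Tools\AMIDEWINx64.EXE" /SS "5CD1234XYZ"'),
    (4200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir"),
]

if __name__ == "__main__":
    for pid, verdict in verdict_by_parent(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

Keying the verdict on the parent rather than on each AMIDEWIN invocation matters because the tool is a legitimate OEM utility: a provisioning script writing one serial should stay below the threshold, while a parent that touches BIOS, system, baseboard and chassis fields in one burst, or any volume serial, is what this sample does. The malformed flag is worth surfacing in the alert, since it tells the responder whether the volume serials on the host were probably changed or the call likely failed.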

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.123:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 123.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 96.196.17.2.in-addr.arpa udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 cold8.gofile.io udp
US 136.175.8.111:443 cold8.gofile.io tcp
US 8.8.8.8:53 cold2.gofile.io udp
FR 31.14.70.251:443 cold2.gofile.io tcp
US 8.8.8.8:53 cold1.gofile.io udp
FR 31.14.70.248:443 cold1.gofile.io tcp
US 8.8.8.8:53 store8.gofile.io udp
US 8.8.8.8:53 111.8.175.136.in-addr.arpa udp
US 8.8.8.8:53 251.70.14.31.in-addr.arpa udp
US 8.8.8.8:53 248.70.14.31.in-addr.arpa udp
US 206.168.191.31:443 store8.gofile.io tcp
US 8.8.8.8:53 31.191.168.206.in-addr.arpa udp
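The table above mixes three kinds of rows: the sandbox resolving names through 8.8.8.8, reverse (PTR) lookups of every IP it touched, and the actual TLS connections to keyauth.win and the gofile.io download hosts, alongside Bing traffic that Windows generates on its own. The triage helper below is an added example, not code from the report; it parses a constructed subset of these rows (plus one invented name, dl.unresolved.invalid, that is looked up but never contacted) and separates contacted infrastructure from lookups, telemetry and PTR noise. The Bing suffix list is an assumption about background OS traffic, not something the report asserts. Note that the behavioral2 run contacted only keyauth.win and dropped nothing, so blocking keyauth.win alone changes the sample's behaviour but does not remove the download hosts from the picture.

```python
"""Turn a sandbox network table into actionable indicators.

Added example, not part of the sandbox report. NETWORK_TABLE is a constructed
subset of the behavioral1 Network rows plus one invented name (dl.unresolved.invalid)
that is resolved but never contacted. The telemetry suffix list is an assumption:
Bing traffic is Windows/Edge background noise in most sandbox runs, not this sample's.
"""
from __future__ import annotations

from collections import defaultdict

NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BE 2.17.196.123:443 www.bing.com tcp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 cold8.gofile.io udp
US 136.175.8.111:443 cold8.gofile.io tcp
US 8.8.8.8:53 dl.unresolved.invalid udp
US 8.8.8.8:53 store8.gofile.io udp
US 206.168.191.31:443 store8.gofile.io tcp
"""

RESOLVER = ("8.8.8.8", 53)                     # the sandbox's DNS server, not an IOC
TELEMETRY_SUFFIXES = ("bing.com", "bing.net")  # assumption: OS/browser background traffic


def parse_rows(table: str) -> list[dict]:
    """Parse 'Country Destination Domain Proto' rows; skips the header and blank lines."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def _is_telemetry(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in TELEMETRY_SUFFIXES)


def triage(table: str) -> dict:
    """Split rows into contacted infrastructure, names resolved but never contacted,
    background telemetry, and noise (reverse lookups of IPs already seen)."""
    contacted: dict[str, set] = defaultdict(set)
    resolved, telemetry, noise = set(), set(), 0
    for r in parse_rows(table):
        d = r["domain"]
        if d.endswith(".in-addr.arpa"):
            noise += 1          # PTR query made during the run; names no attacker infrastructure
            continue
        if _is_telemetry(d):
            telemetry.add(d)
            continue
        if (r["ip"], r["port"]) == RESOLVER and r["proto"] == "udp":
            resolved.add(d)     # a lookup; only actionable if a connection followed
            continue
        contacted[d].add((r["ip"], r["port"], r["proto"]))
    return {
        "contacted": {d: sorted(v) for d, v in sorted(contacted.items())},
        "resolved_only": sorted(resolved - set(contacted)),
        "telemetry": sorted(telemetry),
        "ptr_noise": noise,
        "blocklist_ips": sorted({ip for v in contacted.values() for ip, _, _ in v}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(NETWORK_TABLE), indent=2))
```

The resolved_only bucket is the one to look at after blocking: a name that was queried but never connected to is either a failed resolution or the next host the sample would have used, and both are worth a DNS-log search across the fleet rather than a firewall entry.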

Files

memory/380-0-0x000000007495E000-0x000000007495F000-memory.dmp

memory/380-1-0x0000000000FD0000-0x0000000001112000-memory.dmp

memory/380-2-0x0000000006090000-0x0000000006634000-memory.dmp

memory/380-3-0x0000000005B80000-0x0000000005C12000-memory.dmp

memory/380-4-0x0000000005B40000-0x0000000005B4A000-memory.dmp

memory/380-5-0x0000000074950000-0x0000000075100000-memory.dmp

memory/380-6-0x0000000006640000-0x0000000006852000-memory.dmp

memory/380-7-0x00000000071B0000-0x00000000071C2000-memory.dmp

memory/380-8-0x0000000074950000-0x0000000075100000-memory.dmp

memory/380-9-0x0000000009B70000-0x0000000009BAC000-memory.dmp

memory/380-10-0x000000007495E000-0x000000007495F000-memory.dmp

memory/380-11-0x0000000074950000-0x0000000075100000-memory.dmp

memory/380-12-0x0000000074950000-0x0000000075100000-memory.dmp

memory/380-14-0x0000000074950000-0x0000000075100000-memory.dmp

C:\Windows\Fonts\AMIDEWINx64.EXE

MD5 64ae4aa4904d3b259dda8cc53769064f
SHA1 24be8fb54afd8182652819b9a307b6f66f3fc58d
SHA256 2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4
SHA512 6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

C:\Windows\IME\Volumeid.exe

MD5 4d867033b27c8a603de4885b449c4923
SHA1 f1ace1a241bab6efb3c7059a68b6e9bbe258da83
SHA256 22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3
SHA512 b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 16:59

Reported

2024-05-18 17:02

Platform

win11-20240426-en

Max time kernel

102s

Max time network

202s

Command Line

"C:\Users\Admin\AppData\Local\Temp\comet.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\comet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\comet.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\comet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\comet.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\comet.exe

"C:\Users\Admin\AppData\Local\Temp\comet.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp

Files

memory/2548-0-0x000000007434E000-0x000000007434F000-memory.dmp

memory/2548-1-0x0000000000C00000-0x0000000000D42000-memory.dmp

memory/2548-2-0x0000000005F40000-0x00000000064E6000-memory.dmp

memory/2548-3-0x0000000005860000-0x00000000058F2000-memory.dmp

memory/2548-4-0x0000000074340000-0x0000000074AF1000-memory.dmp

memory/2548-5-0x0000000005810000-0x000000000581A000-memory.dmp

memory/2548-6-0x0000000005C80000-0x0000000005E92000-memory.dmp

memory/2548-7-0x0000000009200000-0x0000000009212000-memory.dmp

memory/2548-8-0x0000000074340000-0x0000000074AF1000-memory.dmp

memory/2548-9-0x0000000009C90000-0x0000000009CCC000-memory.dmp

memory/2548-10-0x000000007434E000-0x000000007434F000-memory.dmp

memory/2548-11-0x0000000074340000-0x0000000074AF1000-memory.dmp