Malware Analysis Report

2024-10-19 08:08

Sample ID: 240530-x4kpfahh29
Target: Office 365 Smtp Checker by xLotus.exe
SHA256: 85bcedf925b9c4736e58be9585168b8bff41b5ad76d85a188b004967c023bd6c
Tags: agenttesla njrat evasion keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

Score: 10/10
SHA256: 85bcedf925b9c4736e58be9585168b8bff41b5ad76d85a188b004967c023bd6c
Threat Level: Known bad

The file Office 365 Smtp Checker by xLotus.exe was found to be: Known bad.

The filename presents the sample as an Office 365 SMTP credential-checking tool. The behavioral run instead shows two payload families: AgentTesla (keylogger/credential stealer) and njRAT/Bladabindi (remote access trojan). The njRAT side is the one visible in the signatures below and matches its documented behavior: a copy named svchost.exe is dropped under the user profile, registered in the Run key and the Startup folder, allowed through the Windows Firewall with netsh, and then connects to a dynamic-DNS host on TCP 1177, njRAT's default port.

Malicious Activity Summary

Tags: agenttesla njrat evasion keylogger persistence spyware stealer trojan

AgentTesla
njRAT/Bladabindi
AgentTesla payload
Modifies Windows Firewall
Drops startup file
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-30 19:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-30 19:24
Reported: 2024-05-30 19:26
Platform: win10v2004-20240426-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Office 365 Smtp Checker by xLotus.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

njRAT/Bladabindi

trojan njrat

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Office 365 Smtp Checker by xLotus.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft Corp\svchost.exe | N/A

Weak on its own: .NET programs read Geo\Nation through the culture/region APIs, so this signature also fires on legitimate software. It is useful here only as confirmation that the dropped Microsoft Corp\svchost.exe ran far enough to initialise.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ebe8ac4d453f424fb04983e03f7ffc9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ebe8ac4d453f424fb04983e03f7ffc9e.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Corp\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Both dropped binaries are named svchost.exe but live under the user profile; the genuine svchost.exe runs only from C:\Windows\System32 (or SysWOW64). Note that these are two distinct files in two distinct directories, "Microsoft Corp\svchost.exe" and "Roaming\svchost.exe".

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebe8ac4d453f424fb04983e03f7ffc9e = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ebe8ac4d453f424fb04983e03f7ffc9e = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

The same 32-character hex name (ebe8ac4d453f424fb04983e03f7ffc9e) is used for the Run value and for the Startup-folder file, and the trailing " .." argument in the Run value is the form njRAT writes, so both persistence entries can be hunted by that string. The HKLM write landing under WOW6432Node shows a 32-bit process going through the registry redirector; a successful write under HKLM\SOFTWARE needs administrative rights, so on a standard-user host expect only the HKCU entry.

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Office 365 Smtp Checker by xLotus.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Office 365 Smtp Checker by xLotus.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Office 365 Smtp Checker by xLotus.exe | N/A

Reading SystemManufacturer and SystemVersion from the BIOS key is a common sandbox/VM fingerprint (VirtualBox, VMware and QEMU leave recognisable strings there). It is performed by the initial sample, so a hardened analysis VM should present plausible vendor strings or the dropper may refuse to run.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Office 365 Smtp Checker by xLotus.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
(the last two rows alternate and repeat 13 times in the original log, 26 rows in total)

"Token: 33" is a privilege LUID the sandbox did not resolve to a name; 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h. The alternating pair repeating 13 times in a two-minute run points to a loop that adjusts its own priority and working set. The line that matters is SeDebugPrivilege being enabled by both the initial sample and the dropped svchost.exe: that is the privilege needed to open and write other processes, and it ties in with the WriteProcessMemory signature in the overview.

Processes

C:\Users\Admin\AppData\Local\Temp\Office 365 Smtp Checker by xLotus.exe
"C:\Users\Admin\AppData\Local\Temp\Office 365 Smtp Checker by xLotus.exe"

C:\Users\Admin\AppData\Roaming\Microsoft Corp\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Corp\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE

The export lists each process with its command line but not the parent/child tree. The netsh invocation uses the deprecated "netsh firewall" context (superseded by "netsh advfirewall firewall"); Windows 10 still executes it and only prints a deprecation notice, and the exception it creates allows inbound connections to the dropped Roaming\svchost.exe under the display name "svchost.exe". netsh being loaded from SysWOW64 rather than System32 means it was launched by a 32-bit process, consistent with the WOW6432Node registry write above.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | server-rotow47179.x10.mx | udp
US | 198.91.81.15:443 | server-rotow47179.x10.mx | tcp
US | 8.8.8.8:53 | 15.81.91.198.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | xdonbrook.ddns.net | udp
TN | 196.179.249.22:1177 | xdonbrook.ddns.net | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
TN | 196.179.249.22:1177 | xdonbrook.ddns.net | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
TN | 196.179.249.22:1177 | xdonbrook.ddns.net | tcp
US | 8.8.8.8:53 | xdonbrook.ddns.net | udp
TN | 196.179.249.22:1177 | xdonbrook.ddns.net | tcp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
TN | 196.179.249.22:1177 | xdonbrook.ddns.net | tcp

Two destinations matter; everything else is DNS to 8.8.8.8, mostly reverse (in-addr.arpa) lookups, one of them (15.81.91.198.in-addr.arpa) for the first C2 address itself. server-rotow47179.x10.mx resolves to 198.91.81.15 and is contacted once over TCP 443. xdonbrook.ddns.net resolves to 196.179.249.22 (Tunisia) and is contacted five times on TCP 1177, njRAT's default listening port; repeated connects within a two-minute run are consistent with njRAT's reconnect loop. The report does not attribute either connection to a specific payload, so treat both host names and both IPs as indicators, and expect the ddns.net name to move to a new address whenever the operator re-points it.
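A hunt over host and network telemetry for the chain recorded in the Signatures, Processes and Network sections above, added here as an example and not part of the sandbox report. It encodes the report's own indicators (both C2 names and IPs, port 1177, svchost.exe under the user profile, the Run-key and Startup-folder persistence, and the netsh exception) as checks over constructed Sysmon-style event dictionaries. The event shape and field names are assumptions to be mapped onto your own telemetry, and handling advfirewall's "program=" syntax alongside the legacy "allowedprogram" form the report shows is a generalisation of the page's example.

```python
"""Hunt logic for the njRAT/AgentTesla behaviour chain in this report.

Added example, not from the sandbox report. It scores constructed,
Sysmon-style events (an assumed shape) against the recorded indicators:
  - svchost.exe executing outside System32/SysWOW64
  - Run-key or Startup-folder persistence pointing into a user-writable path
  - "netsh firewall add allowedprogram" (and advfirewall's "program=" form)
  - TCP to port 1177 (njRAT's default) or to the report's C2 hosts/IPs
"""
import re
from typing import Dict, List, Optional

# Indicators copied from the report's Network table.
C2_HOSTS = {"xdonbrook.ddns.net", "server-rotow47179.x10.mx"}
C2_IPS = {"196.179.249.22", "198.91.81.15"}
NJRAT_DEFAULT_PORT = 1177

# Patterns for the recorded behaviours (case-insensitive, literal backslashes).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\[^\\]+\\Downloads)\\", re.I)
SVCHOST_LEGIT = re.compile(r"^[a-z]:\\Windows\\(System32|SysWOW64)\\svchost\.exe$", re.I)
# Legacy "firewall add allowedprogram <path>" and advfirewall "... program=<path>".
NETSH_ALLOW = re.compile(
    r"\b(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=)"
    r'\s*(?:"([^"]+)"|(\S+))',
    re.I,
)


def allowed_program(cmdline: str) -> Optional[str]:
    """Path that a netsh command adds as a firewall exception, or None."""
    m = NETSH_ALLOW.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def check_event(ev: Dict) -> List[str]:
    """Indicator names matched by one event (empty list when clean)."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "")
        if image.lower().endswith("\\svchost.exe") and not SVCHOST_LEGIT.match(image):
            hits.append("svchost_outside_system32")
        prog = allowed_program(ev.get("cmdline", ""))
        if prog is not None:
            hits.append("netsh_firewall_allow")
            if USER_WRITABLE.search(prog):
                hits.append("firewall_allow_user_writable_binary")
    elif kind == "registry":
        if RUN_KEY.search(ev.get("key", "")):
            hits.append("run_key_set")  # informational on its own; installers do this too
            if USER_WRITABLE.search(ev.get("value", "")):
                hits.append("run_key_user_writable_binary")
    elif kind == "file":
        if STARTUP_DIR.search(ev.get("path", "")):
            hits.append("startup_folder_drop")
    elif kind == "network":
        if ev.get("dst_port") == NJRAT_DEFAULT_PORT:
            hits.append("njrat_default_port")
        if ev.get("domain", "").lower() in C2_HOSTS or ev.get("dst_ip") in C2_IPS:
            hits.append("known_c2")
    return hits


def hunt(events: List[Dict]) -> Dict[str, List[int]]:
    """Map each indicator name to the indices of the events that triggered it."""
    findings: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for tag in check_event(ev):
            findings.setdefault(tag, []).append(i)
    return findings


# Stages of the chain seen in the detonation; several stages on one host is the
# strong signal, any single stage can be noise.
STAGES = [
    {"svchost_outside_system32"},
    {"run_key_user_writable_binary", "startup_folder_drop"},
    {"firewall_allow_user_writable_binary"},
    {"njrat_default_port", "known_c2"},
]


def chain_score(findings: Dict[str, List[int]]) -> int:
    """Number of chain stages (0..4) present in the findings."""
    seen = set(findings)
    return sum(1 for stage in STAGES if stage & seen)


# Constructed events mirroring the report, followed by two benign controls.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"type": "registry",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ebe8ac4d453f424fb04983e03f7ffc9e",
     "value": r'"C:\Users\Admin\AppData\Roaming\svchost.exe" ..'},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                             r"\Start Menu\Programs\Startup\ebe8ac4d453f424fb04983e03f7ffc9e.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE'},
    {"type": "network", "dst_ip": "196.179.249.22", "dst_port": 1177, "domain": "xdonbrook.ddns.net"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "network", "dst_ip": "8.8.8.8", "dst_port": 53, "domain": ""},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for tag, idx in sorted(found.items()):
        print(f"{tag:38s} events {idx}")
    print("chain stages present:", chain_score(found), "of", len(STAGES))
```

Run it directly to print the per-indicator hits for the constructed events. Single-stage hits are noisy (installers write Run keys and add firewall exceptions), so chain_score, the number of distinct stages seen on one host, is the value worth alerting on; the two control events produce no hits at all.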

Files

Memory dumps are named memory/<pid>-<sequence>-<start>-<end>-memory.dmp; dumps from PIDs 1232, 2208 and 4568 are listed, in the order the sandbox took them.

memory/1232-0-0x000000007468E000-0x000000007468F000-memory.dmp
memory/1232-1-0x0000000000930000-0x0000000000AEE000-memory.dmp
memory/1232-2-0x0000000074680000-0x0000000074E30000-memory.dmp
memory/1232-3-0x0000000074680000-0x0000000074E30000-memory.dmp
memory/1232-4-0x0000000005F20000-0x00000000064C4000-memory.dmp
memory/1232-5-0x0000000005610000-0x00000000056A2000-memory.dmp
memory/1232-6-0x00000000056B0000-0x0000000005716000-memory.dmp
memory/1232-7-0x0000000006520000-0x000000000652A000-memory.dmp
memory/1232-8-0x0000000006900000-0x0000000006BCA000-memory.dmp
memory/1232-9-0x0000000006BD0000-0x0000000006DE4000-memory.dmp
memory/1232-11-0x000000000A400000-0x000000000A47A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft Corp\svchost.exe
MD5 71ef183a5a18725806fa656974d49929
SHA1 deebe1b2c77f1a9bfd6248f7c47a93e662680558
SHA256 68f78f7959a3f8eb3dff29f579125c80e9f0893ce571eb720304d2d7a881cf3c
SHA512 abed2549cf3d13e50310b253097a3f9f68cded4465e72d2100301a773105c27b5d5c88913c63a27b6d34e2dea7b546d4c39d95a9c318daf1727c36aced241ac2

Its SHA256 differs from the submitted sample, so this is a distinct dropped binary rather than a byte-identical self-copy. It is also the only dropped file with hashes in this export: C:\Users\Admin\AppData\Roaming\svchost.exe, the binary that writes the persistence and firewall entries, has none here, so the hashes above do not cover it and it must be hashed separately if recovered.

memory/2208-26-0x000000006EB12000-0x000000006EB13000-memory.dmp
memory/2208-27-0x000000006EB10000-0x000000006F0C1000-memory.dmp
memory/2208-37-0x000000006EB10000-0x000000006F0C1000-memory.dmp
memory/4568-38-0x000000006EB10000-0x000000006F0C1000-memory.dmp
memory/1232-39-0x000000007468E000-0x000000007468F000-memory.dmp
memory/1232-40-0x0000000074680000-0x0000000074E30000-memory.dmp
memory/1232-42-0x0000000074680000-0x0000000074E30000-memory.dmp
memory/4568-43-0x000000006EB10000-0x000000006F0C1000-memory.dmp
memory/1232-44-0x0000000005560000-0x0000000005570000-memory.dmp
memory/1232-46-0x0000000074680000-0x0000000074E30000-memory.dmp