Malware Analysis Report

2024-11-30 06:42

Sample ID 240604-bqnchsha33
Target f47687b0c0b19be857d3ae8c77d4a35980e4c511a90329fc766a82b148dd42b3
SHA256 f47687b0c0b19be857d3ae8c77d4a35980e4c511a90329fc766a82b148dd42b3
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f47687b0c0b19be857d3ae8c77d4a35980e4c511a90329fc766a82b148dd42b3

Threat Level: Known bad

The file f47687b0c0b19be857d3ae8c77d4a35980e4c511a90329fc766a82b148dd42b3 was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:21

Reported

2024-06-04 01:23

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2840 set thread context of 2344 N/A C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe

"C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe"

C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe

"C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe"

Network

N/A

Files

memory/2840-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

memory/2840-1-0x0000000000830000-0x0000000000922000-memory.dmp

memory/2840-2-0x0000000074A90000-0x000000007517E000-memory.dmp

memory/2840-3-0x00000000054F0000-0x000000000558E000-memory.dmp

memory/2840-4-0x0000000000570000-0x0000000000586000-memory.dmp

memory/2840-5-0x0000000000820000-0x000000000082E000-memory.dmp

memory/2840-6-0x0000000001F70000-0x0000000001F80000-memory.dmp

memory/2840-7-0x0000000005610000-0x0000000005692000-memory.dmp

memory/2344-9-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2344-22-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2344-20-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2344-18-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2344-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2344-14-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2344-12-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2344-10-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2840-23-0x0000000074A90000-0x000000007517E000-memory.dmp

memory/2344-24-0x0000000074A90000-0x000000007517E000-memory.dmp

memory/2344-25-0x0000000074A90000-0x000000007517E000-memory.dmp

memory/2344-26-0x0000000074A90000-0x000000007517E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:21

Reported

2024-06-04 01:23

Platform

win10v2004-20240426-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2224 set thread context of 3536 N/A C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe

"C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe"

C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe

"C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 us2.smtp.mailhostbox.com udp
US 208.91.199.225:587 us2.smtp.mailhostbox.com tcp
US 8.8.8.8:53 225.199.91.208.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/2224-0-0x000000007458E000-0x000000007458F000-memory.dmp

memory/2224-1-0x0000000000770000-0x0000000000862000-memory.dmp

memory/2224-2-0x00000000058C0000-0x0000000005E64000-memory.dmp

memory/2224-3-0x0000000005200000-0x0000000005292000-memory.dmp

memory/2224-4-0x0000000005510000-0x0000000005864000-memory.dmp

memory/2224-6-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/2224-5-0x00000000054C0000-0x00000000054CA000-memory.dmp

memory/2224-7-0x0000000006CE0000-0x0000000006D7E000-memory.dmp

memory/2224-8-0x0000000005FB0000-0x0000000005FC6000-memory.dmp

memory/2224-9-0x0000000006810000-0x000000000681E000-memory.dmp

memory/2224-10-0x0000000006820000-0x0000000006830000-memory.dmp

memory/2224-11-0x00000000068A0000-0x0000000006922000-memory.dmp

memory/2224-12-0x0000000009190000-0x000000000922C000-memory.dmp

memory/3536-13-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MTO-JOHNSON-TF-8548.exe.log

MD5 b7b9acb869ccc7f7ecb5304ec0384dee
SHA1 6a90751c95817903ee833d59a0abbef425a613b3
SHA256 8cb00a15cd942a1861c573d86d6fb430512c8e2f80f6349f48b16b8709ca7aa4
SHA512 7bec881ac5f59ac26f1be1e7e26d63f040c06369de10c1c246e531a4395d27c335d9acc647ecdedb48ed37bdc2dc405a4cfc11762e1c00659a49be259eaf8764

memory/3536-16-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/2224-17-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3536-19-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3536-18-0x0000000005380000-0x00000000053E6000-memory.dmp

memory/3536-20-0x00000000061A0000-0x00000000061F0000-memory.dmp

memory/3536-21-0x0000000074580000-0x0000000074D30000-memory.dmp