Analysis Overview
SHA256
f47687b0c0b19be857d3ae8c77d4a35980e4c511a90329fc766a82b148dd42b3
Threat Level: Known bad
The file f47687b0c0b19be857d3ae8c77d4a35980e4c511a90329fc766a82b148dd42b3 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:21
Reported
2024-06-04 01:23
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2840 set thread context of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| PID | Image | Command line |
| 2840 | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | "C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe" |
| 2344 | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | "C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe" |
Network
Files
memory/2840-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp
memory/2840-1-0x0000000000830000-0x0000000000922000-memory.dmp
memory/2840-2-0x0000000074A90000-0x000000007517E000-memory.dmp
memory/2840-3-0x00000000054F0000-0x000000000558E000-memory.dmp
memory/2840-4-0x0000000000570000-0x0000000000586000-memory.dmp
memory/2840-5-0x0000000000820000-0x000000000082E000-memory.dmp
memory/2840-6-0x0000000001F70000-0x0000000001F80000-memory.dmp
memory/2840-7-0x0000000005610000-0x0000000005692000-memory.dmp
memory/2344-9-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2344-22-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2344-20-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2344-18-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2344-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2344-14-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2344-12-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2344-10-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2840-23-0x0000000074A90000-0x000000007517E000-memory.dmp
memory/2344-24-0x0000000074A90000-0x000000007517E000-memory.dmp
memory/2344-25-0x0000000074A90000-0x000000007517E000-memory.dmp
memory/2344-26-0x0000000074A90000-0x000000007517E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:21
Reported
2024-06-04 01:23
Platform
win10v2004-20240426-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2224 set thread context of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| PID | Image | Command line |
| 2224 | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | "C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe" |
| 3536 | C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe | "C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us2.smtp.mailhostbox.com | udp |
| US | 208.91.199.225:587 | us2.smtp.mailhostbox.com | tcp |
| US | 8.8.8.8:53 | 225.199.91.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
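The rows an analyst acts on in this report are the two SetThreadContext entries (PID 2840 into 2344 on Win7, PID 2224 into 3536 on Win10, in both cases a second copy of the same image, which is the process-hollowing pattern), the SeDebugPrivilege rows, and the single TCP connection in the Network table. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it loads the signature and network rows reproduced from this page as constructed tuples and derives the hollowing pair, the SMTP exfiltration endpoint and a de-noised IOC list. The set of mail-submission ports treated as exfil channels and the address treated as the sandbox's own resolver are assumptions, as is the PTR-suffix rule used to drop reverse-lookup noise.

```python
"""Turn the signature and network tables of an AgentTesla sandbox report into indicators."""
import re

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\MTO-JOHNSON-TF-8548.exe"

# (signature, description, process, target): constructed from the tables on this page.
SIGNATURE_ROWS = [
    ("Suspicious use of SetThreadContext", "PID 2840 set thread context of 2344", IMAGE, IMAGE),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege", IMAGE, "N/A"),
    ("Suspicious use of SetThreadContext", "PID 2224 set thread context of 3536", IMAGE, IMAGE),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege", IMAGE, "N/A"),
]

# (country, destination, domain, proto): constructed from the win10 run's Network table.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "138.107.17.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "us2.smtp.mailhostbox.com", "udp"),
    ("US", "208.91.199.225:587", "us2.smtp.mailhostbox.com", "tcp"),
    ("US", "8.8.8.8:53", "225.199.91.208.in-addr.arpa", "udp"),
]

MAIL_SUBMISSION_PORTS = {25, 465, 587, 2525}  # assumption: ports flagged as SMTP exfil
SANDBOX_RESOLVERS = {"8.8.8.8"}               # assumption: the sandbox's upstream DNS server

SET_CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def split_dest(dest):
    """'208.91.199.225:587' -> ('208.91.199.225', 587)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def is_ptr_noise(domain):
    """Reverse lookups the sandbox performs on IPs it saw on the wire, not sample IOCs."""
    return domain.endswith((".in-addr.arpa", ".ip6.arpa"))


def hollowing_pairs(sig_rows):
    """Every SetThreadContext row as (injector PID, target PID, image, same_image).

    same_image is True when the injector and the injected process share one image:
    the loader spawned a copy of itself and replaced its memory (process hollowing).
    """
    pairs = []
    for sig, desc, proc, target in sig_rows:
        if sig != "Suspicious use of SetThreadContext":
            continue
        m = SET_CTX_RE.search(desc)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2)), proc, proc == target))
    return pairs


def debug_privilege_holders(sig_rows):
    """Processes that enabled SeDebugPrivilege (needed to open other processes for injection)."""
    return sorted({proc for sig, desc, proc, _ in sig_rows
                   if sig == "Suspicious use of AdjustPrivilegeToken" and "SeDebugPrivilege" in desc})


def smtp_endpoints(net_rows):
    """TCP connections to mail-submission ports: AgentTesla's usual exfiltration channel."""
    out = []
    for _country, dest, domain, proto in net_rows:
        host, port = split_dest(dest)
        if proto == "tcp" and port in MAIL_SUBMISSION_PORTS:
            out.append((host, port, domain))
    return out


def extract_iocs(net_rows):
    """Domains the sample resolved or contacted and IPs it connected to,
    with resolver traffic and PTR noise removed."""
    domains, ips = set(), set()
    for _country, dest, domain, proto in net_rows:
        host, _port = split_dest(dest)
        if is_ptr_noise(domain):
            continue
        domains.add(domain)
        if host not in SANDBOX_RESOLVERS:
            ips.add(host)
    return {"domains": domains, "ips": ips}


def triage(sig_rows, net_rows):
    """One dict with everything a detection engineer needs from the report."""
    return {
        "hollowing": hollowing_pairs(sig_rows),
        "se_debug": debug_privilege_holders(sig_rows),
        "smtp_exfil": smtp_endpoints(net_rows),
        "iocs": extract_iocs(net_rows),
    }


if __name__ == "__main__":
    for key, value in triage(SIGNATURE_ROWS, NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

Note that the `*.in-addr.arpa` rows are not domains the sample contacted; they are the sandbox resolving PTR records for addresses it observed (the `225.199.91.208.in-addr.arpa` row is the reverse lookup of 208.91.199.225, the SMTP server above it). Feeding them into a blocklist would produce no detections and a lot of noise; the single usable network IOCs here are `us2.smtp.mailhostbox.com` and `208.91.199.225:587`.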
Files
memory/2224-0-0x000000007458E000-0x000000007458F000-memory.dmp
memory/2224-1-0x0000000000770000-0x0000000000862000-memory.dmp
memory/2224-2-0x00000000058C0000-0x0000000005E64000-memory.dmp
memory/2224-3-0x0000000005200000-0x0000000005292000-memory.dmp
memory/2224-4-0x0000000005510000-0x0000000005864000-memory.dmp
memory/2224-6-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/2224-5-0x00000000054C0000-0x00000000054CA000-memory.dmp
memory/2224-7-0x0000000006CE0000-0x0000000006D7E000-memory.dmp
memory/2224-8-0x0000000005FB0000-0x0000000005FC6000-memory.dmp
memory/2224-9-0x0000000006810000-0x000000000681E000-memory.dmp
memory/2224-10-0x0000000006820000-0x0000000006830000-memory.dmp
memory/2224-11-0x00000000068A0000-0x0000000006922000-memory.dmp
memory/2224-12-0x0000000009190000-0x000000000922C000-memory.dmp
memory/3536-13-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MTO-JOHNSON-TF-8548.exe.log
| MD5 | b7b9acb869ccc7f7ecb5304ec0384dee |
| SHA1 | 6a90751c95817903ee833d59a0abbef425a613b3 |
| SHA256 | 8cb00a15cd942a1861c573d86d6fb430512c8e2f80f6349f48b16b8709ca7aa4 |
| SHA512 | 7bec881ac5f59ac26f1be1e7e26d63f040c06369de10c1c246e531a4395d27c335d9acc647ecdedb48ed37bdc2dc405a4cfc11762e1c00659a49be259eaf8764 |
memory/3536-16-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/2224-17-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/3536-19-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/3536-18-0x0000000005380000-0x00000000053E6000-memory.dmp
memory/3536-20-0x00000000061A0000-0x00000000061F0000-memory.dmp
memory/3536-21-0x0000000074580000-0x0000000074D30000-memory.dmp