Analysis Overview
SHA256
4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284
Threat Level: Known bad
The file 4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:30
Reported
2024-06-04 01:32
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1636 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe | C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe
"C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe"
C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe
"C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe"
Network
Files
memory/1636-0-0x000000007492E000-0x000000007492F000-memory.dmp
memory/1636-1-0x00000000013C0000-0x00000000014AC000-memory.dmp
memory/1636-2-0x0000000074920000-0x000000007500E000-memory.dmp
memory/1636-3-0x0000000000C50000-0x0000000000C94000-memory.dmp
memory/1636-4-0x000000007492E000-0x000000007492F000-memory.dmp
memory/1636-5-0x0000000074920000-0x000000007500E000-memory.dmp
memory/1636-6-0x0000000000640000-0x000000000065A000-memory.dmp
memory/1636-7-0x00000000004F0000-0x00000000004F6000-memory.dmp
memory/2680-9-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2680-12-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1636-18-0x0000000074920000-0x000000007500E000-memory.dmp
memory/2680-16-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2680-10-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2680-14-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1636-19-0x0000000074920000-0x000000007500E000-memory.dmp
memory/2680-20-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2680-21-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2680-22-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2680-23-0x0000000074920000-0x000000007500E000-memory.dmp
memory/1636-24-0x0000000074920000-0x000000007500E000-memory.dmp
memory/2680-25-0x0000000074920000-0x000000007500E000-memory.dmp
memory/2680-26-0x0000000074920000-0x000000007500E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:30
Reported
2024-06-04 01:32
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2984 set thread context of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe | C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe
"C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe"
C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe
"C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe"
C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe
"C:\Users\Admin\AppData\Local\Temp\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.rusticpensiune.ro | udp |
| RO | 185.146.87.128:21 | ftp.rusticpensiune.ro | tcp |
| US | 8.8.8.8:53 | 128.87.146.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
Files
memory/2984-0-0x000000007538E000-0x000000007538F000-memory.dmp
memory/2984-1-0x0000000000710000-0x00000000007FC000-memory.dmp
memory/2984-2-0x0000000004E80000-0x0000000004F1C000-memory.dmp
memory/2984-3-0x0000000005530000-0x0000000005AD4000-memory.dmp
memory/2984-4-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/2984-5-0x0000000006070000-0x00000000060B4000-memory.dmp
memory/2984-6-0x0000000006280000-0x0000000006312000-memory.dmp
memory/2984-7-0x0000000006410000-0x000000000641A000-memory.dmp
memory/2984-8-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/2984-9-0x000000007538E000-0x000000007538F000-memory.dmp
memory/2984-10-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/2984-11-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/2984-12-0x0000000005FA0000-0x0000000005FBA000-memory.dmp
memory/2984-13-0x0000000006000000-0x0000000006006000-memory.dmp
memory/3692-14-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284.exe.log
| Hash | Value |
| --- | --- |
| MD5 | a053a152bb35229292626703958d32af |
| SHA1 | 95a97a0b46b0c0826e4d4b7f98d3c989486cc015 |
| SHA256 | 007a3862a3f7fdf80007af071719abeb624ae94db77213dd3d0d48c248e2b9fe |
| SHA512 | 5178591b1eb940b85d888d3443761c1e13930354ab364d0643814b65a2482fb2f9a58faaf1949496ffcde7291e174c2e96904a939f17c95d1a87a0ed044f88ca |
memory/3692-17-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/2984-18-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/3692-19-0x00000000059D0000-0x0000000005A36000-memory.dmp
memory/3692-20-0x0000000075380000-0x0000000075B30000-memory.dmp
memory/3692-21-0x00000000067B0000-0x0000000006800000-memory.dmp
memory/3692-22-0x0000000075380000-0x0000000075B30000-memory.dmp