Malware Analysis Report

2024-11-30 05:50

Sample ID 240610-cb1jzaad6t
Target 3b4827cd945dd236a36ac1c96ccb085b4bc71ce3c2da1b5daa12594787de6f47.zip
SHA256 3b4827cd945dd236a36ac1c96ccb085b4bc71ce3c2da1b5daa12594787de6f47
Tags
agenttesla execution keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b4827cd945dd236a36ac1c96ccb085b4bc71ce3c2da1b5daa12594787de6f47

Threat Level: Known bad

The file 3b4827cd945dd236a36ac1c96ccb085b4bc71ce3c2da1b5daa12594787de6f47.zip was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many file transfer clients. Observed in information stealers

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 01:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 01:54

Reported

2024-06-10 02:04

Platform

win7-20240215-en

Max time kernel

20s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe

"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IyoNJg.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IyoNJg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6845.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files

memory/2916-0-0x000000007426E000-0x000000007426F000-memory.dmp

memory/2916-1-0x0000000000CB0000-0x0000000000D60000-memory.dmp

memory/2916-2-0x0000000074260000-0x000000007494E000-memory.dmp

memory/2916-3-0x00000000003C0000-0x00000000003D6000-memory.dmp

memory/2916-5-0x00000000003E0000-0x00000000003F0000-memory.dmp

memory/2916-4-0x0000000000350000-0x000000000035E000-memory.dmp

memory/2916-6-0x00000000051D0000-0x0000000005254000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IX1WC3G6QDD4NQAWJIBJ.temp

MD5 16164c5e765d764910463b162cd6f488
SHA1 0ab61ce3391d56aeb1a82c78c616430f1f4381cc
SHA256 85b0d4212940a0d6f88741623771f33b6072404423c456986f25f78ab094e442
SHA512 8c0030f4ffcc4191bec4e2c2dfb99238062e30df42dd1528ec0c5cb1a54445ec2b0fecd7b7dd1ff962db17a15e02dcbf200ec86cb3b32afddd29ea19b748b460

memory/2532-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2916-32-0x0000000074260000-0x000000007494E000-memory.dmp

memory/2532-31-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2532-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2532-25-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2532-28-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2532-23-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2532-21-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2532-20-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6845.tmp

MD5 2bec82bce75aadb2fc03713a77a42a68
SHA1 29e8122620faead94697f6a97a1fe18b52eb959e
SHA256 e73c243304d5c2e4a1c18a6be504f89a9e8edeff77f6f6d294e6a668a96420cf
SHA512 ef235ac68c0e384b47e343e89c825f54856835de727ee7d0c66a48422229db901917d8adeaf66ea990a1c6944884e11dcee0487066de4a8fc94a2d3668643377

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 01:54

Reported

2024-06-10 02:02

Platform

win10v2004-20240426-en

Max time kernel

21s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe

"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IyoNJg.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IyoNJg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8E2.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp

Files

memory/3268-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

memory/3268-1-0x0000000000230000-0x00000000002E0000-memory.dmp

memory/3268-2-0x0000000005240000-0x00000000057E4000-memory.dmp

memory/3268-3-0x0000000004D30000-0x0000000004DC2000-memory.dmp

memory/3268-5-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

memory/3268-4-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3268-6-0x0000000004F00000-0x0000000004F16000-memory.dmp

memory/3268-8-0x00000000051D0000-0x00000000051E0000-memory.dmp

memory/3268-7-0x00000000051C0000-0x00000000051CE000-memory.dmp

memory/3268-9-0x0000000006400000-0x0000000006484000-memory.dmp

memory/3268-10-0x0000000008A50000-0x0000000008AEC000-memory.dmp

memory/3268-16-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

memory/3756-18-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3756-19-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3756-17-0x0000000005950000-0x0000000005F78000-memory.dmp

memory/3756-22-0x0000000006620000-0x0000000006686000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA8E2.tmp

MD5 ba4b2a76b8986e2df5f763a5f2ace7f3
SHA1 d1f4bb0e7f00c7326609301c8646f053ec43cd81
SHA256 e7f9b54a0c5393e6ce0cd627a07b01f73edd7d2523e766364f284a18297460ba
SHA512 7443d5066336875390d965a0bf47bc840d8788d5b41867b4dff62619b8f8927de0afedad90ecce8234144ddc7da93825f7b44afa346994391e5e6f44c57d8a0c

memory/2992-43-0x0000000005690000-0x00000000059E4000-memory.dmp

memory/2992-46-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2992-47-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3268-50-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3756-51-0x00000000067A0000-0x00000000067BE000-memory.dmp

memory/1356-48-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3756-52-0x0000000006D50000-0x0000000006D9C000-memory.dmp

memory/3268-45-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2992-44-0x0000000074BE0000-0x0000000075390000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmwg50wz.3qa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3756-23-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3756-21-0x00000000058A0000-0x0000000005906000-memory.dmp

memory/3756-20-0x0000000005800000-0x0000000005822000-memory.dmp

memory/3756-15-0x0000000002EA0000-0x0000000002ED6000-memory.dmp

memory/3756-65-0x00000000079E0000-0x0000000007A83000-memory.dmp

memory/2992-66-0x0000000075450000-0x000000007549C000-memory.dmp

memory/3756-64-0x0000000006DA0000-0x0000000006DBE000-memory.dmp

memory/3756-77-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

memory/3756-78-0x0000000007B50000-0x0000000007B5A000-memory.dmp

memory/3756-76-0x0000000008130000-0x00000000087AA000-memory.dmp

memory/3756-54-0x0000000075450000-0x000000007549C000-memory.dmp

memory/3756-53-0x00000000077A0000-0x00000000077D2000-memory.dmp

memory/3756-79-0x0000000007D60000-0x0000000007DF6000-memory.dmp

memory/2992-80-0x00000000071B0000-0x00000000071C1000-memory.dmp

memory/3756-81-0x0000000007D10000-0x0000000007D1E000-memory.dmp

memory/3756-83-0x0000000007D20000-0x0000000007D34000-memory.dmp

memory/3756-84-0x0000000007E20000-0x0000000007E3A000-memory.dmp

memory/3756-85-0x0000000007E00000-0x0000000007E08000-memory.dmp

memory/2992-92-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3756-91-0x0000000074BE0000-0x0000000075390000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2a98d1816459e3b46bd459d286729cba
SHA1 f48f12d25ff80189c33cf735ab51c33f7015c880
SHA256 bfcbfdf4aca49b5d132714c2e2a390dfffaa4c5794168c97d11a1a2fd32267e9
SHA512 1cd059337a9dd2d4ae03578d51975e16fea5a0b43fe2e92a94c77402f969fe1958aa27c5bd9445018c6f7a2dde6f3d7ee1e9ccd0fad56b3be3abc39806526341

memory/1356-93-0x0000000006830000-0x0000000006880000-memory.dmp