Malware Analysis Report

2024-11-30 05:49

Sample ID 240610-e8lhescb5y
Target e849d28b8e499a4dac6152ac85d6959ec7267657ae28ba9955f8275fec0a2e46.rar
SHA256 e849d28b8e499a4dac6152ac85d6959ec7267657ae28ba9955f8275fec0a2e46
Tags agenttesla execution keylogger persistence spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 e849d28b8e499a4dac6152ac85d6959ec7267657ae28ba9955f8275fec0a2e46

Threat Level: Known bad

The file e849d28b8e499a4dac6152ac85d6959ec7267657ae28ba9955f8275fec0a2e46.rar was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects executables referencing many file transfer clients. Observed in information stealers

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 04:36

Reported

2024-06-10 04:44

Platform

win7-20240508-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bank details.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

Tactic: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

Tactic: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2988 set thread context of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tactic: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2988 wrote to memory of 2744 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 2628 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 2772 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2988 wrote to memory of 2564 (12 events) | N/A | C:\Users\Admin\AppData\Local\Temp\bank details.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bank details.exe

"C:\Users\Admin\AppData\Local\Temp\bank details.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bank details.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hssWuq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hssWuq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F47.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files

memory/2988-0-0x000000007419E000-0x000000007419F000-memory.dmp

memory/2988-1-0x0000000000AD0000-0x0000000000B9A000-memory.dmp

memory/2988-2-0x0000000074190000-0x000000007487E000-memory.dmp

memory/2988-3-0x0000000000410000-0x0000000000426000-memory.dmp

memory/2988-4-0x0000000000950000-0x000000000095E000-memory.dmp

memory/2988-5-0x0000000000A10000-0x0000000000A20000-memory.dmp

memory/2988-6-0x0000000004410000-0x0000000004494000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6F47.tmp

MD5 7c4a21321a153d24c4840116eef6b5ed
SHA1 b41d59e061c09cc2efab07fea8ef39f5f6927f18
SHA256 7c3a7b353ffccd139ca8f997e4b0e4c4fbf635274ae04fa7d0c32e710c1860db
SHA512 46f79a438d3cc045d40d1fa430e46b373013c9beca2e688ba2ef22cbdae2c08465eeae84217ed25ba233861ecbfb845aefdc1211b1141fdbd3caba82b03b3efc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 aefbb6ac59acb9809cf314e7506643c7
SHA1 5aa12346548504ac4ec02eefe53144391fc8645e
SHA256 a8e79f6c24d6e2b2bd6cdf086accee3769f6332ec465af19880cba45d457fecd
SHA512 816ba87e2ee29d8dbf79fabd70b92332e1eb1317ee568db4e011d6d364567848c15fcf968bf8078204e8b0e6f7000e6a6c1a6ee7b7f2872e541db8585892a144

memory/2564-19-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-25-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-30-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-28-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2564-21-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-23-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2988-31-0x0000000074190000-0x000000007487E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Reported

0001-01-01 00:00

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A