Malware Analysis Report

2024-10-23 21:59

Sample ID 240612-b1cnrsxhlj
Target 744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe
SHA256 744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee

Threat Level: Known bad

The file 744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects executables referencing many file transfer clients. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Looks up external IP address via web service

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 01:36

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 01:36

Reported

2024-06-12 01:38

Platform

win7-20240508-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2060 set thread context of 2956 N/A C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe

"C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp

Files

memory/2060-10-0x0000000000120000-0x0000000000124000-memory.dmp

memory/2956-15-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2956-13-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2956-12-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2956-16-0x000000007489E000-0x000000007489F000-memory.dmp

memory/2956-17-0x0000000074890000-0x0000000074F7E000-memory.dmp

memory/2956-18-0x000000007489E000-0x000000007489F000-memory.dmp

memory/2956-19-0x0000000074890000-0x0000000074F7E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 01:36

Reported

2024-06-12 01:38

Platform

win10v2004-20240611-en

Max time kernel

106s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3740 set thread context of 3976 N/A C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe

"C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/3740-10-0x0000000003DB0000-0x0000000003DB4000-memory.dmp

memory/3976-11-0x0000000000700000-0x0000000000742000-memory.dmp

memory/3976-12-0x00000000744BE000-0x00000000744BF000-memory.dmp

memory/3976-13-0x00000000052F0000-0x0000000005894000-memory.dmp

memory/3976-14-0x0000000004E40000-0x0000000004EA6000-memory.dmp

memory/3976-15-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/3976-16-0x0000000006010000-0x0000000006060000-memory.dmp

memory/3976-17-0x0000000006100000-0x0000000006192000-memory.dmp

memory/3976-18-0x0000000006080000-0x000000000608A000-memory.dmp

memory/3976-19-0x00000000744BE000-0x00000000744BF000-memory.dmp

memory/3976-20-0x00000000744B0000-0x0000000074C60000-memory.dmp