Analysis Overview
SHA256
891b5bb34a57b6f58d635f8c3c64e9f1ca2fec59030fb9094fa3efebfb5b8729
Threat Level: Known bad
The file 891b5bb34a57b6f58d635f8c3c64e9f1ca2fec59030fb9094fa3efebfb5b8729.rar was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Detects executables referencing Windows vault credential objects. Observed in infostealers
Detects executables referencing many email and collaboration clients. Observed in information stealers
Detects executables referencing many file transfer clients. Observed in information stealers
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Detect packed .NET executables. Mostly AgentTeslaV4.
Reads user/profile data of local email clients
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 01:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 01:42
Reported
2024-06-12 01:45
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
AgentTesla
Detect packed .NET executables. Mostly AgentTeslaV4.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing Windows vault credential objects. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many file transfer clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jBpFfg = "C:\\Users\\Admin\\AppData\\Roaming\\jBpFfg\\jBpFfg.exe" | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3056 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe
"C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe"
C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe
"C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/3056-0-0x000000007441E000-0x000000007441F000-memory.dmp
memory/3056-1-0x0000000000A40000-0x0000000000AF6000-memory.dmp
memory/3056-2-0x0000000074410000-0x0000000074AFE000-memory.dmp
memory/3056-3-0x0000000000580000-0x00000000005A2000-memory.dmp
memory/3056-4-0x0000000000360000-0x0000000000370000-memory.dmp
memory/3056-5-0x00000000058B0000-0x0000000005932000-memory.dmp
memory/2624-7-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2624-14-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2624-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3056-20-0x000000007441E000-0x000000007441F000-memory.dmp
memory/2624-19-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2624-11-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2624-10-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2624-21-0x0000000074410000-0x0000000074AFE000-memory.dmp
memory/2624-23-0x0000000074410000-0x0000000074AFE000-memory.dmp
memory/3056-22-0x0000000074410000-0x0000000074AFE000-memory.dmp
memory/2624-16-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2624-8-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2624-25-0x0000000074410000-0x0000000074AFE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 01:42
Reported
2024-06-12 01:45
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
AgentTesla
Detect packed .NET executables. Mostly AgentTeslaV4.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing Windows vault credential objects. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many file transfer clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jBpFfg = "C:\\Users\\Admin\\AppData\\Roaming\\jBpFfg\\jBpFfg.exe" | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 692 set thread context of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe
"C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4076,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=1276 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe
"C:\Users\Admin\AppData\Local\Temp\SOA MAY 2024.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | mail.bredband2.com | udp |
Files
memory/692-0-0x00007FF969F30000-0x00007FF96A125000-memory.dmp
memory/692-1-0x00000000003A0000-0x0000000000456000-memory.dmp
memory/692-2-0x0000000005360000-0x0000000005904000-memory.dmp
memory/692-3-0x0000000004E50000-0x0000000004EE2000-memory.dmp
memory/692-4-0x00007FF969F30000-0x00007FF96A125000-memory.dmp
memory/692-5-0x0000000005000000-0x000000000500A000-memory.dmp
memory/692-6-0x0000000006710000-0x0000000006732000-memory.dmp
memory/692-7-0x0000000004800000-0x0000000004810000-memory.dmp
memory/692-8-0x00000000063D0000-0x0000000006452000-memory.dmp
memory/692-9-0x000000000BD60000-0x000000000BDFC000-memory.dmp
memory/1900-10-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA MAY 2024.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/1900-13-0x00007FF969F30000-0x00007FF96A125000-memory.dmp
memory/1900-15-0x00007FF969F30000-0x00007FF96A125000-memory.dmp
memory/1900-14-0x0000000005160000-0x00000000051C6000-memory.dmp
memory/1900-17-0x0000000006A90000-0x0000000006AE0000-memory.dmp
memory/1900-18-0x00007FF969F30000-0x00007FF96A125000-memory.dmp