Malware Analysis Report

2024-10-19 09:22

Sample ID: 240612-cj4xcsydmd
Target: 782c3bb9ccc71a1660bfa7549a649457cd3d601ab817d5d0d1a006e84407b85b
SHA256: 782c3bb9ccc71a1660bfa7549a649457cd3d601ab817d5d0d1a006e84407b85b
Tags: agenttesla execution keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 782c3bb9ccc71a1660bfa7549a649457cd3d601ab817d5d0d1a006e84407b85b
Threat Level: Known bad

The file 782c3bb9ccc71a1660bfa7549a649457cd3d601ab817d5d0d1a006e84407b85b was found to be: Known bad.

Malicious Activity Summary

Tags: agenttesla execution keylogger spyware stealer trojan

AgentTesla
Command and Scripting Interpreter: PowerShell
Reads user/profile data of local email clients
Loads dropped DLL
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-12 02:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 02:07
Reported: 2024-06-12 02:09
Platform: win7-20240220-en
Max time kernel: 146s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MSK872314.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Delggeres.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Delggeres.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Delggeres.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3064 set thread context of 2424 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\Delggeres.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\firbens\psycholeptic.ini | C:\Users\Admin\AppData\Local\Temp\MSK872314.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\boltholes.obl | C:\Users\Admin\AppData\Local\Temp\MSK872314.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Delggeres.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3032 wrote to memory of 3064 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\MSK872314.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 2596 (4 events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 2424 (6 events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\Delggeres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MSK872314.exe
  "C:\Users\Admin\AppData\Local\Temp\MSK872314.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Forretningsforbindelserne=Get-Content 'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Insider\Pigout.Smr';$Sheetwise=$Forretningsforbindelserne.SubString(50997,3);.$Sheetwise($Forretningsforbindelserne)"

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"

C:\Users\Admin\AppData\Local\Temp\Delggeres.exe
  "C:\Users\Admin\AppData\Local\Temp\Delggeres.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | okecimaventures.com.ng | udp
US | 31.220.51.138:80 | okecimaventures.com.ng | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 172.67.74.152:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | smtp.gmail.com | udp
NL | 142.250.27.108:587 | smtp.gmail.com | tcp

Files

memory/3064-8-0x0000000073A51000-0x0000000073A52000-memory.dmp
memory/3064-10-0x0000000073A50000-0x0000000073FFB000-memory.dmp
memory/3064-12-0x0000000073A50000-0x0000000073FFB000-memory.dmp
memory/3064-11-0x0000000073A50000-0x0000000073FFB000-memory.dmp
memory/3064-9-0x0000000073A50000-0x0000000073FFB000-memory.dmp

C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Insider\Pigout.Smr
  MD5    5b666f06cc1e9de33f4f56e415241506
  SHA1   8253f4854a516d91f9ac7189d108cfe2822f5a2b
  SHA256 9c121e08561368b3fabba2fef46f73a398fd27b54ae7a9b511d1e782cd50dfef
  SHA512 e2f444a080037474a69ecdff6545638a0a173a3e7230046f4e0a3b659511516806d13c406267d570d7b2006d7e9efbb91b8fbc02996d9ee31ffa801b5e7027f9

C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Trilogier.rea
  MD5    f96b7a4776a6d23f3a50da5897f86911
  SHA1   839f9621509a37133fedf3465944999a5c88b8bf
  SHA256 7d6c274ad802ad0f166f4cd6bf1a72e289d55900481105029c8146265e969b29
  SHA512 7f6befad553bcd030d48b5cade86c26394f3ae306abef0bf6f34eca72756947f85d1983874c993a237bfdc585b41d7bd73e8147cc2084c631df157226229580e

memory/3064-16-0x00000000065F0000-0x0000000008D23000-memory.dmp

\Users\Admin\AppData\Local\Temp\Delggeres.exe
  MD5    397c71ddf48527dc363407c2dc6382fd
  SHA1   8d309abbd3842e15778dad790e3bb36371060eab
  SHA256 fd2ed2817b36ad04fda64c952b1a38e9a4cee86a247d0a7e9dfea5bab81b2e82
  SHA512 a5b4bf00e115c99a2433ebf7f91ea7fc12e6c5a6f06d049d89b9027b29bba769ec51d3ace6a1671595d685db7e74e458cb75e39fe8c1abb9533ae19d0c308a46

memory/2424-21-0x0000000000460000-0x00000000014C2000-memory.dmp
memory/3064-22-0x0000000073A50000-0x0000000073FFB000-memory.dmp
memory/2424-24-0x0000000000460000-0x00000000004A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 02:07
Reported: 2024-06-12 02:09
Platform: win10v2004-20240508-en
Max time kernel: 145s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MSK872314.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\firbens\psycholeptic.ini | C:\Users\Admin\AppData\Local\Temp\MSK872314.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\boltholes.obl | C:\Users\Admin\AppData\Local\Temp\MSK872314.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MSK872314.exe
  "C:\Users\Admin\AppData\Local\Temp\MSK872314.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Forretningsforbindelserne=Get-Content 'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Insider\Pigout.Smr';$Sheetwise=$Forretningsforbindelserne.SubString(50997,3);.$Sheetwise($Forretningsforbindelserne)"

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4300 -ip 4300

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8

Network

Files

memory/4300-6-0x0000000073A6E000-0x0000000073A6F000-memory.dmp
memory/4300-7-0x0000000002A70000-0x0000000002AA6000-memory.dmp
memory/4300-8-0x0000000005430000-0x0000000005A58000-memory.dmp
memory/4300-9-0x0000000073A60000-0x0000000074210000-memory.dmp
memory/4300-10-0x0000000005110000-0x0000000005132000-memory.dmp
memory/4300-12-0x00000000053A0000-0x0000000005406000-memory.dmp
memory/4300-11-0x0000000005330000-0x0000000005396000-memory.dmp
memory/4300-13-0x0000000073A60000-0x0000000074210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtul2pbu.ufy.ps1
  MD5    d17fe0a3f47be24a6453e9ef58c94641
  SHA1   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4300-23-0x0000000005A60000-0x0000000005DB4000-memory.dmp
memory/4300-24-0x0000000006070000-0x000000000608E000-memory.dmp
memory/4300-25-0x0000000006100000-0x000000000614C000-memory.dmp
memory/4300-27-0x0000000006590000-0x00000000065AA000-memory.dmp
memory/4300-26-0x0000000007080000-0x0000000007116000-memory.dmp
memory/4300-28-0x00000000065F0000-0x0000000006612000-memory.dmp
memory/4300-29-0x00000000076D0000-0x0000000007C74000-memory.dmp

C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Insider\Pigout.Smr
  MD5    5b666f06cc1e9de33f4f56e415241506
  SHA1   8253f4854a516d91f9ac7189d108cfe2822f5a2b
  SHA256 9c121e08561368b3fabba2fef46f73a398fd27b54ae7a9b511d1e782cd50dfef
  SHA512 e2f444a080037474a69ecdff6545638a0a173a3e7230046f4e0a3b659511516806d13c406267d570d7b2006d7e9efbb91b8fbc02996d9ee31ffa801b5e7027f9

memory/4300-31-0x0000000008300000-0x000000000897A000-memory.dmp
memory/4300-33-0x0000000073A60000-0x0000000074210000-memory.dmp