Malware Analysis Report

2024-10-19 09:23

Sample ID 240612-cm1zwayeja
Target c5ede20ffafcd5a794af3bea7ac1f7817a399da89c4c28903d319afd8b76ea4d.zip
SHA256 c5ede20ffafcd5a794af3bea7ac1f7817a399da89c4c28903d319afd8b76ea4d
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c5ede20ffafcd5a794af3bea7ac1f7817a399da89c4c28903d319afd8b76ea4d

Threat Level: Known bad

The file c5ede20ffafcd5a794af3bea7ac1f7817a399da89c4c28903d319afd8b76ea4d.zip was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects executables referencing many file transfer clients. Observed in information stealers

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 02:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 02:12

Reported

2024-06-12 02:14

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2964 set thread context of 2532 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe
PID 2964 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe
PID 2964 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe
PID 2964 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe
PID 2964 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe
PID 2964 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe
PID 2964 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe
PID 2964 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe
PID 2964 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe
PID 2964 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe
PID 2964 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe

"C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe"

C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe

"C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe"

C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe

"C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 mail.destinationtoplan.com udp

Files

memory/2964-0-0x000000007500E000-0x000000007500F000-memory.dmp

memory/2964-1-0x00000000005A0000-0x0000000000656000-memory.dmp

memory/2964-2-0x0000000005660000-0x0000000005C04000-memory.dmp

memory/2964-3-0x00000000050B0000-0x0000000005142000-memory.dmp

memory/2964-4-0x0000000005040000-0x000000000504A000-memory.dmp

memory/2964-5-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/2964-6-0x0000000005630000-0x0000000005652000-memory.dmp

memory/2964-7-0x00000000028D0000-0x00000000028E0000-memory.dmp

memory/2964-8-0x00000000066D0000-0x0000000006752000-memory.dmp

memory/2964-9-0x0000000007D40000-0x0000000007DDC000-memory.dmp

memory/2532-10-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Consigment Docs.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/2532-13-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/2964-14-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/2532-16-0x0000000075000000-0x00000000757B0000-memory.dmp

memory/2532-15-0x0000000005190000-0x00000000051F6000-memory.dmp

memory/2532-17-0x0000000006940000-0x0000000006990000-memory.dmp

memory/2532-18-0x0000000075000000-0x00000000757B0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 02:12

Reported

2024-06-12 02:14

Platform

win7-20231129-en

Max time kernel

118s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1632 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe

"C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe"

C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe

"C:\Users\Admin\AppData\Local\Temp\Consigment Docs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

memory/1632-0-0x000000007498E000-0x000000007498F000-memory.dmp

memory/1632-1-0x0000000000930000-0x00000000009E6000-memory.dmp

memory/1632-2-0x0000000074980000-0x000000007506E000-memory.dmp

memory/1632-3-0x0000000000430000-0x0000000000452000-memory.dmp

memory/1632-4-0x0000000000450000-0x0000000000460000-memory.dmp

memory/1632-5-0x0000000004E90000-0x0000000004F12000-memory.dmp

memory/2744-6-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2744-7-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2744-9-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2744-10-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2744-14-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2744-18-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2744-16-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2744-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1632-20-0x0000000074980000-0x000000007506E000-memory.dmp

memory/2744-19-0x0000000074980000-0x000000007506E000-memory.dmp

memory/2744-21-0x0000000074980000-0x000000007506E000-memory.dmp

memory/2744-36-0x0000000074980000-0x000000007506E000-memory.dmp