Analysis Overview
SHA256
8d682f1a9fdb8afb144352e40aefb7baddc1a8ee100a37325aaa04983546fdce
Threat Level: Known bad
The file 90384630603db9e5a555e63b50542c67.bin was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 02:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 02:15
Reported
2024-06-12 02:17
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
AgentTesla
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2196 set thread context of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | "C:\Users\Admin\AppData\Local\Temp\7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2196 -s 652 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mail.b-trust.org | udp |
| BG | 193.41.190.42:25 | mail.b-trust.org | tcp |
Files
memory/2196-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp
memory/2196-1-0x0000000000890000-0x000000000089A000-memory.dmp
memory/2196-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
memory/2196-3-0x000000001B570000-0x000000001B606000-memory.dmp
memory/2252-4-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2252-11-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2252-15-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2252-13-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2252-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2252-8-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2252-6-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2252-5-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2252-16-0x000000007488E000-0x000000007488F000-memory.dmp
memory/2252-17-0x0000000074880000-0x0000000074F6E000-memory.dmp
memory/2196-18-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp
memory/2196-19-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
memory/2252-20-0x000000007488E000-0x000000007488F000-memory.dmp
memory/2252-21-0x0000000074880000-0x0000000074F6E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 02:15
Reported
2024-06-12 02:17
Platform
win10v2004-20240611-en
Max time kernel
114s
Max time network
126s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3300 set thread context of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | "C:\Users\Admin\AppData\Local\Temp\7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4272,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.b-trust.org | udp |
| BG | 193.41.190.42:25 | mail.b-trust.org | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
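The two behaviours worth a detection rule in this report are the loader in the user's Temp directory setting the thread context of a freshly spawned, argument-less .NET framework utility (CasPol.exe in behavioral1, regasm.exe in behavioral2, i.e. the hollowing target that then runs AgentTesla) and that hollowed utility opening SMTP to mail.b-trust.org on port 25. The script below is an added example, not part of the sandbox report or of the sandbox's own signatures: it runs both checks over a handful of constructed events whose field names are assumed to follow Sysmon Event 1 (ProcessCreate) and Event 3 (NetworkConnect); the list of hollowing targets and of legitimate mail clients are assumptions to tune for your estate, and the PIDs and paths are taken from behavioral2.

```python
"""Flag the hollowed-.NET-utility + SMTP-exfil pattern from this report.

Added example, not from the sandbox report. Events are constructed to
mimic Sysmon Event 1 / Event 3 fields; they are not real telemetry.
"""
import re
from pathlib import PureWindowsPath

# .NET framework utilities commonly used as hollowing hosts by .NET
# loaders (the report shows CasPol.exe and regasm.exe); assumed list.
DOTNET_HOLLOW_TARGETS = {
    "caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "msbuild.exe", "applaunch.exe", "aspnet_compiler.exe",
}
DOTNET_FRAMEWORK_DIR = re.compile(
    r"^c:\\windows\\microsoft\.net\\framework(64)?\\v\d", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.IGNORECASE)
# Processes that legitimately speak SMTP (assumed); anything else is odd.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

def hollow_target_spawn(ev):
    """Event 1: parent in a user-writable dir launches a .NET utility
    with no arguments. A bare "C:\\...\\regasm.exe" command line is the
    tell: the utility is started only to host someone else's code."""
    image = PureWindowsPath(ev["Image"])
    parent = ev.get("ParentImage", "")
    args = ev["CommandLine"].strip().strip('"')
    return (image.name.lower() in DOTNET_HOLLOW_TARGETS
            and DOTNET_FRAMEWORK_DIR.match(str(image)) is not None
            and USER_WRITABLE.match(parent) is not None
            and args.lower() == str(image).lower())

def smtp_from_non_mail_client(ev):
    """Event 3: outbound SMTP from a process that is not a mail client."""
    name = PureWindowsPath(ev["Image"]).name.lower()
    return ev["DestinationPort"] in SMTP_PORTS and name not in MAIL_CLIENTS

def triage(events):
    """Return (rule, ProcessId, Image) for every matching event."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1 and hollow_target_spawn(ev):
            hits.append(("hollow_target_spawn", ev["ProcessId"], ev["Image"]))
        elif ev["EventID"] == 3 and smtp_from_non_mail_client(ev):
            hits.append(("smtp_non_mail_client", ev["ProcessId"], ev["Image"]))
    return hits

# Constructed events modelled on behavioral2 (PIDs/paths from the report).
LOADER = r"C:\Users\Admin\AppData\Local\Temp\7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3300, "Image": LOADER,
     "CommandLine": f'"{LOADER}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1680, "Image": REGASM,
     "CommandLine": f'"{REGASM}"', "ParentImage": LOADER},
    # Benign control: a build tool running regasm with real arguments.
    {"EventID": 1, "ProcessId": 4100, "Image": REGASM,
     "CommandLine": f'"{REGASM}" /codebase C:\\build\\Lib.dll',
     "ParentImage": r"C:\Program Files\dotnet\dotnet.exe"},
    {"EventID": 3, "ProcessId": 1680, "Image": REGASM,
     "DestinationIp": "193.41.190.42", "DestinationPort": 25,
     "DestinationHostname": "mail.b-trust.org"},
    # Benign control: a mail client submitting on 587.
    {"EventID": 3, "ProcessId": 5200,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "40.97.1.1", "DestinationPort": 587,
     "DestinationHostname": ""},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit)
```

Only PID 1680 trips both rules; the regasm run from a build tool and the Outlook submission on 587 are left alone. Correlating the two hits on the same PID is what turns a noisy "odd child process" alert into a credible infostealer exfil signal.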
Files
memory/3300-1-0x00007FFD3B923000-0x00007FFD3B925000-memory.dmp
memory/3300-0-0x00000177125D0000-0x00000177125DA000-memory.dmp
memory/3300-2-0x000001772CDA0000-0x000001772CE36000-memory.dmp
memory/3300-3-0x00007FFD3B920000-0x00007FFD3C3E1000-memory.dmp
memory/1680-4-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1680-5-0x0000000074C7E000-0x0000000074C7F000-memory.dmp
memory/1680-6-0x0000000005E20000-0x00000000063C4000-memory.dmp
memory/1680-7-0x0000000005990000-0x00000000059F6000-memory.dmp
memory/1680-8-0x0000000074C70000-0x0000000075420000-memory.dmp
memory/3300-9-0x00007FFD3B920000-0x00007FFD3C3E1000-memory.dmp
memory/1680-10-0x0000000006830000-0x0000000006880000-memory.dmp
memory/1680-11-0x0000000006920000-0x00000000069BC000-memory.dmp
memory/1680-12-0x0000000074C7E000-0x0000000074C7F000-memory.dmp
memory/1680-13-0x0000000074C70000-0x0000000075420000-memory.dmp
memory/1680-14-0x0000000006CE0000-0x0000000006D72000-memory.dmp
memory/1680-15-0x0000000006CC0000-0x0000000006CCA000-memory.dmp