Malware Analysis Report

2024-11-13 14:21

Sample ID 240618-h7kfhssgpd
Target Purchase order (2).exe
SHA256 631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522

Threat Level: Known bad

The file Purchase order (2).exe was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Loads dropped DLL

Drops startup file

Executes dropped EXE

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-18 07:22

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 07:22

Reported

2024-06-18 07:25

Platform

win7-20240419-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2092 set thread context of 2616 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2276 wrote to memory of 2092 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 2092 wrote to memory of 2616 (8 identical events) | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

C:\Users\Admin\AppData\Local\directory\name.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

Network

N/A

Files

memory/2276-10-0x00000000001A0000-0x00000000001A4000-memory.dmp

\Users\Admin\AppData\Local\directory\name.exe

MD5 968e02a095413348de99f2044213505a
SHA1 1c181d224fb48a7351370c525bbff9cca0380200
SHA256 631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522
SHA512 fca992251073d992f93ef5da97b048d9e2fb8473fc0306d9e735e52a7ee852b4f1547acdb576ea26b85cdc623aed8807295095da18a211f747f637b33e25bd77

C:\Users\Admin\AppData\Local\Temp\tapestring

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\holloing

MD5 37d004d0812c87ff4ac152c4fbb44eb5
SHA1 624baa6221603385ef086689b18ba3e7fcf87511
SHA256 808c22e2a18e0e47b3e02edb6659cfbad7c842e3152a812f7504fe3af9ce5551
SHA512 6905f9d1245d2b2b7c30e32763890fa3fb06acbb1d1a6fb5d70fc597c02754c3f9c3ec979ba5b2ecb333fe7b1b65cd9725f69d98ac52474b894bafb5aadc796e

memory/2616-30-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2616-34-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2616-33-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2616-35-0x0000000073C5E000-0x0000000073C5F000-memory.dmp

memory/2616-36-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/2616-37-0x0000000073C5E000-0x0000000073C5F000-memory.dmp

memory/2616-38-0x0000000073C50000-0x000000007433E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 07:22

Reported

2024-06-18 07:25

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4928 set thread context of 4088 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

C:\Users\Admin\AppData\Local\directory\name.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

Network

N/A

Files

memory/2968-10-0x0000000000C60000-0x0000000000C64000-memory.dmp

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 968e02a095413348de99f2044213505a
SHA1 1c181d224fb48a7351370c525bbff9cca0380200
SHA256 631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522
SHA512 fca992251073d992f93ef5da97b048d9e2fb8473fc0306d9e735e52a7ee852b4f1547acdb576ea26b85cdc623aed8807295095da18a211f747f637b33e25bd77

C:\Users\Admin\AppData\Local\Temp\tapestring

MD5 8b20cb2646439c7f18e57136aae5bac3
SHA1 fa9f00c44d1b7d3208d276ef901dd4b2be492182
SHA256 34ab7d1ee752ed88d892b69a21a38ec0ad54362a0349c9a19fdac6f4bf373615
SHA512 6a0edf66b072153d0758201067c84c31151942f773997c07403cee4dc9f0548d5db0c133db2f2bf80c0140012a385b80efcaacd14ab3f36b94e31b65e6bc772e

C:\Users\Admin\AppData\Local\Temp\holloing

MD5 37d004d0812c87ff4ac152c4fbb44eb5
SHA1 624baa6221603385ef086689b18ba3e7fcf87511
SHA256 808c22e2a18e0e47b3e02edb6659cfbad7c842e3152a812f7504fe3af9ce5551
SHA512 6905f9d1245d2b2b7c30e32763890fa3fb06acbb1d1a6fb5d70fc597c02754c3f9c3ec979ba5b2ecb333fe7b1b65cd9725f69d98ac52474b894bafb5aadc796e

memory/4088-28-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4088-29-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

memory/4088-30-0x0000000005B30000-0x00000000060D4000-memory.dmp

memory/4088-31-0x00000000054B0000-0x0000000005516000-memory.dmp

memory/4088-32-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/4088-33-0x0000000006390000-0x00000000063E0000-memory.dmp

memory/4088-34-0x0000000006480000-0x0000000006512000-memory.dmp

memory/4088-35-0x0000000006420000-0x000000000642A000-memory.dmp

memory/4088-36-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

memory/4088-37-0x0000000074C90000-0x0000000075440000-memory.dmp