Malware Analysis Report

2024-11-13 14:21

Sample ID 240618-janbkstakb
Target Purchase order (2).exe
SHA256 631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522

Threat Level: Known bad

The file Purchase order (2).exe was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Drops startup file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-18 07:28

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 07:28

Reported

2024-06-18 07:30

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs C:\Users\Admin\AppData\Local\directory\name.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2428 set thread context of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\directory\name.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 3008 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 3008 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 3008 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2428 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\WerFault.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\WerFault.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\WerFault.exe
PID 2428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

C:\Users\Admin\AppData\Local\directory\name.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 320

Network

N/A

Files

memory/3008-10-0x0000000000260000-0x0000000000264000-memory.dmp

\Users\Admin\AppData\Local\directory\name.exe

MD5 968e02a095413348de99f2044213505a
SHA1 1c181d224fb48a7351370c525bbff9cca0380200
SHA256 631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522
SHA512 fca992251073d992f93ef5da97b048d9e2fb8473fc0306d9e735e52a7ee852b4f1547acdb576ea26b85cdc623aed8807295095da18a211f747f637b33e25bd77

C:\Users\Admin\AppData\Local\Temp\tapestring

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2668-30-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2668-33-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2668-34-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2668-37-0x0000000073E1E000-0x0000000073E1F000-memory.dmp

memory/2668-41-0x0000000073E10000-0x00000000744FE000-memory.dmp

memory/2668-42-0x0000000073E1E000-0x0000000073E1F000-memory.dmp

memory/2668-43-0x0000000073E10000-0x00000000744FE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 07:28

Reported

2024-06-18 07:30

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs C:\Users\Admin\AppData\Local\directory\name.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3432 set thread context of 4560 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

C:\Users\Admin\AppData\Local\directory\name.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp

Files

memory/4076-10-0x0000000000F40000-0x0000000000F44000-memory.dmp

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 968e02a095413348de99f2044213505a
SHA1 1c181d224fb48a7351370c525bbff9cca0380200
SHA256 631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522
SHA512 fca992251073d992f93ef5da97b048d9e2fb8473fc0306d9e735e52a7ee852b4f1547acdb576ea26b85cdc623aed8807295095da18a211f747f637b33e25bd77

C:\Users\Admin\AppData\Local\Temp\tapestring

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4560-28-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4560-29-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

memory/4560-30-0x00000000059A0000-0x0000000005F44000-memory.dmp

memory/4560-31-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/4560-32-0x0000000005560000-0x00000000055C6000-memory.dmp

memory/4560-33-0x00000000062A0000-0x00000000062F0000-memory.dmp

memory/4560-34-0x0000000006390000-0x0000000006422000-memory.dmp

memory/4560-35-0x0000000006340000-0x000000000634A000-memory.dmp

memory/4560-36-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

memory/4560-37-0x0000000074E30000-0x00000000755E0000-memory.dmp