Malware Analysis Report

2024-11-30 05:41

Sample ID 240619-cgr5sawenl
Target 9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e
SHA256 9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e

Threat Level: Known bad

The file 9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 02:03

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 02:03

Reported

2024-06-19 02:05

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1976 set thread context of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1976 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe

"C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\exhilaratingly

MD5 57526393506d5a53e6a40ade71ee8af6
SHA1 62ea25d35a4e8dab1acd3cf7c991e26079b767a8
SHA256 29232b112c00397078c4e59864cd323c60227b6f2dad38c944f695926ebfb575
SHA512 8581543251d75918724e3c90f446678f957dd5175ccd686364217a4264d9e2bc830a773d39f9320750fb1e0999b1ced6ed79d4044a40a088688feb73559597dc

memory/1976-11-0x00000000000B0000-0x00000000000B4000-memory.dmp

memory/2948-12-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2948-14-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2948-15-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2948-16-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

memory/2948-17-0x0000000000A60000-0x0000000000AB4000-memory.dmp

memory/2948-18-0x0000000000B10000-0x0000000000B62000-memory.dmp

memory/2948-19-0x0000000073CE0000-0x00000000743CE000-memory.dmp

memory/2948-59-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-84-0x0000000073CE0000-0x00000000743CE000-memory.dmp

memory/2948-181-0x0000000073CE0000-0x00000000743CE000-memory.dmp

memory/2948-79-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-77-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-75-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-73-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-71-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-69-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-67-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-65-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-63-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-61-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-57-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-55-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-53-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-51-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-49-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-47-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-45-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-41-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-39-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-37-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-35-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-33-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-31-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-29-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-27-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-25-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-23-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-21-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-20-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-43-0x0000000000B10000-0x0000000000B5D000-memory.dmp

memory/2948-1052-0x0000000073CE0000-0x00000000743CE000-memory.dmp

memory/2948-1053-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2948-1054-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

memory/2948-1055-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 02:03

Reported

2024-06-19 02:05

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1004 set thread context of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
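The signature tables of both runs (behavioral1 and behavioral2) record the same pattern: the sample in the user's Temp folder changes the thread context of a freshly started RegSvcs.exe, and in the win7 run also writes to its memory eight times, after which the sandbox dumps a region at 0x400000-0x446000 in the RegSvcs.exe process in both runs. The script below is an added example, not the sandbox vendor's code or the report's own output. It takes rows constructed from the signature tables and dump names above, correlates them per (source PID, target PID) pair into an injection finding, and pulls out the dumped region at the default x86 image base. The trusted-host path prefixes and the high/medium confidence levels are assumptions made for this example; the correlation generalizes to any run that logs PID pairs in the same "PID A wrote to memory of B" / "PID A set thread context of B" form.

```python
"""Correlate the sandbox's signature rows into process-injection findings.

Added example, not the sandbox vendor's code. The rows and dump names below
are copied from the report's behavioral1 and behavioral2 runs; the parsing,
the trusted-host prefixes and the confidence levels are assumptions.
"""
import re
from collections import defaultdict

# Image paths as the report prints them.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe")
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# (signature, description, process, target) rows constructed from the report's tables.
SIGNATURE_ROWS = (
    # behavioral1 (win7): one SetThreadContext plus eight WriteProcessMemory rows
    [("Suspicious use of SetThreadContext", "PID 1976 set thread context of 2948", SAMPLE_EXE, REGSVCS)]
    + [("Suspicious use of WriteProcessMemory", "PID 1976 wrote to memory of 2948", SAMPLE_EXE, REGSVCS)] * 8
    + [("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege", REGSVCS, "N/A")]
    # behavioral2 (win10): only the SetThreadContext row was logged
    + [("Suspicious use of SetThreadContext", "PID 1004 set thread context of 2756", SAMPLE_EXE, REGSVCS)]
    + [("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege", REGSVCS, "N/A")]
)

# Dump names as listed under Files (a subset of each run).
MEMORY_DUMPS = [
    "memory/1976-11-0x00000000000B0000-0x00000000000B4000-memory.dmp",
    "memory/2948-12-0x0000000000400000-0x0000000000446000-memory.dmp",
    "memory/2948-17-0x0000000000A60000-0x0000000000AB4000-memory.dmp",
    "memory/2948-19-0x0000000073CE0000-0x00000000743CE000-memory.dmp",
    "memory/1004-12-0x00000000035D0000-0x00000000035D4000-memory.dmp",
    "memory/2756-13-0x0000000000400000-0x0000000000446000-memory.dmp",
    "memory/2756-19-0x0000000073F60000-0x0000000074710000-memory.dmp",
]

# Hosts commonly chosen for hollowing; an assumption for this example, not from the report.
TRUSTED_PREFIXES = ("C:\\Windows\\Microsoft.NET\\", "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")

_PID_PAIR = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")
_DUMP = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_pid_pair(description):
    """Return (source_pid, action, target_pid), or None for rows with no PID pair."""
    m = _PID_PAIR.match(description)
    return (int(m.group(1)), m.group(2), int(m.group(3))) if m else None


def find_injection(rows):
    """Group rows by (source PID, target PID) and rate each cross-process pair.

    high   = remote writes AND a thread-context change into a different image under a trusted path
    medium = thread-context change into another process without logged writes (the win10 run here)
    """
    pairs = defaultdict(lambda: {"writes": 0, "set_context": 0, "src": None, "dst": None})
    for _sig, desc, proc, target in rows:
        parsed = parse_pid_pair(desc)
        if parsed is None:
            continue
        src, action, dst = parsed
        entry = pairs[(src, dst)]
        entry["src"], entry["dst"] = proc, target
        entry["writes" if action.startswith("wrote") else "set_context"] += 1
    findings = []
    for (src, dst), e in sorted(pairs.items()):
        if src == dst or not e["set_context"]:
            continue
        strong = e["writes"] > 0 and e["src"] != e["dst"] and e["dst"].startswith(TRUSTED_PREFIXES)
        findings.append({"source_pid": src, "target_pid": dst, "source_image": e["src"],
                         "target_image": e["dst"], "writes": e["writes"],
                         "confidence": "high" if strong else "medium"})
    return findings


def dumps_for_pid(dumps, pid):
    """Parse the sandbox's dump file names into (start, end, size) regions for one PID."""
    regions = []
    for name in dumps:
        m = _DUMP.match(name)
        if m and int(m.group(1)) == pid:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append((start, end, end - start))
    return regions


def likely_hollowed_image(regions, default_base=0x400000):
    """Return the region mapped at the default x86 PE image base (the usual hollowing
    location) if the sandbox dumped one; None otherwise."""
    return next(((s, e, n) for s, e, n in regions if s == default_base), None)


if __name__ == "__main__":
    for f in find_injection(SIGNATURE_ROWS):
        regions = dumps_for_pid(MEMORY_DUMPS, f["target_pid"])
        print(f, likely_hollowed_image(regions))
```

Run as-is it prints one high-confidence finding for 1976 -> 2948 (eight writes, same 0x46000-byte region at 0x400000) and one medium-confidence finding for 1004 -> 2756, where the win10 run logged no WriteProcessMemory rows but dumped a region of the same size at the same base. The medium tier exists precisely because a rule that insists on seeing the writes would have missed the second run.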

Processes

C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe

"C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4028,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\autE02E.tmp

MD5 57526393506d5a53e6a40ade71ee8af6
SHA1 62ea25d35a4e8dab1acd3cf7c991e26079b767a8
SHA256 29232b112c00397078c4e59864cd323c60227b6f2dad38c944f695926ebfb575
SHA512 8581543251d75918724e3c90f446678f957dd5175ccd686364217a4264d9e2bc830a773d39f9320750fb1e0999b1ced6ed79d4044a40a088688feb73559597dc

memory/1004-12-0x00000000035D0000-0x00000000035D4000-memory.dmp

memory/2756-13-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2756-15-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2756-14-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2756-16-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2756-17-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

memory/2756-18-0x0000000003160000-0x00000000031B4000-memory.dmp

memory/2756-19-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/2756-22-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/2756-21-0x0000000005640000-0x0000000005692000-memory.dmp

memory/2756-23-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/2756-20-0x0000000005BF0000-0x0000000006194000-memory.dmp

memory/2756-45-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-55-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-83-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-79-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-77-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-75-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-73-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-71-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-69-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-67-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-63-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-61-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-59-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-57-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-53-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-51-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-49-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-47-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-43-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-41-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-39-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-37-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-36-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-33-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-31-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-29-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-81-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-65-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-27-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-25-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-24-0x0000000005640000-0x000000000568D000-memory.dmp

memory/2756-1055-0x0000000073F60000-0x0000000074710000-memory.dmp

memory/2756-1054-0x0000000005820000-0x0000000005886000-memory.dmp

memory/2756-1056-0x0000000006780000-0x00000000067D0000-memory.dmp

memory/2756-1057-0x0000000006870000-0x0000000006902000-memory.dmp

memory/2756-1058-0x00000000067D0000-0x00000000067DA000-memory.dmp

memory/2756-1059-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2756-1060-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

memory/2756-1061-0x0000000073F60000-0x0000000074710000-memory.dmp