Malware Analysis Report

2024-11-30 05:46

Sample ID 240619-cxt93swgkr
Target bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b
SHA256 bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b

Threat Level: Known bad

The file bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Agenttesla family

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 02:27

Signatures

Agenttesla family

agenttesla

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 02:27

Reported

2024-06-19 02:30

Platform

win7-20240508-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b.exe

"C:\Users\Admin\AppData\Local\Temp\bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp

Files

memory/2072-0-0x000000007446E000-0x000000007446F000-memory.dmp

memory/2072-1-0x00000000012E0000-0x0000000001324000-memory.dmp

memory/2072-2-0x0000000074460000-0x0000000074B4E000-memory.dmp

memory/2072-3-0x000000007446E000-0x000000007446F000-memory.dmp

memory/2072-4-0x0000000074460000-0x0000000074B4E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 02:27

Reported

2024-06-19 02:30

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b.exe

"C:\Users\Admin\AppData\Local\Temp\bf8fb3b88d40bcf605f71c1cdc2b41c3c605016d3a846598ab8e7ea6ef28689b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp

Files

memory/4208-0-0x000000007484E000-0x000000007484F000-memory.dmp

memory/4208-1-0x00000000004A0000-0x00000000004E4000-memory.dmp

memory/4208-2-0x0000000005580000-0x0000000005B24000-memory.dmp

memory/4208-3-0x0000000004F20000-0x0000000004F86000-memory.dmp

memory/4208-4-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/4208-5-0x0000000006560000-0x00000000065B0000-memory.dmp

memory/4208-6-0x0000000006650000-0x00000000066EC000-memory.dmp

memory/4208-7-0x0000000006890000-0x0000000006922000-memory.dmp

memory/4208-8-0x0000000006880000-0x000000000688A000-memory.dmp

memory/4208-9-0x000000007484E000-0x000000007484F000-memory.dmp

memory/4208-10-0x0000000074840000-0x0000000074FF0000-memory.dmp