Malware Analysis Report

2024-11-30 05:47

Sample ID 240619-cz3dgascnh
Target 7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77
SHA256 7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77

Threat Level: Known bad

The file 7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77 was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 02:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 02:31

Reported

2024-06-19 02:34

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe

"C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 02:31

Reported

2024-06-19 02:34

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe

"C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mail.confidencegroup.co | udp

Files
