Analysis Overview
SHA256
0f332fd82cac206ac5ad266b95ec432b85b285317709ea00ee5f31648a1fc512
Threat Level: Known bad
The file PO-070724-WA00002.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Looks up external IP address via web service
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 13:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 13:11
Reported
2024-06-19 13:14
Platform
win7-20240221-en
Max time kernel
148s
Max time network
122s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO-070724-WA00002.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PO-070724-WA00002.exe
"C:\Users\Admin\AppData\Local\Temp\PO-070724-WA00002.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
Files
memory/1924-0-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp
memory/1924-1-0x000000013FF30000-0x000000013FFE8000-memory.dmp
memory/1924-2-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp
memory/1924-3-0x0000000002290000-0x00000000022B4000-memory.dmp
memory/1924-4-0x0000000002410000-0x0000000002426000-memory.dmp
memory/1924-5-0x0000000000880000-0x0000000000894000-memory.dmp
memory/1924-6-0x000000001C450000-0x000000001C4D0000-memory.dmp
memory/1924-7-0x000000001B490000-0x000000001B4D0000-memory.dmp
memory/1924-8-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp
memory/1924-9-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 13:11
Reported
2024-06-19 13:14
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO-070724-WA00002.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PO-070724-WA00002.exe
"C:\Users\Admin\AppData\Local\Temp\PO-070724-WA00002.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smtp.brianberrills-ie.com | udp |
| US | 208.91.198.143:587 | smtp.brianberrills-ie.com | tcp |
| US | 8.8.8.8:53 | 143.198.91.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/648-0-0x00007FF8C7A13000-0x00007FF8C7A15000-memory.dmp
memory/648-1-0x0000000000B00000-0x0000000000BB8000-memory.dmp
memory/648-2-0x000000001CCD0000-0x000000001D1F8000-memory.dmp
memory/648-3-0x00007FF8C7A10000-0x00007FF8C84D1000-memory.dmp
memory/648-4-0x0000000003740000-0x0000000003764000-memory.dmp
memory/648-5-0x000000001C760000-0x000000001C776000-memory.dmp
memory/648-6-0x000000001C880000-0x000000001C894000-memory.dmp
memory/648-7-0x000000001F1E0000-0x000000001F260000-memory.dmp
memory/648-8-0x000000001FA60000-0x000000001FAA0000-memory.dmp
memory/648-9-0x0000000022660000-0x00000000226B0000-memory.dmp
memory/648-10-0x00007FF8C7A13000-0x00007FF8C7A15000-memory.dmp
memory/648-11-0x00007FF8C7A10000-0x00007FF8C84D1000-memory.dmp