Malware Analysis Report

2024-11-30 05:44

Sample ID 240619-qq8qsa1dqd
Target NEW PO#101.exe
SHA256 fd34291b03a43dba1465cc1ad12ff3fb705bad671c1e175e234aba9a39ea215e
Tags agenttesla keylogger spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 fd34291b03a43dba1465cc1ad12ff3fb705bad671c1e175e234aba9a39ea215e

Threat Level: Known bad

The file NEW PO#101.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 13:29

Signatures

AutoIT Executable

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 13:29

Reported

2024-06-19 13:31

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A

Suspicious use of SetThreadContext

Description                          Indicator  Process                                           Target
PID 2396 set thread context of 2284  N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  N/A
N/A          N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  N/A

Suspicious behavior: MapViewOfSection

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  N/A

Suspicious use of FindShellTrayWindow

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  N/A

Suspicious use of SendNotifyMessage

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe"

Network

Country  Destination  Domain         Proto
US       8.8.8.8:53   api.ipify.org  udp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 13:29

Reported

2024-06-19 13:31

Platform

win7-20240611-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service

Description  Indicator      Process  Target
N/A          api.ipify.org  N/A      N/A
N/A          api.ipify.org  N/A      N/A

Suspicious use of SetThreadContext

Description                          Indicator  Process                                           Target
PID 2960 set thread context of 1188  N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  N/A
N/A          N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  N/A

Suspicious behavior: MapViewOfSection

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  N/A

Suspicious use of FindShellTrayWindow

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  N/A

Suspicious use of SendNotifyMessage

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEW PO#101.exe"

Network

Country  Destination        Domain         Proto
US       8.8.8.8:53         api.ipify.org  udp
US       104.26.13.205:443  api.ipify.org  tcp

Files
