Malware Analysis Report

2025-08-05 10:12

Sample ID 241017-bfrbesxbmr
Target 980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7
SHA256 980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7
Tags
agenttesla collection discovery keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7

Threat Level: Known bad

The file 980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7 was found to be: Known bad.

Read together, the signatures below describe the usual AgentTesla execution chain. The unsigned .NET dropper starts the Microsoft-signed InstallUtil.exe, writes a payload into the child (repeated WriteProcessMemory calls from the dropper PID into the InstallUtil.exe PID, followed by SetThreadContext to redirect execution, i.e. process hollowing), and the hollowed InstallUtil.exe then enables SeDebugPrivilege and opens the Outlook profile keys under Office\15.0, Office\16.0 and the Windows Messaging Subsystem to harvest stored mail credentials. Both detonations also open an FTP session to ftp.aminhacorretora.com.br (162.241.203.30:21), the exfiltration channel. The hollowed image, not the dropper on disk, is the artifact to analyse: it is the 0x400000-0x430000 region dumped from the InstallUtil.exe process in both runs.

Malicious Activity Summary

agenttesla collection discovery keylogger spyware stealer trojan

AgentTesla

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of WriteProcessMemory

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 01:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 01:05

Reported

2024-10-17 01:08

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 2220 (12 WriteProcessMemory calls) N/A C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
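The signature rows above are individually weak (a process reading NLS\Language or enabling SeDebugPrivilege is common), but their combination on one parent/child pair is the AgentTesla pattern. The following is an added example, not part of the sandbox report, of host-side triage logic that correlates them: cross-process memory writes into a signed .NET utility, Outlook profile key reads by something other than Outlook, a privilege adjustment inside the hollowed process, and an FTP control connection from it. The event schema, the helper names, the list of hollowing hosts beyond InstallUtil.exe and the attribution of the FTP connection to the hollowed PID are assumptions; the event values are constructed to mirror the behavioral1 rows.

```python
"""Added example: correlate sandbox API/registry events into AgentTesla findings.
Schema and helper names are assumptions; sample events mirror the behavioral1 run."""
from collections import defaultdict
from dataclasses import dataclass

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
USER = r"\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000"
PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"

# Signed .NET utilities that .NET stealers hollow; InstallUtil.exe is the one seen here,
# the rest are an assumed extension of the list.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "aspnet_compiler.exe"}
# Lower-cased fragments of the three Outlook profile locations in the report.
OUTLOOK_PROFILE_PATHS = (
    r"\software\microsoft\office\15.0\outlook\profiles",
    r"\software\microsoft\office\16.0\outlook\profiles",
    r"\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles",
)

@dataclass
class Event:
    kind: str            # "write_memory", "reg_open", "adjust_token", "net_connect"
    pid: int
    image: str
    detail: str = ""     # registry key, privilege name, or "ip:port"
    target_pid: int = 0
    target_image: str = ""

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return human-readable findings; hollowing findings come first."""
    findings = []
    writes = defaultdict(int)  # (src_pid, dst_pid, dst_image) -> call count
    for e in events:
        if e.kind == "write_memory" and e.pid != e.target_pid:
            writes[(e.pid, e.target_pid, basename(e.target_image))] += 1
    hollowed = set()
    for (src, dst, img), n in writes.items():
        if img in HOLLOW_HOSTS:
            hollowed.add(dst)
            findings.append(f"hollowing: pid {src} wrote {n} times into {img} (pid {dst})")
    for e in events:
        if e.kind == "reg_open" and basename(e.image) != "outlook.exe":
            if any(p in e.detail.lower() for p in OUTLOOK_PROFILE_PATHS):
                findings.append(f"outlook-profile read: {basename(e.image)} (pid {e.pid}) opened {e.detail}")
        elif e.kind == "adjust_token" and e.detail == "SeDebugPrivilege" and e.pid in hollowed:
            findings.append(f"privilege: SeDebugPrivilege enabled in hollowed pid {e.pid}")
        elif e.kind == "net_connect" and e.pid in hollowed and e.detail.endswith(":21"):
            findings.append(f"FTP control channel from hollowed pid {e.pid} to {e.detail}")
    return findings

def is_agenttesla_like(findings) -> bool:
    """Hollowing plus either credential collection or FTP exfil is the verdict threshold."""
    hollow = any(f.startswith("hollowing") for f in findings)
    collect = any(f.startswith("outlook-profile") for f in findings)
    exfil = any(f.startswith("FTP") for f in findings)
    return hollow and (collect or exfil)

# Constructed sample mirroring the behavioral1 rows (12 writes, 3 profile keys, 2 FTP connections).
SAMPLE_EVENTS = [Event("write_memory", 2728, DROPPER, target_pid=2220, target_image=HOST)] * 12 + [
    Event("reg_open", 2728, DROPPER, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    Event("adjust_token", 2728, DROPPER, "SeDebugPrivilege"),   # dropper: ignored, not hollowed
    Event("adjust_token", 2220, HOST, "SeDebugPrivilege"),
    Event("reg_open", 2220, HOST, USER + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook" + "\\" + PROFILE_GUID),
    Event("reg_open", 2220, HOST, USER + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook" + "\\" + PROFILE_GUID),
    Event("reg_open", 2220, HOST, USER + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook" + "\\" + PROFILE_GUID),
    Event("net_connect", 2220, HOST, "162.241.203.30:21"),
    Event("net_connect", 2220, HOST, "162.241.203.30:36794"),  # data channel, not flagged on its own
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    print("\n".join(found))
    print("verdict:", "agenttesla-like" if is_agenttesla_like(found) else "inconclusive")
```

The write count matters: a single cross-process write is how many installers and debuggers behave, while a dozen writes into a freshly created signed .NET host followed by that host doing the credential access is not. The Outlook check keys on the process image rather than the key alone because Outlook itself opens these keys constantly.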

Processes

C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe

"C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ftp.aminhacorretora.com.br udp
US 162.241.203.30:21 ftp.aminhacorretora.com.br tcp
US 162.241.203.30:36794 ftp.aminhacorretora.com.br tcp

Files

memory/2728-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

memory/2728-1-0x0000000000F70000-0x0000000001042000-memory.dmp

memory/2728-2-0x0000000000D90000-0x0000000000E2E000-memory.dmp

memory/2728-3-0x0000000073F40000-0x000000007462E000-memory.dmp

memory/2728-4-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

memory/2728-5-0x0000000073F40000-0x000000007462E000-memory.dmp

memory/2728-6-0x0000000000710000-0x000000000072A000-memory.dmp

memory/2728-7-0x0000000000460000-0x0000000000466000-memory.dmp

memory/2728-8-0x0000000073F40000-0x000000007462E000-memory.dmp

memory/2220-10-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2220-9-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2220-12-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2220-11-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2220-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2728-15-0x0000000073F40000-0x000000007462E000-memory.dmp

memory/2220-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2728-20-0x0000000073F40000-0x000000007462E000-memory.dmp

memory/2220-19-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2220-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2220-22-0x0000000073F40000-0x000000007462E000-memory.dmp

memory/2220-21-0x0000000073F40000-0x000000007462E000-memory.dmp

memory/2220-29-0x0000000073F40000-0x000000007462E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 01:05

Reported

2024-10-17 01:08

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 660 (8 WriteProcessMemory calls) N/A C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe

"C:\Users\Admin\AppData\Local\Temp\980f9194127787aa86528f74982938a0e8ae15ff556c567f7704db23ac23f0a7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 5.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 ftp.aminhacorretora.com.br udp
US 162.241.203.30:21 ftp.aminhacorretora.com.br tcp
US 162.241.203.30:42158 ftp.aminhacorretora.com.br tcp
US 8.8.8.8:53 30.203.241.162.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
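The Windows 10 run buries the one actionable destination among OS telemetry (g.bing.com, tse1.mm.bing.net) and the sandbox's own reverse-DNS lookups (the in-addr.arpa rows). The block below is an added example, not part of the report, that parses the table as printed and keeps only the malware's destinations; the allowlist of noise suffixes and the helper names are assumptions, and the table text is the behavioral2 Network table with the five identical tse1.mm.bing.net rows reduced to one.

```python
"""Added example: reduce the report's Network table to blockable IOCs.
Noise allowlist and helper names are assumptions; the table text is copied from the report."""

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 5.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 ftp.aminhacorretora.com.br udp
US 162.241.203.30:21 ftp.aminhacorretora.com.br tcp
US 162.241.203.30:42158 ftp.aminhacorretora.com.br tcp
US 8.8.8.8:53 30.203.241.162.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

# Assumed allowlist: telemetry the sandbox's Windows image generates on its own,
# plus PTR lookups, which are the sandbox resolving the IPs it saw, not the malware.
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
RESOLVERS = {"8.8.8.8"}

def parse_rows(table: str):
    """Turn 'Country Destination Domain Proto' lines into dicts; skips the header."""
    rows = []
    for line in table.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows

def extract_iocs(table: str):
    """domain -> {'ips': set, 'ports': set of (proto, port)}; resolver rows keep only the name."""
    iocs = {}
    for r in parse_rows(table):
        if r["domain"].endswith(NOISE_SUFFIXES):
            continue
        entry = iocs.setdefault(r["domain"], {"ips": set(), "ports": set()})
        if r["ip"] in RESOLVERS and r["port"] == 53:
            continue  # the lookup itself: 8.8.8.8 is not an indicator
        entry["ips"].add(r["ip"])
        entry["ports"].add((r["proto"], r["port"]))
    return iocs

def describe(iocs):
    """One line per domain, separating the service port from ephemeral data-channel ports."""
    lines = []
    for domain, e in iocs.items():
        service = sorted(p for p in e["ports"] if p[1] < 1024)
        ephemeral = [p for p in e["ports"] if p[1] >= 1024]
        svc = ", ".join(f"{proto}/{port}" for proto, port in service) or "dns-only"
        note = f" (+{len(ephemeral)} ephemeral data-channel port(s))" if ephemeral else ""
        lines.append(f"{domain} -> {', '.join(sorted(e['ips'])) or '-'} {svc}{note}")
    return lines

if __name__ == "__main__":
    print("\n".join(describe(extract_iocs(NETWORK_TABLE))))
```

The second tcp connection to the same server on a high port right after the port 21 session is consistent with a passive-mode FTP data channel; that port differs between the two runs (36794 on Windows 7, 42158 on Windows 10) and is not an indicator. Block or alert on the name and the address, and alert on any outbound tcp/21 from InstallUtil.exe, which has no reason to speak FTP.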

Files

memory/1376-0-0x000000007514E000-0x000000007514F000-memory.dmp

memory/1376-1-0x0000000000F20000-0x0000000000FF2000-memory.dmp

memory/1376-2-0x0000000005550000-0x00000000055E2000-memory.dmp

memory/1376-3-0x00000000055F0000-0x000000000568C000-memory.dmp

memory/1376-4-0x0000000005C40000-0x00000000061E4000-memory.dmp

memory/1376-5-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/1376-6-0x0000000005690000-0x000000000572E000-memory.dmp

memory/1376-7-0x0000000005760000-0x000000000576A000-memory.dmp

memory/1376-8-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/1376-9-0x000000007514E000-0x000000007514F000-memory.dmp

memory/1376-10-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/1376-11-0x00000000070F0000-0x000000000710A000-memory.dmp

memory/1376-12-0x00000000097D0000-0x00000000097D6000-memory.dmp

memory/660-13-0x0000000000400000-0x0000000000430000-memory.dmp

memory/660-15-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/1376-16-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/660-17-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/660-18-0x00000000054B0000-0x0000000005516000-memory.dmp

memory/660-19-0x0000000006880000-0x00000000068D0000-memory.dmp

memory/660-20-0x0000000006BB0000-0x0000000006D72000-memory.dmp

memory/660-30-0x0000000075140000-0x00000000758F0000-memory.dmp