Malware Analysis Report

2025-08-10 21:19

Sample ID 241031-mpdmgawgqh
Target Shipping documents 000293994900.exe
SHA256 f96b6c703fe5b13fd985d91da265c58d3d5b2f81397ebe27527e59c208819d2e
Tags
agenttesla discovery keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f96b6c703fe5b13fd985d91da265c58d3d5b2f81397ebe27527e59c208819d2e

Threat Level: Known bad

The file Shipping documents 000293994900.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla discovery keylogger spyware stealer trojan

AgentTesla

Agenttesla family

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 10:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 10:38

Reported

2024-10-31 10:41

Platform

win7-20240903-en

Max time kernel

145s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2112 set thread context of 2172 N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe

"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"

C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe

"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"

Network

Country Destination Domain Proto
NL 84.38.133.42:80 84.38.133.42 tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp

Files

\Users\Admin\AppData\Local\Temp\nsyAF55.tmp\System.dll

MD5 7399323923e3946fe9140132ac388132
SHA1 728257d06c452449b1241769b459f091aabcffc5
SHA256 5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
SHA512 d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

memory/2112-14-0x0000000077300000-0x00000000774A9000-memory.dmp

memory/2112-13-0x0000000077301000-0x0000000077402000-memory.dmp

memory/2172-15-0x0000000077300000-0x00000000774A9000-memory.dmp

memory/2172-16-0x0000000000490000-0x00000000014F2000-memory.dmp

memory/2172-18-0x0000000077300000-0x00000000774A9000-memory.dmp

memory/2172-19-0x0000000000490000-0x00000000004D2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 10:38

Reported

2024-10-31 10:41

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4908 set thread context of 944 N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe

"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"

C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe

"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 84.38.133.42:80 84.38.133.42 tcp
US 8.8.8.8:53 42.133.38.84.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 ftp.concaribe.com udp
US 192.185.13.234:21 ftp.concaribe.com tcp
US 192.185.13.234:31139 ftp.concaribe.com tcp
US 8.8.8.8:53 234.13.185.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nsbA386.tmp\System.dll

MD5 7399323923e3946fe9140132ac388132
SHA1 728257d06c452449b1241769b459f091aabcffc5
SHA256 5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
SHA512 d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

memory/4908-13-0x0000000076FC1000-0x00000000770E1000-memory.dmp

memory/4908-15-0x0000000010004000-0x0000000010005000-memory.dmp

memory/4908-14-0x0000000076FC1000-0x00000000770E1000-memory.dmp

memory/944-16-0x0000000077048000-0x0000000077049000-memory.dmp

memory/944-17-0x0000000077065000-0x0000000077066000-memory.dmp

memory/944-18-0x0000000000490000-0x00000000016E4000-memory.dmp

memory/944-19-0x0000000076FC1000-0x00000000770E1000-memory.dmp

memory/944-20-0x00000000721FE000-0x00000000721FF000-memory.dmp

memory/944-21-0x0000000000490000-0x00000000004D2000-memory.dmp

memory/944-22-0x0000000037990000-0x0000000037F34000-memory.dmp

memory/944-23-0x00000000357F0000-0x0000000035856000-memory.dmp

memory/944-24-0x00000000721F0000-0x00000000729A0000-memory.dmp

memory/944-26-0x0000000038900000-0x0000000038950000-memory.dmp

memory/944-27-0x0000000038970000-0x0000000038A0C000-memory.dmp

memory/944-28-0x0000000038BD0000-0x0000000038C62000-memory.dmp

memory/944-29-0x0000000038CB0000-0x0000000038CBA000-memory.dmp

memory/944-30-0x00000000721FE000-0x00000000721FF000-memory.dmp

memory/944-31-0x00000000721F0000-0x00000000729A0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-31 10:38

Reported

2024-10-31 10:42

Platform

win7-20241010-en

Max time kernel

12s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 228

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-31 10:38

Reported

2024-10-31 10:41

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3548 wrote to memory of 3496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3548 wrote to memory of 3496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3548 wrote to memory of 3496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3496 -ip 3496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A