Analysis Overview
SHA256
2b848ef7410e9f7d10525c534d036e5dc1ee8754865726cf645299076696568e
Threat Level: Known bad
The file 2b848ef7410e9f7d10525c534d036e5dc1ee8754865726cf645299076696568e was classified as known bad.
Malicious Activity Summary
Agenttesla family
AgentTesla
Looks up external IP address via web service
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 01:57
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 01:57
Reported
2024-11-15 02:00
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
147s
Command Line
Signatures
AgentTesla
Agenttesla family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3764 set thread context of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\RFQ.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ.exe" |
| C:\Users\Admin\AppData\Local\Temp\RFQ.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ.exe" |
| C:\Users\Admin\AppData\Local\Temp\RFQ.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\autB0B2.tmp
| MD5 | 75e36a537617bbf6823ab5aeafe483fe |
| SHA1 | 33aca30482dbefc7b1732a29c81be751304cd791 |
| SHA256 | e78355ad9b37c572e8a4c700cdb837b5f5bafb743afa036ca8f2a063a04a2d1b |
| SHA512 | 2637250f09b045b92997d05b48ae8b63966cfb05b8eaae8a105f4af72233cf83d42951998e898c7d57624d787bfe5d3a0ded55ddfc14aa8ca3ae1245e1024a5a |
memory/4996-8-0x00000000017D0000-0x0000000001BD0000-memory.dmp
memory/1668-18-0x0000000001530000-0x0000000001930000-memory.dmp
memory/3764-28-0x0000000001510000-0x0000000001910000-memory.dmp
memory/3948-29-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3948-31-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3948-30-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3948-32-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3948-33-0x000000007448E000-0x000000007448F000-memory.dmp
memory/3948-34-0x0000000005650000-0x00000000056A6000-memory.dmp
memory/3948-35-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/3948-36-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/3948-37-0x0000000005D80000-0x0000000006324000-memory.dmp
memory/3948-38-0x00000000056F0000-0x0000000005744000-memory.dmp
memory/3948-68-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-70-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-78-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-98-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-96-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-94-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-92-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-90-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-88-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-86-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-84-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-82-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-76-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-74-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-72-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-66-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-64-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-63-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-60-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-58-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-56-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-54-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-52-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-50-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-48-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-46-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-44-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-42-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-40-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-80-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-39-0x00000000056F0000-0x000000000573E000-memory.dmp
memory/3948-1107-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/3948-1108-0x0000000005940000-0x00000000059A6000-memory.dmp
memory/3948-1109-0x0000000006C20000-0x0000000006C70000-memory.dmp
memory/3948-1110-0x0000000006D10000-0x0000000006DA2000-memory.dmp
memory/3948-1111-0x0000000006CA0000-0x0000000006CAA000-memory.dmp
memory/3948-1112-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3948-1113-0x000000007448E000-0x000000007448F000-memory.dmp
memory/3948-1114-0x0000000074480000-0x0000000074C30000-memory.dmp
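The three artefacts above that matter for triage are the process list (RegSvcs.exe, a legitimate .NET binary, is running with RFQ.exe's command line), the network table (a plaintext HTTP request to ip-api.com, the external-IP lookup AgentTesla performs before exfiltration) and the memory dumps (PID 3948, the SetThreadContext target, is dumped repeatedly at 0x400000-0x446000, the default 32-bit PE image base, which is where a hollowed-in payload would be mapped). The script below is an added example, not part of the sandbox report or of any tool it names: it parses those three record types from a constructed excerpt of the behavioral2 run and flags each indicator. The list of external-IP services beyond ip-api.com and the treatment of the 0x400000 region as the injected image are the editor's assumptions, not findings stated on the page.

```python
import re
from collections import defaultdict

# Constructed excerpt of the behavioral2 run (same values as the report), so the
# script runs offline; in practice feed it the sandbox's JSON or text export.
PROCESSES = [  # (image path, command line)
    (r"C:\Users\Admin\AppData\Local\Temp\RFQ.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"'),
]
NETWORK = [  # (country, destination, domain, proto)
    ("US", "8.8.8.8:53", "ip-api.com", "udp"),
    ("US", "208.95.112.1:80", "ip-api.com", "tcp"),
    ("US", "8.8.8.8:53", "1.112.95.208.in-addr.arpa", "udp"),
]
DUMPS = [
    "memory/3764-28-0x0000000001510000-0x0000000001910000-memory.dmp",
    "memory/3948-29-0x0000000000400000-0x0000000000446000-memory.dmp",
    "memory/3948-39-0x00000000056F0000-0x000000000573E000-memory.dmp",
    "memory/3948-1112-0x0000000000400000-0x0000000000446000-memory.dmp",
]
SET_THREAD_CONTEXT = [(3764, 3948)]  # (source PID, target PID) from the signature row

# Assumption: ip-api.com is the only service on the page; the others are
# commonly abused external-IP lookup endpoints added for generality.
IP_LOOKUP_DOMAINS = {"ip-api.com", "api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}
DEFAULT_IMAGE_BASE = 0x400000  # default ImageBase of a 32-bit PE executable


def image_name(path):
    """Basename of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def command_line_image(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def hollowing_candidates(processes):
    """Processes whose image differs from the executable named in their own
    command line. A parent that creates a victim suspended and passes its own
    command line, then overwrites the image (WriteProcessMemory + SetThreadContext),
    leaves exactly this mismatch behind."""
    return [(img, cmd) for img, cmd in processes
            if image_name(img) != image_name(command_line_image(cmd))]


def external_ip_lookups(network):
    """Distinct (domain, destination, proto) tuples touching an IP-lookup service."""
    return sorted({(d, dest, proto) for _, dest, d, proto in network
                   if d in IP_LOOKUP_DOMAINS})


DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump(name):
    """-> (pid, sequence, start, end) from a sandbox memory-dump file name."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError("unrecognised dump name: " + name)
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def injected_regions(dumps, target_pids):
    """For each SetThreadContext target, the distinct regions dumped at the
    default image base; assumption: that region is the written-in payload."""
    regions = defaultdict(set)
    for name in dumps:
        pid, _, start, end = parse_dump(name)
        if pid in target_pids and start == DEFAULT_IMAGE_BASE:
            regions[pid].add((start, end))
    return {pid: sorted(r) for pid, r in regions.items()}


def triage(processes, network, dumps, stc_pairs):
    targets = {dst for _, dst in stc_pairs}
    return {
        "hollowing": hollowing_candidates(processes),
        "ip_lookup": external_ip_lookups(network),
        "injected": injected_regions(dumps, targets),
    }


if __name__ == "__main__":
    for key, value in triage(PROCESSES, NETWORK, DUMPS, SET_THREAD_CONTEXT).items():
        print(key, value)
```

The same image-versus-command-line check works as a live hunt on endpoints (Win32_Process exposes both ExecutablePath and CommandLine), and the 0x46000-byte region it flags in PID 3948 is the one to carve and scan for the AgentTesla .NET payload rather than the RegSvcs.exe on disk, which is unchanged.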
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 01:57
Reported
2024-11-15 02:00
Platform
win7-20240903-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
AgentTesla
Agenttesla family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1880 set thread context of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RFQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\RFQ.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\unrosined
| MD5 | 75e36a537617bbf6823ab5aeafe483fe |
| SHA1 | 33aca30482dbefc7b1732a29c81be751304cd791 |
| SHA256 | e78355ad9b37c572e8a4c700cdb837b5f5bafb743afa036ca8f2a063a04a2d1b |
| SHA512 | 2637250f09b045b92997d05b48ae8b63966cfb05b8eaae8a105f4af72233cf83d42951998e898c7d57624d787bfe5d3a0ded55ddfc14aa8ca3ae1245e1024a5a |
memory/1880-7-0x0000000000B50000-0x0000000000F50000-memory.dmp
memory/2508-8-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2508-10-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2508-11-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2508-12-0x000000007484E000-0x000000007484F000-memory.dmp
memory/2508-13-0x00000000004B0000-0x0000000000506000-memory.dmp
memory/2508-14-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/2508-15-0x0000000002060000-0x00000000020B4000-memory.dmp
memory/2508-70-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-76-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-131-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/2508-74-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-72-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-68-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-66-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-64-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-62-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-60-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-58-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-56-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-54-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-52-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-50-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-48-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-46-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-44-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-42-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-41-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/2508-39-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-37-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-35-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-33-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-31-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-29-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-27-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-25-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-23-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-21-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-19-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-17-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-16-0x0000000002060000-0x00000000020AE000-memory.dmp
memory/2508-1086-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/2508-1087-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2508-1088-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/2508-1089-0x000000007484E000-0x000000007484F000-memory.dmp
memory/2508-1090-0x0000000074840000-0x0000000074F2E000-memory.dmp