Malware Analysis Report

2024-12-07 14:15

Sample ID 241115-cqz7rawnez
Target c6472372e0ffdda068d7bf22a49003ead236fed99bc302a5afeb02372c75f918
SHA256 c6472372e0ffdda068d7bf22a49003ead236fed99bc302a5afeb02372c75f918
Tags
agenttesla discovery keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6472372e0ffdda068d7bf22a49003ead236fed99bc302a5afeb02372c75f918

Threat Level: Known bad

The file c6472372e0ffdda068d7bf22a49003ead236fed99bc302a5afeb02372c75f918 was found to be: Known bad.

Malicious Activity Summary

agenttesla discovery keylogger spyware stealer trojan

Agenttesla family

AgentTesla

Looks up external IP address via web service

Suspicious use of SetThreadContext

AutoIT Executable

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 02:17

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 02:17

Reported

2024-11-15 02:20

Platform

win7-20241010-en

Max time kernel

17s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2536 set thread context of 1272 N/A C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe

"C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\uppishly

MD5 38f32ed0ac96cb9d6a3ee68ee2b6ece8
SHA1 a4ff8874c060347eb17afa37e645babd57757784
SHA256 08574f71828bb98f99c15327ed1b8085dcf95f32d448ce34b2e85c34d782d2f3
SHA512 c9a1656e599e392d5da78ba87a5536ef9ccbde76a20a58497c2d3a8f2bb658f36c58add85288264537024e85b920ca8889f016a7b02874f62480bd06dc03c3a4

memory/2536-7-0x00000000006F0000-0x0000000000AF0000-memory.dmp

memory/1272-8-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1272-10-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1272-11-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1272-12-0x000000007491E000-0x000000007491F000-memory.dmp

memory/1272-13-0x0000000000920000-0x0000000000974000-memory.dmp

memory/1272-14-0x0000000074910000-0x0000000074FFE000-memory.dmp

memory/1272-15-0x0000000074910000-0x0000000074FFE000-memory.dmp

memory/1272-16-0x0000000074910000-0x0000000074FFE000-memory.dmp

memory/1272-17-0x0000000000C60000-0x0000000000CB2000-memory.dmp

memory/1272-37-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-18-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-49-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-77-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-75-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-73-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-72-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-69-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-67-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-65-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-63-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-61-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-59-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-55-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-53-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-51-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-57-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-47-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-45-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-43-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-41-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-39-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-35-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-33-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-31-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-29-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-27-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-25-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-23-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-21-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-19-0x0000000000C60000-0x0000000000CAC000-memory.dmp

memory/1272-1050-0x0000000074910000-0x0000000074FFE000-memory.dmp

memory/1272-1051-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1272-1052-0x000000007491E000-0x000000007491F000-memory.dmp

memory/1272-1053-0x0000000074910000-0x0000000074FFE000-memory.dmp

memory/1272-1054-0x0000000074910000-0x0000000074FFE000-memory.dmp

memory/1272-1055-0x0000000074910000-0x0000000074FFE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 02:17

Reported

2024-11-15 02:20

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe

"C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3156 -ip 3156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\aut701F.tmp

MD5 38f32ed0ac96cb9d6a3ee68ee2b6ece8
SHA1 a4ff8874c060347eb17afa37e645babd57757784
SHA256 08574f71828bb98f99c15327ed1b8085dcf95f32d448ce34b2e85c34d782d2f3
SHA512 c9a1656e599e392d5da78ba87a5536ef9ccbde76a20a58497c2d3a8f2bb658f36c58add85288264537024e85b920ca8889f016a7b02874f62480bd06dc03c3a4

memory/3156-8-0x0000000000DB0000-0x00000000011B0000-memory.dmp