Overview

overview

10

Static

static

3

139daba492...24.exe

windows7-x64

10

139daba492...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/01/2025, 01:28 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe

  • Size

    743KB

  • MD5

    b2e13b5a8173ef717d056a348001e4cc

  • SHA1

    ebd6d6d14aaaaf47cb891406b834d5505e088271

  • SHA256

    139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924

  • SHA512

    ec8fecc4f545980209fd4a81187ff3cbec224ddf568bf007dba99b86daf4d48b1538e8fcc13ccb85b6e1000ecfcc7e25c6a92c17fa50dcb53da41784d181d91e

  • SSDEEP

    12288:iDCu7+JNLLzmHjR/Qw1iO116TWWaQjqF0UKWx2l+g05MjFvP990MeU4KBomWf:z/JlLKDRQwt4abQGF9xs+g0uFvwUlGmE

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.magnatextile.com
  • Port:
    587
  • Username:
    owais@magnatextile.com
  • Password:
    ow%{&}mti{&}$is

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.magnatextile.com
  • Port:
    587
  • Username:
    owais@magnatextile.com
  • Password:
    ow%{&}mti{&}$is
  • Email To:
    vriat.pine@gmail.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe
    "C:\Users\Admin\AppData\Local\Temp\139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4732
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xprNhn.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:972
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xprNhn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC5B.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1628
    • C:\Users\Admin\AppData\Local\Temp\139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe
      "C:\Users\Admin\AppData\Local\Temp\139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4536

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    7.98.51.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.98.51.23.in-addr.arpa
    IN PTR
    Response
    7.98.51.23.in-addr.arpa
    IN PTR
    a23-51-98-7deploystaticakamaitechnologiescom
  • flag-us
    DNS
    api.ipify.org
    139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    104.26.12.205
  • flag-us
    GET
    https://api.ipify.org/
    139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe
    Remote address:
    172.67.74.152:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 25 Jan 2025 01:28:55 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: keep-alive
    Vary: Origin
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 90747d436ad860e4-LHR
    server-timing: cfL4;desc="?proto=TCP&rtt=53981&min_rtt=48384&rtt_var=20931&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2980&recv_bytes=452&delivery_rate=74228&cwnd=253&unsent_bytes=0&cid=f7106361ddefb3ce&ts=230&x=0"
  • flag-us
    DNS
    152.74.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    152.74.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mail.magnatextile.com
    139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.magnatextile.com
    IN A
    Response
    mail.magnatextile.com
    IN CNAME
    magnatextile.com
    magnatextile.com
    IN A
    164.68.127.9
  • flag-us
    DNS
    9.127.68.164.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.127.68.164.in-addr.arpa
    IN PTR
    Response
    9.127.68.164.in-addr.arpa
    IN PTR
    hosting magna-groupcom
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 172.67.74.152:443
    https://api.ipify.org/
    tls, http
    139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe
    854 B
     3.9kB
     9
    10

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 164.68.127.9:587
    mail.magnatextile.com
    smtp-submission
    139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe
    2.7kB
     5.1kB
     20
    23
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    21.49.80.91.in-addr.arpa
    dns
    70 B
     145 B
     1
    1

    DNS Request

    21.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    23.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    23.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    7.98.51.23.in-addr.arpa
    dns
    69 B
     131 B
     1
    1

    DNS Request

    7.98.51.23.in-addr.arpa

  • 8.8.8.8:53
    api.ipify.org
    dns
    139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe
    59 B
     107 B
     1
    1

    DNS Request

    api.ipify.org

    DNS Response

    172.67.74.152
    104.26.13.205
    104.26.12.205

  • 8.8.8.8:53
    152.74.67.172.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    152.74.67.172.in-addr.arpa

  • 8.8.8.8:53
    mail.magnatextile.com
    dns
    139daba4920df2b28eee8d3726b98528455c3002a0c91bdaf82bbac8a678d924.exe
    67 B
     97 B
     1
    1

    DNS Request

    mail.magnatextile.com

    DNS Response

    164.68.127.9

  • 8.8.8.8:53
    9.127.68.164.in-addr.arpa
    dns
    71 B
     108 B
     1
    1

    DNS Request

    9.127.68.164.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    86.49.80.91.in-addr.arpa
    dns
    70 B
     145 B
     1
    1

    DNS Request

    86.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    ca4c1f77a2f4a9c3f965c1d14bb34d3d

    SHA1

    d0083ab8b0674813c336a2b87186352ced34e990

    SHA256

    5a6aa94eee00848de150e9995b2f36060cf9fc9af173fdae1820cc71fda7e9e9

    SHA512

    1a6d97a36825b9de6223c2421ab72826a6725a584a1c54558aedca9a978983e462c11022a399890afb21f6da295f7d03c5d6a2931dd7d3cbcbdb4214b9909ec0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oihfehre.r02.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBC5B.tmp
    Filesize

    1KB

    MD5

    fbfc121b0a416b1bac53c440f8ee9088

    SHA1

    2de23d5adad456c2f556b4c094340a13bcca1557

    SHA256

    a051f2a53d62f046fb906794b939a6f45bf352e09ed80ed1b84d954927c1d105

    SHA512

    e8cc5c3eda33de82dcd4215f50060848becce62fc787754a90ffec4ffd32593dcf3a9786f4d752aeebcc302e7f2177f5b2af6270b0f45e3f5269eae8d3177866

    Download Submit

  • memory/972-73-0x00000000079B0000-0x000000000802A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/972-21-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/972-72-0x0000000007230000-0x00000000072D3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/972-78-0x00000000075A0000-0x00000000075AE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/972-79-0x00000000075B0000-0x00000000075C4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/972-35-0x0000000005AE0000-0x0000000005E34000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/972-80-0x00000000076B0000-0x00000000076CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/972-89-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/972-23-0x0000000005070000-0x0000000005092000-memory.dmp

    Filesize

    136KB

    Download

  • memory/972-62-0x000000006F340000-0x000000006F38C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/972-20-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/972-81-0x0000000007690000-0x0000000007698000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1316-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1316-1-0x0000000000E70000-0x0000000000F30000-memory.dmp

    Filesize

    768KB

    Download

  • memory/1316-4-0x0000000005920000-0x000000000592A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1316-2-0x0000000005EA0000-0x0000000006444000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1316-10-0x0000000005330000-0x00000000053B6000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1316-47-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1316-9-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1316-3-0x0000000005990000-0x0000000005A22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1316-5-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1316-6-0x0000000005BE0000-0x0000000005C7C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1316-8-0x00000000745DE000-0x00000000745DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1316-7-0x0000000005E80000-0x0000000005E9E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4536-85-0x0000000007100000-0x0000000007150000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4536-45-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4732-48-0x0000000005A70000-0x0000000005A8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4732-61-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4732-50-0x0000000005FE0000-0x0000000006012000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4732-51-0x000000006F340000-0x000000006F38C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4732-74-0x0000000006D90000-0x0000000006DAA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4732-75-0x0000000006E00000-0x0000000006E0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4732-76-0x0000000007010000-0x00000000070A6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4732-77-0x0000000006F90000-0x0000000006FA1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4732-49-0x0000000006070000-0x00000000060BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4732-24-0x0000000004C50000-0x0000000004CB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4732-25-0x0000000004CC0000-0x0000000004D26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4732-19-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4732-84-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4732-16-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4732-18-0x00000000745D0000-0x0000000074D80000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4732-17-0x0000000004D50000-0x0000000005378000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4732-15-0x0000000000CF0000-0x0000000000D26000-memory.dmp

    Filesize

    216KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.