Malware Analysis Report

2025-08-05 14:44

Sample ID 250701-h17bps1yby
Target Procentdelene.exe
SHA256 1eb25e230346fb5ff10dfd8daad216200205b958046fb2729b8666ba2f18f2a9
Tags
discovery agenttesla guloader downloader keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1eb25e230346fb5ff10dfd8daad216200205b958046fb2729b8666ba2f18f2a9

Threat Level: Known bad

The file Procentdelene.exe was found to be: Known bad.

Malicious Activity Summary

discovery agenttesla guloader downloader keylogger spyware stealer trojan

Guloader,Cloudeye

Guloader family

AgentTesla

Agenttesla family

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-01 07:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-07-01 07:13

Reported

2025-07-01 07:15

Platform

win11-20250610-en

Max time kernel

40s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2592 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2592 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2592 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2192 -ip 2192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 460

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-01 07:13

Reported

2025-07-01 07:15

Platform

win10v2004-20250610-en

Max time kernel

145s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe

"C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"

C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe

"C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 192.210.236.175:80 192.210.236.175 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsvA22C.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

memory/4540-25-0x0000000003500000-0x0000000004240000-memory.dmp

memory/4540-26-0x0000000010004000-0x0000000010005000-memory.dmp

memory/4540-27-0x0000000003500000-0x0000000004240000-memory.dmp

memory/2860-28-0x00000000771C8000-0x00000000771C9000-memory.dmp

memory/2860-29-0x0000000077269000-0x000000007726A000-memory.dmp

memory/2860-30-0x00000000004C0000-0x0000000001714000-memory.dmp

memory/2860-31-0x00000000004C0000-0x0000000000500000-memory.dmp

memory/2860-32-0x0000000034C80000-0x0000000035224000-memory.dmp

memory/2860-33-0x00000000353B0000-0x00000000353C0000-memory.dmp

memory/2860-34-0x0000000035330000-0x0000000035396000-memory.dmp

memory/2860-35-0x0000000035CA0000-0x0000000035CF0000-memory.dmp

memory/2860-36-0x0000000035CF0000-0x0000000035D82000-memory.dmp

memory/2860-37-0x0000000035DC0000-0x0000000035DCA000-memory.dmp

memory/2860-39-0x0000000001720000-0x0000000002460000-memory.dmp

memory/2860-40-0x0000000077269000-0x000000007726A000-memory.dmp

memory/2860-41-0x00000000353B0000-0x00000000353C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-01 07:13

Reported

2025-07-01 07:15

Platform

win11-20250619-en

Max time kernel

102s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe

"C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"

C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe

"C:\Users\Admin\AppData\Local\Temp\Procentdelene.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5868 -ip 5868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 440

Network

Files

C:\Users\Admin\AppData\Local\Temp\nsb70BC.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

memory/3188-25-0x00000000035B0000-0x00000000042F0000-memory.dmp

memory/3188-26-0x0000000010004000-0x0000000010005000-memory.dmp

memory/3188-27-0x00000000035B0000-0x00000000042F0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-07-01 07:13

Reported

2025-07-01 07:15

Platform

win10v2004-20250610-en

Max time kernel

106s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4088 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4088 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4088 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

N/A