
Windows Analysis Report
Turkiye_2023_order_hitado_pdf.exe

Overview

General Information

Sample Name: Turkiye_2023_order_hitado_pdf.exe
Analysis ID: 1313695
MD5: 4649f9a0a86c4cd85493e581676597ed
SHA1: 03b06aa5a25bb6db5b18d5a31f0f2d26d4909f06
SHA256: 751dbee7818c202e60ffa8d060cc3c7c05e4ccda824569381c01a948364a8a96
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

  • System is w10x64
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | SWEED | | https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Host": "nl9.nlkoddos.com", "Username": "cm1@avindarou.net", "Password": "f=g^~XO{Pk7s"}
Source | Rule | Description | Author | Strings
00000004.00000002.476429792.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.282051451.000000000314C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.282500292.0000000006900000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.282195758.000000000425A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.282051451.000000000333B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Source | Rule | Description | Author | Strings
0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.Turkiye_2023_order_hitado_pdf.exe.421ab6d.8.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.Turkiye_2023_order_hitado_pdf.exe.425aa40.9.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.Turkiye_2023_order_hitado_pdf.exe.6900000.14.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.Turkiye_2023_order_hitado_pdf.exe.421ab6d.8.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
No Sigma rule has matched
No Snort rule has matched



AV Detection

Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "nl9.nlkoddos.com", "Username": "cm1@avindarou.net", "Password": "f=g^~XO{Pk7s"}
Source: Turkiye_2023_order_hitado_pdf.exe | ReversingLabs: Detection: 18%
Source: Turkiye_2023_order_hitado_pdf.exe | Joe Sandbox ML: detected
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: /log.tmp
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: <br>[
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: ]<br>
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: <br>
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: Time:
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: <br>User Name:
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: <br>Computer Name:
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: <br>OSFullName:
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: <br>CPU:
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: <br>RAM:
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: <br>
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: IP Address:
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: <br>
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: <hr>
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: New
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: IP Address:
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: true
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: https://api.ipify.org
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: true
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: true
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: true
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: false
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: false
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: false
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: true
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: false
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: nl9.nlkoddos.com
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: cm1@avindarou.net
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: f=g^~XO{Pk7s
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: cm2@avindarou.net
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: false
Source: 0.2.Turkiye_2023_order_hitado_pdf.exe.4184a30.10.raw.unpack | String decryptor: f