Edit tour
Windows
Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe
Overview
General Information
| Sample Name: | SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe |
| Analysis ID: | 1345579 |
| MD5: | 4a57aaabbc130e2ff9f78a1231680e14 |
| SHA1: | a372c732016750f03ecf5465a4b71ee170a0ae52 |
| SHA256: | 5ef8f6039eee8fa8cb4a3ae505f4f17d4a98570ec25c3279a89ee829aa6f0431 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Classification
- System is w10x64
SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe (PID: 1936 cmdline: C:\Users\u ser\Deskto p\Securite Info.com.W in32.PWSX- gen.23172. 5539.exe MD5: 4A57AAABBC130E2FF9F78A1231680E14) - SecuriteInfo.com.Win32.PWSX-gen.23172.5539.exe (PID: 6448 cmdline:
C:\Users\u ser\Deskto p\Securite Info.com.W in32.PWSX- gen.23172. 5539.exe MD5: 4A57AAABBC130E2FF9F78A1231680E14)
- cleanup