Windows
Analysis Report
SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe
Overview
General Information
Detection
AgentTesla, PureLog Stealer
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Downloads files with wrong headers with respect to MIME Content-Type
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe (PID: 5896 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe (PID: 5628 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe (PID: 4708 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe (PID: 6804 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe (PID: 6976 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe (PID: 4352 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe (PID: 7116 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe (PID: 3364 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe (PID: 5560 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe (PID: 5324 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe (PID: 1876 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 4352 cmdline: "C:\Users\user\AppData\Roaming\henn.exe" MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 2668 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 4372 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 7124 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 6664 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 6020 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 3480 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 3144 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 4712 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 1016 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 5460 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 5788 cmdline: "C:\Users\user\AppData\Roaming\henn.exe" MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 3252 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 2724 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 3652 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 3920 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 4336 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 6448 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 4112 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 3676 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 4848 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- henn.exe (PID: 6008 cmdline: C:\Users\user\AppData\Roaming\henn.exe MD5: FB2853C7D12653C71EBA4C498A42DBEE)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | | |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.asiaparadisehotel.com", "Username": "asia@asiaparadisehotel.com", "Password": "^b2ycDldex$@"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
⊘No Sigma rule has matched
⊘No Snort rule has matched
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: |
Networking |
---|
Source: | Bad PDF prefix: |