Windows Analysis Report
SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe
Analysis ID: 1419145
MD5: aa4e9485a220716bca4854ac0007a125
SHA1: 60bd405dae72469a7104ef7df6e714c141085dc8
SHA256: 79e473fb7f021d7b394ac013c2abcca1a094a918b6f2edb48c0ed18d7b3b7460
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe (PID: 5616 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe" MD5: AA4E9485A220716BCA4854AC0007A125)
    • powershell.exe (PID: 6216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7428 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5892 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpD46C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 5892 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • tXBTtgndxsp.exe (PID: 7356 cmdline: C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe MD5: AA4E9485A220716BCA4854AC0007A125)
    • schtasks.exe (PID: 8076 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXBTtgndxsp" /XML "C:\Users\user\AppData\Local\Temp\tmpE610.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tXBTtgndxsp.exe (PID: 8128 cmdline: "C:\Users\user\AppData\Roaming\tXBTtgndxsp.exe" MD5: AA4E9485A220716BCA4854AC0007A125)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | SWEED | | https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "nl9.nlkoddos.com", "Username": "222@barceltricot.eu", "Password": "Myname321@"}
Source | Rule | Description | Author | Strings
00000007.00000002.3700297871.0000000002EED000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.3700297871.0000000002EE5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000014.00000002.3700333358.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000007.00000002.3700297871.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000007.00000002.3700297871.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a40010.6.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | (strings below)
  • 0x31433:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x314a5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3152f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x315c1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3162b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3169d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31733:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x317c3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.SecuriteInfo.com.Trojan.MulDropNET.68.25303.2606.exe.3a7a830.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

System Summary