Edit tour
Windows
Analysis Report
Receipt_7814002.exe
Overview
General Information
| Sample name: | Receipt_7814002.exe |
| Analysis ID: | 1429041 |
| MD5: | 67f9e0f23980b5d10af7a7eb8859fab2 |
| SHA1: | 114f660769c6b79673ce56fbc5effa50a59338fd |
| SHA256: | 2f539731282a936700c6c4797ea84beba6dd863761f607e22b32b1b67f66b09e |
| Tags: | AgentTeslaexe |
| Infos: |   |
 | |
Detection
AgentTesla, PureLog Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Downloads files with wrong headers with respect to MIME Content-Type
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
Receipt_7814002.exe (PID: 6112 cmdline: "C:\Users\ user\Deskt op\Receipt _7814002.e xe" MD5: 67F9E0F23980B5D10AF7A7EB8859FAB2) - Receipt_7814002.exe (PID: 1480 cmdline:
"C:\Users\ user\Deskt op\Receipt _7814002.e xe" MD5: 67F9E0F23980B5D10AF7A7EB8859FAB2)
- daqfbrlrs.exe (PID: 3440 cmdline:
"C:\Users\ user\AppDa ta\Roaming \daqfbrlrs .exe" MD5: 67F9E0F23980B5D10AF7A7EB8859FAB2) - daqfbrlrs.exe (PID: 3716 cmdline:
"C:\Users\ user\AppDa ta\Roaming \daqfbrlrs .exe" MD5: 67F9E0F23980B5D10AF7A7EB8859FAB2)
- daqfbrlrs.exe (PID: 6772 cmdline:
"C:\Users\ user\AppDa ta\Roaming \daqfbrlrs .exe" MD5: 67F9E0F23980B5D10AF7A7EB8859FAB2) - daqfbrlrs.exe (PID: 4580 cmdline:
"C:\Users\ user\AppDa ta\Roaming \daqfbrlrs .exe" MD5: 67F9E0F23980B5D10AF7A7EB8859FAB2)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "66.29.151.236", "Username": "senderhelpdesk@coleoffice.shop", "Password": "hpJvOH%*JutO"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 47 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
| |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
| Click to see the 38 entries | ||||
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: frack113: | ||
| Timestamp: | 04/20/24-10:23:34.344247 |
| SID: | 2030171 |
| Source Port: | 49717 |
| Destination Port: | 587 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-10:23:34.344316 |
| SID: | 2840032 |
| Source Port: | 49717 |
| Destination Port: | 587 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-10:23:34.344316 |
| SID: | 2855542 |
| Source Port: | 49717 |
| Destination Port: | 587 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-10:23:34.344316 |
| SID: | 2855245 |
| Source Port: | 49717 |
| Destination Port: | 587 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 04/20/24-10:23:34.344316 |
| SID: | 2851779 |
| Source Port: | 49717 |
| Destination Port: | 587 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_0145DAC0 | |
| Source: | Code function: | 0_2_0145DAB8 | |
| Source: | Code function: | 5_2_04C1CC08 | |
| Source: | Code function: | 5_2_04C1CC10 | |
| Source: | Code function: | 6_2_02E4CC08 | |
| Source: | Code function: | 6_2_02E4CC10 | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Bad PDF prefix: | ||