
Windows Analysis Report
rPaymentAdvice-PDF.exe

Overview

General Information

Sample name: rPaymentAdvice-PDF.exe
Analysis ID: 1455406
MD5: cc74321fe70654e82ead4093093b0116
SHA1: 68e74f568066c31b0f2b2a2837b5ce072b0857af
SHA256: 8819d137ba69b96b3f3c28cca74603e86c4ecea2c821e5332452a51258176439
Tags: AgentTesla, exe

Detection

Family: AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • rPaymentAdvice-PDF.exe (PID: 3620 cmdline: "C:\Users\user\Desktop\rPaymentAdvice-PDF.exe" MD5: CC74321FE70654E82EAD4093093B0116)
    • MSBuild.exe (PID: 4196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • WerFault.exe (PID: 5048 cmdline: C:\Windows\system32\WerFault.exe -u -p 3620 -s 1152 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration (extracted): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.motek.ro", "Username": "office@motek.ro", "Password": "[_QR4eY?2cHe"}
Source | Rule | Description | Author
00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000003.00000002.3384403596.0000000002C59000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 11 entries shown)
Source | Rule | Description | Author
3.2.MSBuild.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.2.MSBuild.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Strings:
  • 0x334d9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3354b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335d5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33667:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336d1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33743:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337d9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33869:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 10 entries shown)
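The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID row above reports eight GUID strings at fixed offsets in the unpacked MSBuild.exe image; per the rule description they identify Windows vault credential objects, which is why a stealer that reads Credential Manager references them. The Python below is an added example, not ditekSHen's rule and not code from the report: it scans a byte buffer for the same eight strings and reports offset and encoding. The UTF-16LE search is my addition, on the assumption that a .NET process may also hold these strings wide in memory (the report's matches are the ASCII form), and the sample buffer is constructed, not a real dump.

```python
"""Offset scanner for the vault-schema GUID strings listed in the report (added example)."""

# The eight GUIDs exactly as the matched rule lists them ($s1..$s8).
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]


def find_vault_guids(data: bytes) -> list:
    """Return (offset, encoding, guid) for every occurrence, sorted by offset.

    The report's matches are the ASCII form; searching the UTF-16LE form as
    well is an assumption that the same strings may sit wide in a .NET process.
    """
    hits = []
    for guid in VAULT_SCHEMA_GUIDS:
        for encoding in ("ascii", "utf-16-le"):
            needle = guid.encode(encoding)
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits.append((idx, encoding, guid))
                start = idx + 1
    return sorted(hits)


def distinct_vault_guids(data: bytes) -> int:
    """How many different schema GUIDs are referenced (a triage count, not the rule's condition)."""
    return len({guid for _, _, guid in find_vault_guids(data)})


# Constructed sample buffer (not a real dump): 16 bytes of padding, one ASCII GUID
# at offset 16, 8 bytes of padding, one UTF-16LE GUID at offset 60, then a
# near-miss with the last digit changed that must not be reported.
SAMPLE = (
    b"\x00" * 16
    + b"2F1A6504-0641-44CF-8BB5-3612D865F2E5"
    + b"\x00" * 8
    + "4BF4C442-9B8A-41A0-B380-DD4A704DDB28".encode("utf-16-le")
    + b"\x00" * 8
    + b"3CCD5499-87A8-4B10-A215-608888DD3B56"
)

if __name__ == "__main__":
    for offset, encoding, guid in find_vault_guids(SAMPLE):
        print(f"0x{offset:x} {encoding:<9} {guid}")
```

Run it against a raw process dump or an unpacked image (`find_vault_guids(open(path, "rb").read())`) to get the same offset/string pairs the table shows; a hit in only one encoding is a hint to check whether a YARA rule for the same strings needs the `wide` modifier for the dump you are scanning.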

                    Networking

                    Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 212.146.84.76, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 4196, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49715
                    No Snort rule has matched
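The Sigma hit listed under Signatures ("MSBuild connects to smtp port") and the process tree above (MSBuild.exe spawned by rPaymentAdvice-PDF.exe, then connecting to 212.146.84.76:587) can both be expressed as checks over Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. The Python below is an added example, not Joe Security's Sigma rule or any code from the report. The records for rPaymentAdvice-PDF.exe and MSBuild.exe are constructed from the PIDs, paths, hashes and connection tuple the report shows (the explorer.exe parent is assumed); the devenv.exe and OUTLOOK.EXE records are made-up benign contrast cases; the list of parents from which MSBuild is expected to run is an assumption of mine.

```python
"""Sysmon-style detections for the behaviour in this report (added example).

Event records are constructed: the rPaymentAdvice-PDF.exe / MSBuild.exe records
reuse the PIDs, paths, hashes and connection tuple shown in the report; the
devenv.exe and OUTLOOK.EXE records are made-up benign contrast cases.
"""

SMTP_PORTS = {25, 465, 587}  # relay and submission ports; 587 is what the sample used

# Assumption (not from the report): parents from which MSBuild.exe is normally launched.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "vbcscompiler.exe"}

# IOCs copied from the report.
IOC_DEST_IPS = {"212.146.84.76"}
IOC_MD5 = {"cc74321fe70654e82ead4093093b0116"}
IOC_SHA256 = {"8819d137ba69b96b3f3c28cca74603e86c4ecea2c821e5332452a51258176439"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_hashes(field: str) -> dict:
    """Parse Sysmon's 'MD5=...,SHA256=...' Hashes field into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def rule_msbuild_smtp(ev: dict) -> bool:
    """Event ID 3: MSBuild.exe initiating TCP to an SMTP port (the logic of the Sigma hit)."""
    return (
        ev.get("EventID") == 3
        and ev.get("Protocol") == "tcp"
        and ev.get("Initiated") is True
        and image_name(ev.get("Image", "")) == "msbuild.exe"
        and int(ev.get("DestinationPort", 0)) in SMTP_PORTS
    )


def rule_msbuild_odd_parent(ev: dict) -> bool:
    """Event ID 1: MSBuild.exe started by something other than a build tool (process tree)."""
    return (
        ev.get("EventID") == 1
        and image_name(ev.get("Image", "")) == "msbuild.exe"
        and image_name(ev.get("ParentImage", "")) not in EXPECTED_MSBUILD_PARENTS
    )


def rule_known_ioc(ev: dict) -> bool:
    """Either event type: destination IP or file hash matches an IOC from the report."""
    hashes = parse_hashes(ev.get("Hashes", ""))
    return (
        ev.get("DestinationIp") in IOC_DEST_IPS
        or hashes.get("MD5") in IOC_MD5
        or hashes.get("SHA256") in IOC_SHA256
    )


RULES = {
    "msbuild_smtp": rule_msbuild_smtp,
    "msbuild_odd_parent": rule_msbuild_odd_parent,
    "known_ioc": rule_known_ioc,
}


def detect(events) -> list:
    """Return (rule name, ProcessId) for every rule that fires on every event, in input order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("ProcessId")))
    return hits


EVENTS = [
    # Built from the report: the sample starting (hashes from General Information; parent assumed).
    {"EventID": 1, "ProcessId": 3620,
     "Image": r"C:\Users\user\Desktop\rPaymentAdvice-PDF.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=CC74321FE70654E82EAD4093093B0116,"
               "SHA256=8819D137BA69B96B3F3C28CCA74603E86C4ECEA2C821E5332452A51258176439"},
    # Built from the report's process tree: MSBuild.exe spawned by the sample.
    {"EventID": 1, "ProcessId": 4196, "ParentProcessId": 3620,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "ParentImage": r"C:\Users\user\Desktop\rPaymentAdvice-PDF.exe",
     "Hashes": "MD5=8FDF47E0FF70C40ED3A17014AEEA4232"},
    # The network connection with the field values listed in the Networking section.
    {"EventID": 3, "ProcessId": 4196, "Protocol": "tcp", "Initiated": True,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "SourceIp": "192.168.2.6", "SourcePort": 49715,
     "DestinationIp": "212.146.84.76", "DestinationPort": 587},
    # Made-up benign cases: a real build from Visual Studio, and a mail client on 587.
    {"EventID": 1, "ProcessId": 7000,
     "Image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"EventID": 3, "ProcessId": 7000, "Protocol": "tcp", "Initiated": True,
     "Image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 8000, "Protocol": "tcp", "Initiated": True,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.25", "DestinationPort": 587},
]

if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:<20} pid={pid}")
```

The port rule alone is what the Sigma title describes; pairing it with the parent-process rule is what separates this sample's use of MSBuild.exe as an injection host from a build server that also happens to send mail, and the IOC rule shows why hashing is the weakest of the three: the MSBuild.exe hash is a clean Microsoft binary and only the dropper's hash and the C2 address match.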


                    AV Detection

Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack  Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.motek.ro", "Username": "office@motek.ro", "Password": "[_QR4eY?2cHe"}
Source: rPaymentAdvice-PDF.exe  ReversingLabs: Detection: 26%
Source: Submitted Sample  Integrated Neural Analysis Model: Matched 99.8% probability

                    Exploits

Source: Yara match  File source: 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620, type: MEMORYSTR
Source: rPaymentAdvice-PDF.exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: indoC:\Windows\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdbo source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: 0C:\Windows\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: System.Core.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: symbols\dll\System.pdb.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERFFAD.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2187838193.0000024E6C387000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbll source: rPaymentAdvice-PDF.exe, 00000000.00000002.2187838193.0000024E6C387000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb?lN source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp