Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DHL Shipping documents 0020398484995500.exe

Overview

General Information

Sample name:DHL Shipping documents 0020398484995500.exe
Analysis ID:1523785
MD5:1506261e1a6e12c9eadfcbe91a859f76
SHA1:061aa09172c0daef3fc975919a02413ab3a6f01e
SHA256:0dc8ced22931e20ec965bc36c06a974016fe223434d9553007b4a6c04973b2cb
Tags:DHLDHLIndonesiaexeuser-ngokoptmp
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
SourceRuleDescriptionAuthorStrings
00000003.00000002.4517263503.0000000002EBC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000003.00000002.4517263503.0000000002E91000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000003.00000002.4513145018.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 6 entries
            SourceRuleDescriptionAuthorStrings
            3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x33afd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x33b6f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x33bf9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x33c8b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x33cf5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x33d67:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x33dfd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x33e8d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpackMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
                • 0x30e3d:$s2: GetPrivateProfileString
                • 0x30540:$s3: get_OSFullName
                • 0x31c11:$s5: remove_Key
                • 0x31dd9:$s5: remove_Key
                • 0x32d01:$s6: FtpWebRequest
                • 0x33adf:$s7: logins
                • 0x34051:$s7: logins
                • 0x36d62:$s7: logins
                • 0x36e14:$s7: logins
                • 0x38766:$s7: logins
                • 0x379ae:$s9: 1.85 (Hash, version 2, native byte-order)
                0.2.DHL Shipping documents 0020398484995500.exe.405c9b0.1.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  Click to see the 7 entries
                  No Sigma rule has matched
                  No Suricata rule has matched

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Source: DHL Shipping documents 0020398484995500.exeAvira: detected
                  Source: 3.2.DHL Shipping documents 0020398484995500.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
                  Source: ftp.concaribe.comVirustotal: Detection: 6%Perma Link
                  Source: http://ftp.concaribe.comVirustotal: Detection: 6%Perma Link
                  Source: DHL Shipping documents 0020398484995500.exeReversingLabs: Detection: 34%
                  Source: DHL Shipping documents 0020398484995500.exeVirustotal: Detection: 40%Perma Link
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Source: DHL Shipping documents 0020398484995500.exeJoe Sandbox ML: detected
                  Source: DHL Shipping documents 0020398484995500.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49706 version: TLS 1.2
                  Source: DHL Shipping documents 0020398484995500.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                  Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                  Source: Joe Sandbox ViewIP Address: 192.185.13.234 192.185.13.234
                  Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: api.ipify.org
                  Source: unknownDNS query: name: api.ipify.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                  Source: