Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1631015
MD5:7c10269accd9402f875380a067bb0c37
SHA1:d5a4e57fd07f3251926e1c46c773b80126f08a0a
SHA256:143c0a3eb39da23c81043a3c1ef0a7e83321b467e2bb6f55102c87277f8fc79e
Tags:exeuser-James_inthe_box
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7C10269ACCD9402F875380A067BB0C37)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.rvoccte.com", "Username": "tempfile_canrechangepassword@rvoccte.com", "Password": "DDX#celx0w9_"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
file.exeJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    file.exeJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      file.exeINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
      • 0x3443d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
      • 0x344af:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
      • 0x34539:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
      • 0x345cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
      • 0x34635:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
      • 0x346a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
      • 0x3473d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
      • 0x347cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
      file.exeMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
      • 0x315a6:$s2: GetPrivateProfileString
      • 0x30c83:$s3: get_OSFullName
      • 0x322fb:$s5: remove_Key
      • 0x324b5:$s5: remove_Key
      • 0x333de:$s6: FtpWebRequest
      • 0x3441f:$s7: logins
      • 0x34991:$s7: logins
      • 0x37680:$s7: logins
      • 0x37754:$s7: logins
      • 0x390a9:$s7: logins
      • 0x382ee:$s9: 1.85 (Hash, version 2, native byte-order)

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000000.1663343367.0000000000692000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000000.00000000.1663343367.0000000000692000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000000.00000002.2926155579.0000000002A35000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Process Memory Space: file.exe PID: 6212JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Process Memory Space: file.exe PID: 6212JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.0.file.exe.690000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  0.0.file.exe.690000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    0.0.file.exe.690000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                    • 0x3443d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                    • 0x344af:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                    • 0x34539:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                    • 0x345cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                    • 0x34635:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                    • 0x346a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                    • 0x3473d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                    • 0x347cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                    0.0.file.exe.690000.0.unpackMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
                    • 0x315a6:$s2: GetPrivateProfileString
                    • 0x30c83:$s3: get_OSFullName
                    • 0x322fb:$s5: remove_Key
                    • 0x324b5:$s5: remove_Key
                    • 0x333de:$s6: FtpWebRequest
                    • 0x3441f:$s7: logins
                    • 0x34991:$s7: logins
                    • 0x37680:$s7: logins
                    • 0x37754:$s7: logins
                    • 0x390a9:$s7: logins
                    • 0x382ee:$s9: 1.85 (Hash, version 2, native byte-order)

                    Sigma Signatures

                    No Sigma rule has matched

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: file.exeAvira: detected
                    Found malware configuration
                    Source: file.exeMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.rvoccte.com", "Username": "tempfile_canrechangepassword@rvoccte.com", "Password": "DDX#celx0w9_"}
                    Multi AV Scanner detection for submitted file
                    Source: file.exeVirustotal: Detection: 77%Perma Link
                    Source: file.exeReversingLabs: Detection: 84%
                    Joe Sandbox ML detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: unknownDNS query: name: ip-api.com
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                    Source: file.exe, 00000000.00000002.2926155579.0000000002ADC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2926155579.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2926155579.0000000002AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                    Source: file.exeString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: file.exe, 00000000.00000002.2926155579.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2926155579.0000000002AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: file.exeString found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: file.exe, 3DlgK9re6m.cs.Net Code: VUIW0Y

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: file.exe, type: SAMPLEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: file.exe, type: SAMPLEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.0.file.exe.690000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.0.file.exe.690000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F1A6280_2_00F1A628
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F14A800_2_00F14A80
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F1DA600_2_00F1DA60
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F13E680_2_00F13E68
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F141B00_2_00F141B0
                    Source: file.exe, 00000000.00000002.2925290030.0000000000AF8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
                    Source: file.exe, 00000000.00000002.2925306779.0000000000B5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
                    Source: file.exe, 00000000.00000000.1663370786.00000000006CE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename924b0ba6-e74e-4c09-aebe-86b4db498070.exe4 vs file.exe
                    Source: file.exeBinary or memory string: OriginalFilename924b0ba6-e74e-4c09-aebe-86b4db498070.exe4 vs file.exe
                    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: file.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: file.exe, type: SAMPLEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.0.file.exe.690000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.0.file.exe.690000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: file.exe, slKb.csCryptographic APIs: 'TransformFinalBlock'
                    Source: file.exe, mAKJ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: file.exe, xQRSe0Fg.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: file.exe, n3rhMa.csCryptographic APIs: 'CreateDecryptor'
                    Source: file.exe, MQzE4FWn.csCryptographic APIs: 'TransformFinalBlock'
                    Source: file.exe, nSmgRyX5a1.csCryptographic APIs: 'TransformFinalBlock'
                    Source: file.exe, 6IMLmJtk.csCryptographic APIs: 'TransformFinalBlock'
                    Source: file.exe, 6IMLmJtk.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: file.exe, 3HroK7qN.csCryptographic APIs: 'TransformFinalBlock'
                    Source: file.exe, 3HroK7qN.csCryptographic APIs: 'TransformFinalBlock'
                    Source: file.exeBinary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.(
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
                    Source: C:\Users\user\Desktop\file.exeMutant created: NULL
                    Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: file.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: file.exe, 00000000.00000002.2926155579.0000000002AFA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: file.exeVirustotal: Detection: 77%
                    Source: file.exeReversingLabs: Detection: 84%
                    Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Check if machine is in data center or colocation facility
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: file.exeBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\file.exeMemory allocated: F10000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\file.exeMemory allocated: 2A00000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\file.exeMemory allocated: 4A00000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: file.exe, 00000000.00000002.2926155579.0000000002A35000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                    Source: file.exeBinary or memory string: vmware
                    Source: file.exeBinary or memory string: VMwareVBox
                    Source: file.exe, 00000000.00000002.2925306779.0000000000C2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    barindex
                    Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F17068 CheckRemoteDebuggerPresent,0_2_00F17068
                    Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior
                    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: file.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.file.exe.690000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.1663343367.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: file.exe PID: 6212, type: MEMORYSTR
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: file.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.file.exe.690000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.1663343367.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2926155579.0000000002A35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: file.exe PID: 6212, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: file.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.file.exe.690000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.1663343367.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: file.exe PID: 6212, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts231
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		24
                    Virtualization/Sandbox Evasion                    		1
                    OS Credential Dumping                    		531
                    Security Software Discovery                    		Remote Services1
                    Email Collection                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                    Disable or Modify Tools                    		1
                    Input Capture                    		24
                    Virtualization/Sandbox Evasion                    		Remote Desktop Protocol1
                    Input Capture                    		1
                    Ingress Tool Transfer                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
                    Deobfuscate/Decode Files or Information                    		Security Account Manager1
                    Process Discovery                    		SMB/Windows Admin Shares11
                    Archive Collected Data                    		2
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                    DLL Side-Loading                    		NTDS1
                    System Network Configuration Discovery                    		Distributed Component Object Model1
                    Data from Local System                    		2
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
                    File and Directory Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials34
                    System Information Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.