Analysis Report w1Bg82lgdc.exe

Overview

General Information

Sample Name:w1Bg82lgdc.exe
MD5:c22fb2cd44fd947b974c3925463f3722
SHA1:ee937b6c274c3132c63232685ac616d18fd9d041
SHA256:984c40f793e0939e252c99adbbb5670ff6bb6019b5f7a393cd1d05dcc9cef865

Detection

AgentTesla
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for sample
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Contains functionality to inject code into remote processes
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample file is different than original file name gathered from version info

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.798222249.0000000005590000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.795472626.0000000004340000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.796110366.0000000004561000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: w1Bg82lgdc.exe PID: 4416 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.w1Bg82lgdc.exe.5590000.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.w1Bg82lgdc.exe.5590000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for sample
Source: w1Bg82lgdc.exe | Avira: detection malicious, Label: HEUR/AGEN.1039761
Multi AV Scanner detection for submitted file
Source: w1Bg82lgdc.exe | Virustotal: Detection: 58%
Source: w1Bg82lgdc.exe | ReversingLabs: Detection: 77%
Machine Learning detection for sample
Source: w1Bg82lgdc.exe | Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Code function: 0_2_05530054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_05530054
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Code function: 0_2_05530000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_05530000
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Code function: 0_2_02F70090 0_2_02F70090
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Code function: 0_2_02F71500 0_2_02F71500
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Code function: 0_2_02F704E0 0_2_02F704E0
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Code function: 0_2_02F714F1 0_2_02F714F1
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Code function: 0_2_02F71A71 0_2_02F71A71
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Code function: 0_2_02F70081 0_2_02F70081
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Code function: 0_2_02F71A80 0_2_02F71A80
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Code function: 0_2_02F72808 0_2_02F72808
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 72
Source: w1Bg82lgdc.exe, 00000000.00000002.798222249.0000000005590000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameIELibrary.dll4 vs w1Bg82lgdc.exe
Source: w1Bg82lgdc.exe, 00000000.00000002.798222249.0000000005590000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamefirefox.exe4 vs w1Bg82lgdc.exe
Source: w1Bg82lgdc.exe, 00000000.00000002.798222249.0000000005590000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameUAUIQGNKHQOSDFGOBYWFGNSKIMGXYJHCDURSDFXP_20190305061405120.exe4 vs w1Bg82lgdc.exe
Source: w1Bg82lgdc.exe, 00000000.00000002.798031541.0000000005490000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs w1Bg82lgdc.exe
Source: w1Bg82lgdc.exe, 00000000.00000000.777794111.0000000000C72000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameizuchi.exe0 vs w1Bg82lgdc.exe
Source: w1Bg82lgdc.exe, 00000002.00000002.1635448357.00000000002E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameizuchi.exe0 vs w1Bg82lgdc.exe
Source: w1Bg82lgdc.exe | Binary or memory string: OriginalFilenameizuchi.exe0 vs w1Bg82lgdc.exe
Source: w1Bg82lgdc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal72.troj.evad.winEXE@4/1@0/0
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\w1Bg82lgdc.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1428
Source: w1Bg82lgdc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: w1Bg82lgdc.exe | Virustotal: Detection: 58%
Source: w1Bg82lgdc.exe | ReversingLabs: Detection: 77%
Source: unknown | Process created: C:\Users\user\Desktop\w1Bg82lgdc.exe 'C:\Users\user\Desktop\w1Bg82lgdc.exe'
Source: unknown | Process created: C:\Users\user\Desktop\w1Bg82lgdc.exe C:\Users\user\Desktop\w1Bg82lgdc.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 72
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Process created: C:\Users\user\Desktop\w1Bg82lgdc.exe C:\Users\user\Desktop\w1Bg82lgdc.exe
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: w1Bg82lgdc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: w1Bg82lgdc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: w1Bg82lgdc.exe, 00000000.00000002.798222249.0000000005590000.00000040.00000001.sdmp
Source: Binary string: mscorrc.pdb source: w1Bg82lgdc.exe, 00000000.00000002.798031541.0000000005490000.00000002.00000001.sdmp

Source: initial sample | Static PE information: section name: .text entropy: 7.99488457573

Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Process information set: NOOPENFILEERRORBOX (22 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe TID: 4348 | Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Code function: 0_2_05530054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_05530054
Source: C:\Users\user\Desktop\w1Bg82lgdc.exe | Process created: C:\Users\user\Desktop\w1Bg82lgdc.exe C:\Users\user\Desktop\w1Bg82lgdc.exe

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.798222249.0000000005590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.795472626.0000000004340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.796110366.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: w1Bg82lgdc.exe PID: 4416, type: MEMORY
Source: Yara match | File source: 0.2.w1Bg82lgdc.exe.5590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.w1Bg82lgdc.exe.5590000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.798222249.0000000005590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.795472626.0000000004340000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.796110366.0000000004561000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: w1Bg82lgdc.exe PID: 4416, type: MEMORY
Source: Yara match | File source: 0.2.w1Bg82lgdc.exe.5590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.w1Bg82lgdc.exe.5590000.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed here by tactic (column); the number after a technique name is the report's matched-signature count for that technique.

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link
Execution: Windows Remote Management, Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface
Persistence: Winlogon Helper DLL, Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service
Privilege Escalation: Process Injection 111, Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service
Defense Evasion: Masquerading 1, Software Packing 2, Disabling Security Tools 1, Virtualization/Sandbox Evasion 3, Process Injection 111, Obfuscated Files or Information 1
Credential Access: Credential Dumping, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force
Discovery: Virtualization/Sandbox Evasion 3, Security Software Discovery 1, System Information Discovery 1, System Network Configuration Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture
Exfiltration: Data Encrypted 1, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol 1, Fallback Channels, Custom Cryptographic Protocol, Multiband Communication, Standard Cryptographic Protocol, Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
Impact: Modify System Partition, Device Lockout, Delete Device Data

Behavior Graph

Screenshots
