Analysis Report SecuriteInfo.com.Trojan.MulDrop16.9965.2278.18780

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.18780 (renamed file extension from 18780 to exe)
Analysis ID: 345042
MD5: e750511892ab532fb2147f4537dabcfd
SHA1: d78aa528d38fa57bd3a5bf591cbd4437ebcdf377
SHA256: 4328e4ac330339d884b95d99128404d4f8b5d6b695a9f583ff4c3f3a61ac4ff8

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\XdwuEt.exe Virustotal: Detection: 35% Perma Link
Source: C:\Users\user\AppData\Roaming\XdwuEt.exe ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Virustotal: Detection: 35% Perma Link
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe ReversingLabs: Detection: 13%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\XdwuEt.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Joe Sandbox ML: detected

Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225631461.0000000002DD1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.226077491.0000000012DE1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Code function: 3_2_00909369 3_2_00909369
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Code function: 4_2_00179369 4_2_00179369
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Code function: 5_2_00E99369 5_2_00E99369
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Code function: 6_2_006E9369 6_2_006E9369
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Code function: 7_2_00F39369 7_2_00F39369
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000000.213372307.0000000000982000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalActivator.exe vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225583426.0000000002C00000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSoapName.dll2 vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.229284290.000000001B760000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225597685.0000000002C60000.00000002.00000001.sdmp Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225597685.0000000002C60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225528629.0000000002B30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.226077491.0000000012DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePositiveSign.dll< vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.226077491.0000000012DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameblDfexytmIsjktOhVhedavVGNLfjoGevXVht.exe4 vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225398705.0000000000F4B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000003.00000000.221181067.0000000000902000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalActivator.exe vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000004.00000002.222227234.0000000000172000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalActivator.exe vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000005.00000000.223073350.0000000000E92000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalActivator.exe vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000006.00000000.223922655.00000000006E2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalActivator.exe vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000007.00000002.224874903.0000000000F32000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalActivator.exe vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Binary or memory string: OriginalFilenameLocalActivator.exe vs SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XdwuEt.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal96.troj.evad.winEXE@14/4@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe File created: C:\Users\user\AppData\Roaming\XdwuEt.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Mutant created: \Sessions\1\BaseNamedObjects\bekswvIDa
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4700:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe File created: C:\Users\user\AppData\Local\Temp\tmpCBF8.tmp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Virustotal: Detection: 35%
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe'
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XdwuEt' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBF8.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XdwuEt' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBF8.tmp' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: initial sample Static PE information: section name: .text entropy: 7.80365257713

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe File created: C:\Users\user\AppData\Roaming\XdwuEt.exe Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XdwuEt' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBF8.tmp'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.225631461.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.225667409.0000000002E28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe PID: 5660, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225667409.0000000002E28000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225667409.0000000002E28000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Code function: 3_2_0090471C sldt word ptr [edx] 3_2_0090471C
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe TID: 5936 Thread sleep time: -53886s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe TID: 6136 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225667409.0000000002E28000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225667409.0000000002E28000.00000004.00000001.sdmp Binary or memory string: vmware
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225667409.0000000002E28000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225667409.0000000002E28000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XdwuEt' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBF8.tmp' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.226077491.0000000012DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe PID: 5660, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.226077491.0000000012DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe PID: 5660, type: MEMORY

No Screenshots

Behavior Graph

Behavior Graph ID: 345042
Sample: SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Startdate: 27/01/2021
Architecture: WINDOWS
Score: 96

Top-level signatures shown in the graph: Multi AV Scanner detection for dropped file; Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 6 other signatures.

Process tree (as rendered in the graph):
  • SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe (started)
      Dropped files:
        C:\Users\user\AppData\Roaming\XdwuEt.exe, PE32
        C:\Users\user\...\XdwuEt.exe:Zone.Identifier, ASCII
        C:\Users\user\AppData\Local\...\tmpCBF8.tmp, XML
        SecuriteInfo.com.T...6.9965.2278.exe.log, ASCII
      Child processes:
        schtasks.exe (started)
            conhost.exe (started)
        SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe (started)
        SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe (started)
        3 other processes
No contacted IP infos