

Windows Analysis Report Purchase Order No. XIV21623..exe

Overview

General Information

Sample Name: Purchase Order No. XIV21623..exe
Analysis ID: 532633
MD5: 5e5c83d04f20a03826b8cd80d2c4a0b5
SHA1: 840248f524917151d9b44dda32cbb32ab1fd7d80
SHA256: 62c4b3a0c365726907f0ac94621c85f5c52056eb94653b151144cc841502e916
Tags: agenttesla exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Executable has a suspicious name (potential lure to open the executable)
Machine Learning detection for sample
.NET source code contains potential unpacker
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious aspnet_compiler.exe Execution
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Process Tree

  • System is w10x64
  • Purchase Order No. XIV21623..exe (PID: 496 cmdline: "C:\Users\user\Desktop\Purchase Order No. XIV21623..exe" MD5: 5E5C83D04F20A03826B8CD80D2C4A0B5)
    • aspnet_compiler.exe (PID: 1552 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "anjay@peoplesource.in", "Password": "Admin@12345", "Host": "mail.peoplesource.in"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
Process Memory Space: Purchase Order No. XIV21623..exe PID: 496 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Purchase Order No. XIV21623..exe.13454660.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Purchase Order No. XIV21623..exe.13454660.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.Purchase Order No. XIV21623..exe.13454660.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Purchase Order No. XIV21623..exe.13454660.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspicious aspnet_compiler.exe Execution
Source: Process started - Author: frack113 - Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order No. XIV21623..exe", ParentImage: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe, ParentProcessId: 496, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 1552

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Purchase Order No. XIV21623..exe - Avira: detected
Found malware configuration
Source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.unpack - Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "anjay@peoplesource.in", "Password": "Admin@12345", "Host": "mail.peoplesource.in"}
Multi AV Scanner detection for submitted file
Source: Purchase Order No. XIV21623..exe - ReversingLabs: Detection: 35%
Machine Learning detection for sample
Source: Purchase Order No. XIV21623..exe - Joe Sandbox ML: detected
Source: 0.0.Purchase Order No. XIV21623..exe.810000.0.unpack - Avira: Label: TR/Dropper.MSIL.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Unpacked PE file: 0.2.Purchase Order No. XIV21623..exe.810000.0.unpack
Source: Purchase Order No. XIV21623..exe - Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Purchase Order No. XIV21623..exe - Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ?????????????c.pdb source: Purchase Order No. XIV21623..exe, 00000000.00000002.248225365.0000000000ED0000.00000004.00020000.sdmp
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp - String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample - Static PE information: Filename: Purchase Order No. XIV21623..exe
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order No. XIV21623..exe - Static file information: Suspicious name
Source: Purchase Order No. XIV21623..exe - Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.247943652.0000000000850000.00000002.00020000.sdmp - Binary or memory string: OriginalFilenametaker.exeP vs Purchase Order No. XIV21623..exe
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.248225365.0000000000ED0000.00000004.00020000.sdmp - Binary or memory string: OriginalFilename8l vs Purchase Order No. XIV21623..exe
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp - Binary or memory string: OriginalFilenametnCUHxlBGCKFCsHpcbSvLqLWGfKD.exe4 vs Purchase Order No. XIV21623..exe
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.248059960.0000000000D19000.00000004.00000020.sdmp - Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order No. XIV21623..exe
Source: Purchase Order No. XIV21623..exe - Binary or memory string: OriginalFilenametaker.exeP vs Purchase Order No. XIV21623..exe
Source: Purchase Order No. XIV21623..exe - Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Code function: 0_2_00007FFA1D941D0D
Source: Purchase Order No. XIV21623..exe - Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Purchase Order No. XIV21623..exe - ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: unknown - Process created: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe "C:\Users\user\Desktop\Purchase Order No. XIV21623..exe"
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Purchase Order No. XIV21623..exe.log
Source: classification engine - Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Purchase Order No. XIV21623..exe - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Order No. XIV21623..exe - Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ?????????????c.pdb source: Purchase Order No. XIV21623..exe, 00000000.00000002.248225365.0000000000ED0000.00000004.00020000.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Unpacked PE file: 0.2.Purchase Order No. XIV21623..exe.810000.0.unpack
.NET source code contains potential unpacker
Source: Purchase Order No. XIV21623..exe, c5b09415cd7b0c75252f1d37810bcc5d0.cs - .Net Code: c08af4a61b44020d61ee70e0d21a00651 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Purchase Order No. XIV21623..exe.810000.0.unpack, c5b09415cd7b0c75252f1d37810bcc5d0.cs - .Net Code: c08af4a61b44020d61ee70e0d21a00651 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Purchase Order No. XIV21623..exe.810000.0.unpack, c5b09415cd7b0c75252f1d37810bcc5d0.cs - .Net Code: c08af4a61b44020d61ee70e0d21a00651 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Code function: 0_2_00007FFA1D94518E push edx; iretd 0_2_00007FFA1D945191
Source: initial sample - Static PE information: section name: .text entropy: 7.96708162926
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Process information set: NOOPENFILEERRORBOX (repeated 16 times)
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe TID: 2072 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Process information queried: ProcessInformation
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp - Binary or memory string: !`0QYYJVMcIQ
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Queries volume information: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match - File source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: Purchase Order No. XIV21623..exe PID: 496, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match - File source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: Purchase Order No. XIV21623..exe PID: 496, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing23 | NTDS | System Information Discovery12 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection11 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
