Windows Analysis Report
pago del 20.01.2022.PDF______________________________________.exe

Overview

General Information

Sample Name: pago del 20.01.2022.PDF______________________________________.exe
Analysis ID: 558278
MD5: 4a3d98a8485779447c637caf1ccad892
SHA1: 972e617044f41500d54c0a9bc9304094fac5f1b4
SHA256: ab9d325dda36e6f2f7f74aa65c067a67d24b6247271b27d997520593b7105d7d
Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • pago del 20.01.2022.PDF______________________________________.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: 4A3D98A8485779447C637CAF1CCAD892)
    • CasPol.exe (PID: 760 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 4000 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6872 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware configuration

GuLoader: {"Payload URL": "https://drive.google.com/uc?export=downl"}
AgentTesla: {"Exfil Mode": "SMTP", "SMTP Info": "droidyandex@centraldefiltros.clicui4cu2@@mail.centraldefiltros.cldroidyandexreports@centraldefiltros.cl"}

Source; Rule; Description; Author; Strings
00000011.00000000.336536519.00000000011B0000.00000040.00000001.sdmp; JoeSecurity_GuLoader_2; Yara detected GuLoader; Joe Security
00000000.00000000.274115774.000000000040B000.00000020.00020000.sdmp; LokiBot_Dropper_Packed_R11_Feb18; Auto-generated rule - file scan copy.pdf.r11; Florian Roth
  • 0x3f8c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.381759640.000000000040B000.00000020.00020000.sdmp; LokiBot_Dropper_Packed_R11_Feb18; Auto-generated rule - file scan copy.pdf.r11; Florian Roth
  • 0x3f8c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000011.00000002.548336072.000000001E151000.00000004.00000001.sdmp; JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
00000011.00000002.548336072.000000001E151000.00000004.00000001.sdmp; JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security
No Sigma rule has matched



AV Detection

Source: 00000011.00000000.336536519.00000000011B0000.00000040.00000001.sdmp; Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downl"}
Source: CasPol.exe.6852.14.memstrmin; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "droidyandex@centraldefiltros.clicui4cu2@@mail.centraldefiltros.cldroidyandexreports@centraldefiltros.cl"}
Source: pago del 20.01.2022.PDF______________________________________.exe; Virustotal: Detection: 17%
Source: pago del 20.01.2022.PDF______________________________________.exe; Metadefender: Detection: 23%
Source: pago del 20.01.2022.PDF______________________________________.exe; ReversingLabs: Detection: 64%
Source: pago del 20.01.2022.PDF______________________________________.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown; HTTPS traffic detected: 216.58.205.78:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 216.58.198.33:443 -> 192.168.2.3:49748 version: TLS 1.2

Networking

Source: Malware configuration extractor; URLs: https://drive.google.com/uc?export=downl
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected:
  GET /uc?export=download&id=1BKTAGEWv-q5Ke_0MnBa_Ml90CTgLrdi9 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
  GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/t5k36709iuadumo1ammtf5pl877g3aab/1642928325000/08383092466185559033/*/1BKTAGEWv-q5Ke_0MnBa_Ml90CTgLrdi9?e=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Cache-Control: no-cache
  Host: doc-00-6k-docs.googleusercontent.com
  Connection: Keep-Alive
Source: unknown; Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49746
Source: CasPol.exe, 00000011.00000002.548336072.000000001E151000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000011.00000002.548336072.000000001E151000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: pago del 20.01.2022.PDF______________________________________.exe