Windows Analysis Report
pago del 20.01.2022.PDF______________________________________.exe

Overview

General Information

Sample Name: pago del 20.01.2022.PDF______________________________________.exe
Analysis ID: 558577
MD5: 4a3d98a8485779447c637caf1ccad892
SHA1: 972e617044f41500d54c0a9bc9304094fac5f1b4
SHA256: ab9d325dda36e6f2f7f74aa65c067a67d24b6247271b27d997520593b7105d7d

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • pago del 20.01.2022.PDF______________________________________.exe (PID: 6452 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: 4A3D98A8485779447C637CAF1CCAD892)
    • CasPol.exe (PID: 2132 cmdline: "C:\Users\user\Desktop\pago del 20.01.2022.PDF______________________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
      • conhost.exe (PID: 2976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Malware configuration (GuLoader): {"Payload URL": "https://drive.google.com/uc?export=downl"}
Malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "SMTP Info": "droidyandex@centraldefiltros.clicui4cu2@@mail.centraldefiltros.cldroidyandexreports@centraldefiltros.cl"}
Yara matches

Source | Rule | Description | Author | Strings
00000000.00000002.371007980.000000000040B000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x3f8c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000000.274792398.000000000040B000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x3f8c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000D.00000000.325076127.0000000000D00000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
No Sigma rule has matched

AV Detection

Source: 0000000D.00000000.325076127.0000000000D00000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downl"}
Source: conhost.exe.2976.15.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "droidyandex@centraldefiltros.clicui4cu2@@mail.centraldefiltros.cldroidyandexreports@centraldefiltros.cl"}
Source: pago del 20.01.2022.PDF______________________________________.exe | Virustotal: Detection: 53%
Source: pago del 20.01.2022.PDF______________________________________.exe | Metadefender: Detection: 23%
Source: pago del 20.01.2022.PDF______________________________________.exe | ReversingLabs: Detection: 57%
Source: pago del 20.01.2022.PDF______________________________________.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 216.58.205.78:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.198.33:443 -> 192.168.2.3:49786 version: TLS 1.2

Networking

Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=downl
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1BKTAGEWv-q5Ke_0MnBa_Ml90CTgLrdi9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/terpfju9qddp0r9mjehva49e9rt3lobm/1643010900000/08383092466185559033/*/1BKTAGEWv-q5Ke_0MnBa_Ml90CTgLrdi9?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-00-6k-docs.googleusercontent.com | Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: CasPol.exe, 0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: pago del 20.01.2022.PDF______________________________________.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: pago del 20.01.2022.PDF______________________________________.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 0000000D.00000003.364907661.000000000102F000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.544453919.0000000001029000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: pago del 20.01.2022.PDF______________________________________.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: pago del 20.01.2022.PDF______________________________________.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: pago del 20.01.2022.PDF______________________________________.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: pago del 20.01.2022.PDF______________________________________.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp | String found in binary or memory: http://mglNPC.com
Source: pago del 20.01.2022.PDF______________________________________.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: pago del 20.01.2022.PDF______________________________________.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: pago del 20.01.2022.PDF______________________________________.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 0000000D.00000003.364907661.000000000102F000.00000004.00000001.sdmp, CasPol.exe, 0000000D.00000002.544372729.0000000001004000.00000004.00000020.sdmp | String found in binary or memory: https://doc-00-6k-docs.googleusercontent.com/
Source: CasPol.exe, 0000000D.00000002.544453919.0000000001029000.00000004.00000020.sdmp | String found in binary or memory: https://doc-00-6k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/terpfju9
Source: CasPol.exe, 0000000D.00000002.544265522.0000000000FD3000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 0000000D.00000002.544265522.0000000000FD3000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1BKTAGEWv-q5Ke_0MnBa_Ml90CTgLrdi9
Source: pago del 20.01.2022.PDF______________________________________.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: CasPol.exe, 0000000D.00000002.548386393.000000001DB81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: pago del 20.01.2022.PDF______________________________________.exe, 00000000.00000002.371207766.000000000079A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary