Windows Analysis Report
b2.exe

Overview

General Information

Sample Name: b2.exe
Analysis ID: 626045
MD5: b23f3235c02c47b25ea90d9830aa37c7
SHA1: 8dbaf4ec74cc2710582157100afe98ff9158d994
SHA256: 46b7d84280339d0b887a8e225d0649e1fcf86302bd553c33716b9c42d3894cc7
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Tries to detect virtualization through RDTSC time measurements
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 12.0.b2.exe.400000.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1329186530", "Chat URL": "https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/sendDocument"}
Source: b2.exe.7148.12.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/sendMessage"}
Source: b2.exe Virustotal: Detection: 64%
Source: b2.exe ReversingLabs: Detection: 75%
Source: b2.exe Avira: detected
Source: b2.exe Joe Sandbox ML: detected
Source: 12.0.b2.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.b2.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.b2.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.b2.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 12.0.b2.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 12.2.b2.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: b2.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: b2.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: f.dll.0.dr

Networking

Source: Yara match File source: 12.0.b2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.b2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.4.unpack, type: UNPACKEDPE
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: f.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: f.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: f.dll.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: f.dll.0.dr String found in binary or memory: http://s2.symcb.com0
Source: f.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: f.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: f.dll.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: f.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: f.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: f.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: f.dll.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: f.dll.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xqtbof.com
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: b2.exe, 00000000.00000003.516030971.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.515670250.0000000006376000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.516280598.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.514691789.000000000636D000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.520969631.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.516074359.0000000006A14000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.519825219.0000000006A1A000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.515451731.0000000006376000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.518667846.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.519966505.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 0000000C.00000000.522653847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, b2.exe, 0000000C.00000000.522219203.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/sendDocumentdocument-----
Source: f.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: f.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: b2.exe, 00000000.00000003.516030971.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.515670250.0000000006376000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.516280598.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.514691789.000000000636D000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.520969631.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.516074359.0000000006A14000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.519825219.0000000006A1A000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.515451731.0000000006376000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.518667846.000000000637B000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 00000000.00000003.519966505.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp, b2.exe, 0000000C.00000000.522653847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, b2.exe, 0000000C.00000000.522219203.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: b2.exe, 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: b2.exe, 00000000.00000002.533971800.0000000000C09000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
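The two configuration-extractor lines in the AV Detection section and the memory strings above are the network indicators a responder carries forward: the Telegram bot token and chat ID used for exfiltration, the api.ipify.org lookup of the victim's public address, the Tor bundle download, and a set of certificate-chain URLs that belong to the dropped f.dll rather than to the stealer. The following is an added example, not part of the Joe Sandbox report: a Python extractor that pulls the bot ID, token, chat ID and Bot API methods out of such lines and tags every other host by role. SAMPLE_LINES are trimmed copies of report lines constructed here; the regular expressions, the role table and the 35-character token shape are this example's own assumptions.

```python
"""Extract network IOCs from sandbox 'String found' and config-extractor lines.

Added example for this report; not Joe Sandbox code. The regexes, the role
table and the 35-character Telegram token shape are assumptions of this
example, and SAMPLE_LINES are constructed from lines shown in the report.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SAMPLE_LINES = [
    'Source: 12.0.b2.exe.400000.4.unpack Malware Configuration Extractor: Agenttesla '
    '{"Exfil Mode": "Telegram", "Chat id": "1329186530", "Chat URL": '
    '"https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/sendDocument"}',
    'Source: b2.exe.7148.12.memstrmin Malware Configuration Extractor: Telegram RAT '
    '{"C2 url": "https://api.telegram.org/bot1324911145:AAEQBcai78GJtNdHHMwAX0xQhP0p7EcyOuo/sendMessage"}',
    "Source: b2.exe, 0000000C.00000002.sdmp String found in binary or memory: "
    "https://api.ipify.orgGETMozilla/5.0",
    "Source: b2.exe, 0000000C.00000002.sdmp String found in binary or memory: "
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
    "Source: b2.exe, 0000000C.00000002.sdmp String found in binary or memory: http://DynDns.comDynDNS",
    "Source: f.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0",
]

TOKEN_RE = re.compile(r"bot(\d+):([A-Za-z0-9_-]{35})")        # <bot id>:<35-char secret>
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[a-z]{2,})")  # stops at glued text such as 'GET'
CONFIG_RE = re.compile(r"Malware Configuration Extractor:[^{]*(\{.*\})")
TELEGRAM_METHODS = ("sendDocument", "sendMessage", "getMe", "getUpdates")

HOST_ROLES = {  # host suffix -> why the host is contacted (assumed roles)
    "api.telegram.org": "exfiltration (Telegram Bot API)",
    "api.ipify.org": "victim public IP lookup",
    "theonionrouter.com": "Tor bundle download",
    "thawte.com": "certificate chain URL embedded in the dropped f.dll",
    "symcb.com": "certificate chain URL embedded in the dropped f.dll",
    "symcd.com": "certificate chain URL embedded in the dropped f.dll",
    "symantec.com": "certificate chain URL embedded in the dropped f.dll",
    "symauth.com": "certificate chain URL embedded in the dropped f.dll",
}


@dataclass
class TelegramExfil:
    bot_id: str
    token: str
    chat_id: Optional[str] = None
    methods: Set[str] = field(default_factory=set)

    @property
    def base_url(self) -> str:
        return f"https://api.telegram.org/bot{self.bot_id}:{self.token}/"


def extract_iocs(lines: List[str]) -> Dict[str, object]:
    """Return the Telegram exfil channel, every host with its role, and the merged config."""
    telegram: Optional[TelegramExfil] = None
    hosts: Dict[str, str] = {}
    config: Dict[str, str] = {}
    for line in lines:
        m = CONFIG_RE.search(line)
        if m:
            try:
                config.update(json.loads(m.group(1)))
            except json.JSONDecodeError:
                pass  # extractor output that is not JSON: ignore it
        for bot_id, token in TOKEN_RE.findall(line):
            if telegram is None:
                telegram = TelegramExfil(bot_id, token)
            # the Bot API method follows the token; strings may be glued to other text
            tail = line.split(f"bot{bot_id}:{token}/", 1)[-1]
            for method in TELEGRAM_METHODS:
                if tail.startswith(method):
                    telegram.methods.add(method)
        for host in HOST_RE.findall(line):
            role = next((r for suffix, r in HOST_ROLES.items()
                         if host.lower().endswith(suffix)), "unknown")
            hosts[host] = role
    if telegram is not None:
        telegram.chat_id = config.get("Chat id")
    return {"telegram": telegram, "hosts": hosts, "config": config}
```

The bot ID and chat ID are the durable part of this sample: they survive repacking, so they make better pivot keys than the file hashes. The thawte/symcb/symantec URLs are certificate-chain locations found in f.dll (the Agile.NET runtime, per its PDB path) and are tagged as such rather than reported as command-and-control.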

System Summary

Source: 12.0.b2.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.b2.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.b2.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.b2.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.b2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.b2.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: b2.exe PID: 7148, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: b2.exe, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 0.0.b2.exe.4c0000.0.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 0.2.b2.exe.4c0000.0.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.9.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bFEC5A5F0u002d0C6Eu002d486Fu002d9208u002d7549C4E59E3Cu007d/u00332F6BFD2u002d9E8Bu002d4D29u002d8410u002dA27354B95FB9.cs Large array initialization: .cctor: array initializer size 12014
Source: 12.2.b2.exe.e00000.1.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.5.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.0.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.3.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.13.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.e00000.1.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007bFEC5A5F0u002d0C6Eu002d486Fu002d9208u002d7549C4E59E3Cu007d/u00332F6BFD2u002d9E8Bu002d4D29u002d8410u002dA27354B95FB9.cs Large array initialization: .cctor: array initializer size 12014
Source: 12.0.b2.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bFEC5A5F0u002d0C6Eu002d486Fu002d9208u002d7549C4E59E3Cu007d/u00332F6BFD2u002d9E8Bu002d4D29u002d8410u002dA27354B95FB9.cs Large array initialization: .cctor: array initializer size 12014
Source: 12.0.b2.exe.e00000.7.unpack, u0034cu003azu00400u002d6mwu00212u007c3siu003e87ru005bgu002c15ou0029bu003b/u0032su003eau007d68nu0029u002d7zxu00231.cs Large array initialization: 3f%s:74w(?2a0t[;6bn~1<5d9: array initializer size 151552
Source: 12.0.b2.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bFEC5A5F0u002d0C6Eu002d486Fu002d9208u002d7549C4E59E3Cu007d/u00332F6BFD2u002d9E8Bu002d4D29u002d8410u002dA27354B95FB9.cs Large array initialization: .cctor: array initializer size 12014
Source: 12.0.b2.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.b2.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.b2.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.b2.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.b2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.b2.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: b2.exe PID: 7148, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\b2.exe Code function: 0_2_00BEE3F8 0_2_00BEE3F8
Source: C:\Users\user\Desktop\b2.exe Code function: 0_2_00BEE3E9 0_2_00BEE3E9
Source: C:\Users\user\Desktop\b2.exe Code function: 0_2_00BE9BB0 0_2_00BE9BB0
Source: C:\Users\user\Desktop\b2.exe Code function: 0_2_00BE9BC0 0_2_00BE9BC0
Source: C:\Users\user\Desktop\b2.exe Code function: 12_2_01604800 12_2_01604800
Source: C:\Users\user\Desktop\b2.exe Code function: 12_2_01603EB8 12_2_01603EB8
Source: C:\Users\user\Desktop\b2.exe Code function: 12_2_016081C0 12_2_016081C0
Source: C:\Users\user\Desktop\b2.exe Code function: 12_2_01604710 12_2_01604710
Source: C:\Users\user\Desktop\b2.exe Code function: String function: 00BE2970 appears 61 times
Source: C:\Users\user\Desktop\b2.exe Code function: 0_2_00BED438 CreateProcessAsUserW, 0_2_00BED438
Source: b2.exe Binary or memory string: OriginalFilename vs b2.exe
Source: b2.exe, 00000000.00000002.533971800.0000000000C09000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs b2.exe
Source: b2.exe, 00000000.00000000.344905302.00000000004D8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename009273620200110_pdf.exe< vs b2.exe
Source: b2.exe Binary or memory string: OriginalFilename vs b2.exe
Source: b2.exe, 0000000C.00000000.513142471.0000000000E18000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename009273620200110_pdf.exe< vs b2.exe
Source: b2.exe, 0000000C.00000000.522653847.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHITvAreWBkWWDoLFBJGDIdpxGN.exe4 vs b2.exe
Source: b2.exe Binary or memory string: OriginalFilename009273620200110_pdf.exe< vs b2.exe
Source: b2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\b2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\b2.exe "C:\Users\user\Desktop\b2.exe"
Source: C:\Users\user\Desktop\b2.exe Process created: C:\Users\user\Desktop\b2.exe C:\Users\user\Desktop\b2.exe (listed twice)
Source: C:\Users\user\Desktop\b2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\b2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\b2.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b2.exe.log
Source: C:\Users\user\Desktop\b2.exe File created: C:\Users\user\AppData\Local\Temp\19f93e2a-4d97-4e0c-ade5-972e41ee6cf8
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\b2.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (listed twice)
Source: 12.0.b2.exe.400000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (listed twice)
Source: 12.0.b2.exe.400000.12.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (listed twice)
Source: 12.0.b2.exe.400000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (listed twice)
Source: C:\Users\user\Desktop\b2.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: b2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: f.dll.0.dr Static PE information: section name: .didat
Source: f.dll.0.dr Static PE information: section name: .00cfg
Source: initial sample Static PE information: section name: .text entropy: 7.42416946268
Source: C:\Users\user\Desktop\b2.exe File created: C:\Users\user\AppData\Local\Temp\19f93e2a-4d97-4e0c-ade5-972e41ee6cf8\f.dll
Source: C:\Users\user\Desktop\b2.exe Process information set: NOOPENFILEERRORBOX (listed 83 times)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\b2.exe RDTSC instruction interceptor: First address: 0000000072B81D36 second address: 0000000072B82A87 instructions:
    0x00000000 rdtsc
    0x00000002 mov dword ptr [ebp-10h], eax
    0x00000005 mov dword ptr [ebp-0Ch], edx
    0x00000008 mov eax, dword ptr [ebp-10h]
    0x0000000b sub eax, dword ptr [ebp-08h]
    0x0000000e mov edx, dword ptr [ebp-0Ch]
    0x00000011 sbb edx, dword ptr [ebp-04h]
    0x00000014 pop edi
    0x00000015 pop esi
    0x00000016 pop ebx
    0x00000017 mov esp, ebp
    0x00000019 pop ebp
    0x0000001a ret
    0x0000001b mov dword ptr [72B953C0h], eax
    0x00000020 mov dword ptr [72B953C4h], edx
    0x00000026 mov dword ptr [ebp-0Ch], 00000000h
    0x0000002d jmp 00007F76FCDA0DEBh
    0x0000002f mov eax, dword ptr [ebp-0Ch]
    0x00000032 cmp eax, dword ptr [ebp+08h]
    0x00000035 jnl 00007F76FCDA0E26h
    0x00000037 rdtsc
Source: C:\Users\user\Desktop\b2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\b2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\b2.exe TID: 6848 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\b2.exe TID: 6848 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\Desktop\b2.exe TID: 3268 Thread sleep count: 6199 > 30
Source: C:\Users\user\Desktop\b2.exe TID: 3268 Thread sleep count: 3585 > 30
Source: C:\Users\user\Desktop\b2.exe TID: 6440 Thread sleep count: 40 > 30
Source: C:\Users\user\Desktop\b2.exe TID: 6440 Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\Desktop\b2.exe TID: 4696 Thread sleep count: 3690 > 30
Source: C:\Users\user\Desktop\b2.exe TID: 4696 Thread sleep count: 6133 > 30
Source: C:\Users\user\Desktop\b2.exe Thread delayed: delay time: 922337203685477 (listed twice)
Source: C:\Users\user\Desktop\b2.exe Window / User API: threadDelayed 6199
Source: C:\Users\user\Desktop\b2.exe Window / User API: threadDelayed 3585
Source: C:\Users\user\Desktop\b2.exe Window / User API: threadDelayed 3690
Source: C:\Users\user\Desktop\b2.exe Window / User API: threadDelayed 6133
Source: C:\Users\user\Desktop\b2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\b2.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\b2.exe Thread delayed: delay time: 922337203685477 (listed twice)
Source: C:\Users\user\Desktop\b2.exe Process token adjusted: Debug (listed twice)
Source: C:\Users\user\Desktop\b2.exe Memory allocated: page read and write | page guard
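The RDTSC interceptor line at the top of this section dumps the code around the timing check: the 64-bit counter in edx:eax is stored to the stack, the earlier sample is subtracted with a sub/sbb pair, the delta is written to two globals, and a counter compared against a function argument (cmp eax, [ebp+08h] / jnl) loops back to another rdtsc, so the counter is sampled repeatedly. Below is an added example, not part of the Joe Sandbox report, that parses that kind of listing and recognises the idiom so the hit can be triaged automatically. SAMPLE_LISTING is the report's own listing copied as a constructed sample; the eight-instruction look-ahead window and the mnemonic heuristics are this example's assumptions.

```python
"""Recognise the rdtsc timing-check idiom in a sandbox instruction dump.

Added example for this report, not Joe Sandbox tooling. SAMPLE_LISTING is
the report's RDTSC interceptor listing copied as a constructed sample; the
look-ahead window and the mnemonic heuristics are assumptions made here.
"""
import re
from typing import Dict, List, NamedTuple

SAMPLE_LISTING = (
    "0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-10h], eax "
    "0x00000005 mov dword ptr [ebp-0Ch], edx 0x00000008 mov eax, dword ptr [ebp-10h] "
    "0x0000000b sub eax, dword ptr [ebp-08h] 0x0000000e mov edx, dword ptr [ebp-0Ch] "
    "0x00000011 sbb edx, dword ptr [ebp-04h] 0x00000014 pop edi 0x00000015 pop esi "
    "0x00000016 pop ebx 0x00000017 mov esp, ebp 0x00000019 pop ebp 0x0000001a ret "
    "0x0000001b mov dword ptr [72B953C0h], eax 0x00000020 mov dword ptr [72B953C4h], edx "
    "0x00000026 mov dword ptr [ebp-0Ch], 00000000h 0x0000002d jmp 00007F76FCDA0DEBh "
    "0x0000002f mov eax, dword ptr [ebp-0Ch] 0x00000032 cmp eax, dword ptr [ebp+08h] "
    "0x00000035 jnl 00007F76FCDA0E26h 0x00000037 rdtsc"
)


class Insn(NamedTuple):
    offset: int
    mnemonic: str
    operands: str


# Every instruction starts with an 8-digit 0x offset, and operands in this dump use
# the trailing-'h' form rather than a 0x prefix, so that token is a safe split point.
SPLIT_RE = re.compile(r"\s*(?=0x[0-9a-fA-F]{8}\s)")
INSN_RE = re.compile(r"0x([0-9a-fA-F]{8})\s+(\w+)\s*(.*)")


def parse_listing(text: str) -> List[Insn]:
    """Split the one-line dump into (offset, mnemonic, operands) records."""
    insns = []
    for chunk in SPLIT_RE.split(text.strip()):
        m = INSN_RE.fullmatch(chunk.strip())
        if m:  # empty chunks produced by the zero-width split are skipped here
            insns.append(Insn(int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()))
    return insns


def analyse_rdtsc(insns: List[Insn], window: int = 8) -> Dict[str, object]:
    """Flag rdtsc results that are stored and then differenced (sub on eax, sbb on
    edx) within `window` instructions, and rdtsc reads that sit directly behind a
    conditional jump, which means the counter is re-read in a loop."""
    rdtsc_at = [i for i, ins in enumerate(insns) if ins.mnemonic == "rdtsc"]
    delta_sites = []
    for i in rdtsc_at:
        after = insns[i + 1:i + 1 + window]
        stored_lo = any(x.mnemonic == "mov" and x.operands.endswith(", eax") for x in after)
        stored_hi = any(x.mnemonic == "mov" and x.operands.endswith(", edx") for x in after)
        diff_lo = any(x.mnemonic == "sub" and x.operands.startswith("eax,") for x in after)
        diff_hi = any(x.mnemonic == "sbb" and x.operands.startswith("edx,") for x in after)
        if stored_lo and stored_hi and diff_lo and diff_hi:
            delta_sites.append(insns[i].offset)
    in_loop = any(
        x.mnemonic.startswith("j") and x.mnemonic != "jmp"
        for i in rdtsc_at for x in insns[max(0, i - 3):i]
    )
    return {"rdtsc_count": len(rdtsc_at), "delta_sites": delta_sites, "sampled_in_loop": in_loop}
```

A 64-bit delta (sub plus sbb) taken in a loop is the signature of a real timing measurement rather than an incidental rdtsc; a single rdtsc with no subtraction nearby is usually a seed or a benign profiling read and does not deserve the same attention.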

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\b2.exe Memory written: C:\Users\user\Desktop\b2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\b2.exe Process created: C:\Users\user\Desktop\b2.exe C:\Users\user\Desktop\b2.exe
Source: C:\Users\user\Desktop\b2.exe Queries volume information: C:\Users\user\Desktop\b2.exe VolumeInformation
Source: C:\Users\user\Desktop\b2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\b2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
Source: C:\Users\user\Desktop\b2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\b2.exe Queries volume information: C:\Users\user\Desktop\b2.exe VolumeInformation
Source: C:\Users\user\Desktop\b2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\b2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\b2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\b2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\b2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\b2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\b2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
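The evasion entries above (the effectively infinite thread delay, the threadDelayed call counts, the Win32_Processor WMI query, the Debug token adjustment) and the injection entries in this block (an MZ header written at base 400000 into a second copy of b2.exe that the sample itself created, followed by the MachineGuid read) can be pulled out of the raw behaviour lines automatically. The following Python is an added example and is not part of the Joe Sandbox report or of any sandbox tooling; it parses behaviour lines copied from the report and tags the indicators. The tag names, the call-count threshold of 1000, and the reading of 922337203685477 as .NET TimeSpan.MaxValue in milliseconds (it equals Int64.MaxValue divided by the 10000 ticks per millisecond) are this example's own choices.

```python
import re
from collections import defaultdict

# Behaviour lines copied from the report above (constructed input for this
# example; the report's trailing "Jump to behavior" link text is dropped).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\b2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\b2.exe Window / User API: threadDelayed 6199
Source: C:\Users\user\Desktop\b2.exe Window / User API: threadDelayed 3585
Source: C:\Users\user\Desktop\b2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\b2.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\b2.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\b2.exe Memory written: C:\Users\user\Desktop\b2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\b2.exe Process created: C:\Users\user\Desktop\b2.exe C:\Users\user\Desktop\b2.exe
Source: C:\Users\user\Desktop\b2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
""".strip().splitlines()

# floor(Int64.MaxValue / 10000 ticks per ms) == 922337203685477: the value in
# the report is .NET TimeSpan.MaxValue in milliseconds, i.e. an effectively
# infinite wait rather than a timed sleep (this example's interpretation).
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000      # the report's own ">= 3 min" long-sleep bar
USER_API_LOOP_MIN = 1000           # assumed: call counts above this look like a loop
VM_WMI_CLASSES = {"Win32_Processor", "Win32_Bios", "Win32_BaseBoard",
                  "Win32_NetworkAdapter"}   # classes the report treats as VM checks
FINGERPRINT_VALUES = {"MachineGuid"}        # stable per-install host identifier

RE_SOURCE = re.compile(
    r"^Source:\s+(?P<src>.+?)\s+"
    r"(?P<event>Thread delayed|Window / User API|WMI Queries|Process token adjusted"
    r"|Memory written|Process created|Key value queried):\s*(?P<detail>.*)$")
RE_MEMWRITE = re.compile(
    r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)$")


def parse(lines):
    """Split each 'Source: <proc> <event>: <detail>' line into its three parts."""
    events = []
    for line in lines:
        m = RE_SOURCE.match(line.strip())
        if m:
            events.append((m.group("src"), m.group("event"), m.group("detail")))
    return events


def triage(lines):
    """Return {tag: [evidence, ...]} for the evasion and injection indicators."""
    events = parse(lines)
    findings = defaultdict(list)
    # Pass 1: which (parent, child image) pairs did the sample spawn?  Needed
    # because the report lists the memory write before the process creation.
    spawned = {(src.lower(), detail.split()[0].lower())
               for src, event, detail in events if event == "Process created" and detail}
    # Pass 2: tag each event.
    for src, event, detail in events:
        if event == "Thread delayed":
            ms = int(detail.rsplit(None, 1)[-1])
            if ms == DOTNET_TIMESPAN_MAX_MS:
                findings["sleep_infinite_dotnet"].append(detail)
            elif ms >= LONG_SLEEP_MS:
                findings["sleep_long"].append(detail)
        elif event == "Window / User API":
            name, count = detail.rsplit(None, 1)
            if name == "threadDelayed" and int(count) >= USER_API_LOOP_MIN:
                findings["user_api_delay_loop"].append(detail)
        elif event == "WMI Queries":
            wmi_class = detail.rsplit(None, 1)[-1]
            if wmi_class in VM_WMI_CLASSES:
                findings["wmi_vm_fingerprint"].append(wmi_class)
        elif event == "Process token adjusted" and detail == "Debug":
            findings["se_debug_privilege"].append(src)   # AdjustTokenPrivileges(SeDebugPrivilege)
        elif event == "Process created":
            parts = detail.split()
            if parts and parts[0].lower() == src.lower():
                findings["self_respawn"].append(parts[0])  # second copy of itself: hollowing target
        elif event == "Memory written":
            w = RE_MEMWRITE.match(detail)
            if w and w.group("magic").upper().startswith("4D5A"):   # "MZ": a PE header
                target, base = w.group("target"), int(w.group("base"), 16)
                tag = ("pe_written_into_spawned_process"
                       if (src.lower(), target.lower()) in spawned else "pe_written_into_process")
                findings[tag].append(f"{target} @ {base:#x}")
        elif event == "Key value queried":
            value = detail.rsplit(None, 1)[-1]
            if value in FINGERPRINT_VALUES:
                findings["host_fingerprint_registry"].append(value)
    return dict(findings)


if __name__ == "__main__":
    for tag, evidence in sorted(triage(REPORT_LINES).items()):
        print(f"{tag:32} {evidence}")
```

The two-pass structure matters: the MZ write at 400000 only becomes a hollowing indicator once it is correlated with the Process created entry for the same image, and the report orders those two lines the other way round. Run against the lines above, the script yields one infinite sleep, two delay-loop counts, one VM-fingerprinting WMI class, the SeDebugPrivilege adjustment, the self-respawn, the PE write into that spawned copy, and the MachineGuid read.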

Stealing of Sensitive Information

Source: Yara match File source: 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: b2.exe PID: 7148, type: MEMORYSTR
Source: Yara match File source: 12.0.b2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.b2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.522653847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.613014718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.523738264.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.523078417.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.522219203.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: b2.exe PID: 7148, type: MEMORYSTR
Source: Yara match File source: 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: b2.exe PID: 7148, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: b2.exe PID: 7148, type: MEMORYSTR
Source: Yara match File source: 12.0.b2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.b2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.522653847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.613014718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.523738264.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.523078417.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.522219203.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: b2.exe PID: 7148, type: MEMORYSTR
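Every Yara hit in the two signature blocks above names a memory artefact, and the dump identifiers encode where in the sample's address space the rule matched. The following Python is an added example and is not part of the Joe Sandbox report; it parses match sources copied from the blocks above and groups them by process and region so an analyst can decide which artefact to pull. The reading of the dump-name fields (8-hex-digit process index, stage, snapshot number, 16-hex-digit base address, then a PAGE_* protection field and a MEM_* type field) and the reading of the highest stage as the end-of-execution snapshot are this example's assumptions about the naming scheme, not documented facts.

```python
import re
from collections import defaultdict

# Match sources copied from the report above (constructed input; the lines the
# report repeats across its signature groups appear once each here).
YARA_SOURCES = """
Source: Yara match File source: 0000000C.00000002.615030457.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: b2.exe PID: 7148, type: MEMORYSTR
Source: Yara match File source: 12.0.b2.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.b2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.b2.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.522653847.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.613014718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.523738264.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
""".strip().splitlines()

# Win32 memory constants.  Treating the 5th and 7th dump-name fields as PAGE_*
# protection and MEM_* type is this example's assumption about the naming.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

PREFIX = "Source: Yara match File source: "
RE_SDMP = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<snap>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
RE_UNPACK = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.(?P<idx>\d+)\.unpack$")
RE_MEMSTR = re.compile(r"^Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+)$")


def parse_source(line):
    """Decode one '<name>, type: <kind>' match source into a flat record."""
    line = line.strip()
    if line.startswith(PREFIX):
        line = line[len(PREFIX):]
    name, _, kind = line.rpartition(", type: ")
    if kind == "MEMORY" and (m := RE_SDMP.match(name)):
        return {"kind": kind, "proc": int(m["proc"], 16), "stage": int(m["stage"], 16),
                "base": int(m["base"], 16),
                "protect": PAGE_PROTECT.get(int(m["protect"], 16), m["protect"]),
                "mtype": MEM_TYPE.get(int(m["mtype"], 16), m["mtype"]), "name": name}
    if kind == "UNPACKEDPE" and (m := RE_UNPACK.match(name)):
        return {"kind": kind, "proc": int(m["proc"]), "stage": int(m["stage"]),
                "image": m["image"], "base": int(m["base"], 16), "idx": int(m["idx"]),
                "name": name}
    if kind == "MEMORYSTR" and (m := RE_MEMSTR.match(name)):
        return {"kind": kind, "image": m["image"], "pid": int(m["pid"]), "name": name}
    raise ValueError(f"unrecognised match source: {line!r}")


def summarize(lines):
    """Group the match sources by process, memory region and unpacked image."""
    records = [parse_source(line) for line in lines]
    regions = defaultdict(set)      # (base, protect, type) -> stages it was dumped at
    unpacked = set()
    for r in records:
        if r["kind"] == "MEMORY":
            regions[(r["base"], r["protect"], r["mtype"])].add(r["stage"])
        elif r["kind"] == "UNPACKEDPE":
            unpacked.add((r["proc"], r["stage"], r["base"]))
    return {
        "processes": sorted({r["proc"] for r in records if "proc" in r}),
        "pids": sorted({r["pid"] for r in records if "pid" in r}),
        "regions": {k: sorted(v) for k, v in regions.items()},
        "unpacked_images": sorted(unpacked),
    }


def final_unpack(lines):
    """Name of the unpacked PE from the highest stage (assumed here to be the
    end-of-execution snapshot: the payload as it ran, not as first written)."""
    pes = [r for r in map(parse_source, lines) if r["kind"] == "UNPACKEDPE"]
    return max(pes, key=lambda r: (r["stage"], -r["idx"]))["name"]


if __name__ == "__main__":
    for key, value in summarize(YARA_SOURCES).items():
        print(f"{key:16} {value}")
    print("pull for static analysis:", final_unpack(YARA_SOURCES))
```

On this report every hit lands in process index 12 (0x0000000C): a private RWX region at 0x402000 that is present from the first dump to the last, and a private RW region at 0x34D1000 seen only at the end. Under the field reading above that is consistent with the Memory written entry earlier in the report, which records an MZ header being written at 400000 into the respawned b2.exe: a manually written image shows up as MEM_PRIVATE rather than MEM_IMAGE. The single stage-2 artefact, 12.2.b2.exe.400000.0.unpack, is therefore the one to take for static analysis and configuration extraction.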
No contacted IP infos