Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Raeue.exe

Overview

General Information

Sample Name:Raeue.exe
Analysis ID:626539
MD5:47d09683fc102a85a7dea2516ca81fa3
SHA1:f64cc824abd8804458c3f31f06c16d0bec9338dd
SHA256:848ce511daf9046ab1ab3bed080d5c20bdeb3fd0bebc016fc3af70b892ebb5c9
Tags:agentteslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: MSBuild connects to smtp port
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Raeue.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\Raeue.exe" MD5: 47D09683FC102A85A7DEA2516CA81FA3)
    • cmd.exe (PID: 7028 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7076 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 7120 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7164 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 5812 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5260 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 5228 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6384 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6436 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6476 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 2972 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 2948 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 4756 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 4592 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 4180 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6292 cmdline: timeout /t 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6944 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)