Edit tour

Windows Analysis Report
From Richard.exe

Overview

General Information

Sample Name:	From Richard.exe
Analysis ID:	626543
MD5:	fa530d1cf018a5cc8c8215344b09d2f7
SHA1:	bbd46bf5bead0b503ce045e5d5a856745bca49b9
SHA256:	fe581076f8a8cd90b93b2bca8fde7fa8008c2c1c0962fc0282f785354fcda4a4
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

From Richard.exe (PID: 6432 cmdline: "C:\Users\user\Desktop\From Richard.exe" MD5: FA530D1CF018A5CC8C8215344B09D2F7)

From Richard.exe (PID: 6732 cmdline: C:\Users\user\Desktop\From Richard.exe MD5: FA530D1CF018A5CC8C8215344B09D2F7)

From Richard.exe (PID: 6740 cmdline: C:\Users\user\Desktop\From Richard.exe MD5: FA530D1CF018A5CC8C8215344B09D2F7)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "btc@imfalert.com", "Password": "dontgiveup@2022", "Host": "mail.imfalert.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000000.271694098.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.271694098.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.271208855.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.271208855.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.508749383.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.508749383.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.270510923.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.270510923.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.270879293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.270879293.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.277272933.0000000003481000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.281354781.00000000045DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.281354781.00000000045DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: From Richard.exe PID: 6432	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: From Richard.exe PID: 6432	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: From Richard.exe PID: 6740	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: From Richard.exe PID: 6740	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.From Richard.exe.400000.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.From Richard.exe.400000.12.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.From Richard.exe.400000.12.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b21:$s10: logins 0x32588:$s11: credential 0x2eb72:$g1: get_Clipboard 0x2eb80:$g2: get_Keyboard 0x2eb8d:$g3: get_Password 0x2fe91:$g4: get_CtrlKeyDown 0x2fea1:$g5: get_ShiftKeyDown 0x2feb2:$g6: get_AltKeyDown
5.2.From Richard.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.From Richard.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.From Richard.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b21:$s10: logins 0x32588:$s11: credential 0x2eb72:$g1: get_Clipboard 0x2eb80:$g2: get_Keyboard 0x2eb8d:$g3: get_Password 0x2fe91:$g4: get_CtrlKeyDown 0x2fea1:$g5: get_ShiftKeyDown 0x2feb2:$g6: get_AltKeyDown
5.0.From Richard.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.From Richard.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.From Richard.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b21:$s10: logins 0x32588:$s11: credential 0x2eb72:$g1: get_Clipboard 0x2eb80:$g2: get_Keyboard 0x2eb8d:$g3: get_Password 0x2fe91:$g4: get_CtrlKeyDown 0x2fea1:$g5: get_ShiftKeyDown 0x2feb2:$g6: get_AltKeyDown
5.0.From Richard.exe.400000.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.From Richard.exe.400000.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.From Richard.exe.400000.10.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b21:$s10: logins 0x32588:$s11: credential 0x2eb72:$g1: get_Clipboard 0x2eb80:$g2: get_Keyboard 0x2eb8d:$g3: get_Password 0x2fe91:$g4: get_CtrlKeyDown 0x2fea1:$g5: get_ShiftKeyDown 0x2feb2:$g6: get_AltKeyDown
5.0.From Richard.exe.400000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.From Richard.exe.400000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.From Richard.exe.400000.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b21:$s10: logins 0x32588:$s11: credential 0x2eb72:$g1: get_Clipboard 0x2eb80:$g2: get_Keyboard 0x2eb8d:$g3: get_Password 0x2fe91:$g4: get_CtrlKeyDown 0x2fea1:$g5: get_ShiftKeyDown 0x2feb2:$g6: get_AltKeyDown
0.2.From Richard.exe.46b62b0.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.From Richard.exe.46b62b0.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.From Richard.exe.46b62b0.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d21:$s10: logins 0x30788:$s11: credential 0x2cd72:$g1: get_Clipboard 0x2cd80:$g2: get_Keyboard 0x2cd8d:$g3: get_Password 0x2e091:$g4: get_CtrlKeyDown 0x2e0a1:$g5: get_ShiftKeyDown 0x2e0b2:$g6: get_AltKeyDown
0.2.From Richard.exe.47058b0.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.From Richard.exe.47058b0.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.From Richard.exe.47058b0.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xb8541:$s10: logins 0xec961:$s10: logins 0xb7fa8:$s11: credential 0xec3c8:$s11: credential 0xb4592:$g1: get_Clipboard 0xe89b2:$g1: get_Clipboard 0xb45a0:$g2: get_Keyboard 0xe89c0:$g2: get_Keyboard 0xb45ad:$g3: get_Password 0xe89cd:$g3: get_Password 0xb58b1:$g4: get_CtrlKeyDown 0xe9cd1:$g4: get_CtrlKeyDown 0xb58c1:$g5: get_ShiftKeyDown 0xe9ce1:$g5: get_ShiftKeyDown 0xb58d2:$g6: get_AltKeyDown 0xe9cf2:$g6: get_AltKeyDown
0.2.From Richard.exe.47058b0.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x47f43:$s1: file:/// 0x47e53:$s2: {11111-22222-10009-11112} 0x47ed3:$s3: {11111-22222-50001-00000} 0x458fe:$s4: get_Module 0x45d6d:$s5: Reverse 0xb4b19:$s5: Reverse 0xe8f39:$s5: Reverse 0x47a27:$s6: BlockCopy 0xb69c7:$s6: BlockCopy 0xeade7:$s6: BlockCopy 0xb4dba:$s7: ReadByte 0xe91da:$s7: ReadByte 0x47f55:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
5.0.From Richard.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.From Richard.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.From Richard.exe.400000.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b21:$s10: logins 0x32588:$s11: credential 0x2eb72:$g1: get_Clipboard 0x2eb80:$g2: get_Keyboard 0x2eb8d:$g3: get_Password 0x2fe91:$g4: get_CtrlKeyDown 0x2fea1:$g5: get_ShiftKeyDown 0x2feb2:$g6: get_AltKeyDown
0.2.From Richard.exe.46b62b0.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.From Richard.exe.46b62b0.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.From Richard.exe.46b62b0.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b21:$s10: logins 0x107b41:$s10: logins 0x13bf61:$s10: logins 0x32588:$s11: credential 0x1075a8:$s11: credential 0x13b9c8:$s11: credential 0x2eb72:$g1: get_Clipboard 0x103b92:$g1: get_Clipboard 0x137fb2:$g1: get_Clipboard 0x2eb80:$g2: get_Keyboard 0x103ba0:$g2: get_Keyboard 0x137fc0:$g2: get_Keyboard 0x2eb8d:$g3: get_Password 0x103bad:$g3: get_Password 0x137fcd:$g3: get_Password 0x2fe91:$g4: get_CtrlKeyDown 0x104eb1:$g4: get_CtrlKeyDown 0x1392d1:$g4: get_CtrlKeyDown 0x2fea1:$g5: get_ShiftKeyDown 0x104ec1:$g5: get_ShiftKeyDown 0x1392e1:$g5: get_ShiftKeyDown
0.2.From Richard.exe.46b62b0.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x97543:$s1: file:/// 0x97453:$s2: {11111-22222-10009-11112} 0x974d3:$s3: {11111-22222-50001-00000} 0x94efe:$s4: get_Module 0x2f0f9:$s5: Reverse 0x9536d:$s5: Reverse 0x104119:$s5: Reverse 0x138539:$s5: Reverse 0x30fa7:$s6: BlockCopy 0x97027:$s6: BlockCopy 0x105fc7:$s6: BlockCopy 0x13a3e7:$s6: BlockCopy 0x2f39a:$s7: ReadByte 0x1043ba:$s7: ReadByte 0x1387da:$s7: ReadByte 0x97555:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.From Richard.exe.467fe90.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.From Richard.exe.467fe90.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.From Richard.exe.467fe90.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x68f41:$s10: logins 0x13df61:$s10: logins 0x172381:$s10: logins 0x689a8:$s11: credential 0x13d9c8:$s11: credential 0x171de8:$s11: credential 0x64f92:$g1: get_Clipboard 0x139fb2:$g1: get_Clipboard 0x16e3d2:$g1: get_Clipboard 0x64fa0:$g2: get_Keyboard 0x139fc0:$g2: get_Keyboard 0x16e3e0:$g2: get_Keyboard 0x64fad:$g3: get_Password 0x139fcd:$g3: get_Password 0x16e3ed:$g3: get_Password 0x662b1:$g4: get_CtrlKeyDown 0x13b2d1:$g4: get_CtrlKeyDown 0x16f6f1:$g4: get_CtrlKeyDown 0x662c1:$g5: get_ShiftKeyDown 0x13b2e1:$g5: get_ShiftKeyDown 0x16f701:$g5: get_ShiftKeyDown
0.2.From Richard.exe.467fe90.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xcd963:$s1: file:/// 0xcd873:$s2: {11111-22222-10009-11112} 0xcd8f3:$s3: {11111-22222-50001-00000} 0xcb31e:$s4: get_Module 0x65519:$s5: Reverse 0xcb78d:$s5: Reverse 0x13a539:$s5: Reverse 0x16e959:$s5: Reverse 0x673c7:$s6: BlockCopy 0xcd447:$s6: BlockCopy 0x13c3e7:$s6: BlockCopy 0x170807:$s6: BlockCopy 0x657ba:$s7: ReadByte 0x13a7da:$s7: ReadByte 0x16ebfa:$s7: ReadByte 0xcd975:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.From Richard.exe.34dbc04.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.From Richard.exe.34dbc04.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2489c2:$v1: SbieDll.dll 0x2489dc:$v2: USER 0x2489e8:$v3: SANDBOX 0x2489fa:$v4: VIRUS 0x248a4a:$v4: VIRUS 0x248a08:$v5: MALWARE 0x248a1a:$v6: SCHMIDTI 0x248a2e:$v7: CURRENTUSER
0.2.From Richard.exe.34e7e50.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.From Richard.exe.34e7e50.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x23c776:$v1: SbieDll.dll 0x23c790:$v2: USER 0x23c79c:$v3: SANDBOX 0x23c7ae:$v4: VIRUS 0x23c7fe:$v4: VIRUS 0x23c7bc:$v5: MALWARE 0x23c7ce:$v6: SCHMIDTI 0x23c7e2:$v7: CURRENTUSER
0.2.From Richard.exe.34d49b8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.From Richard.exe.34d49b8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x24fc0e:$v1: SbieDll.dll 0x24fc28:$v2: USER 0x24fc34:$v3: SANDBOX 0x24fc46:$v4: VIRUS 0x24fc96:$v4: VIRUS 0x24fc54:$v5: MALWARE 0x24fc66:$v6: SCHMIDTI 0x24fc7a:$v7: CURRENTUSER
Click to see the 34 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.0.From Richard.exe.400000.12.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "btc@imfalert.com", "Password": "dontgiveup@2022", "Host": "mail.imfalert.com"}

Multi AV Scanner detection for submitted file

Source: From Richard.exe	Virustotal: Detection: 49%			Perma Link
Source: From Richard.exe	ReversingLabs: Detection: 46%

Machine Learning detection for sample

Source: From Richard.exe

Joe Sandbox ML: detected

Source: 5.0.From Richard.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.2.From Richard.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.From Richard.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.From Richard.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.From Richard.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.From Richard.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
From Richard.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report From Richard.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Windows Analysis Report
From Richard.exe