Edit tour

Windows Analysis Report
2C01EPgbbjrSPr7.exe

Overview

General Information

Sample Name:	2C01EPgbbjrSPr7.exe
Analysis ID:	626545
MD5:	dc6c55fee2366dee1d9c502bf061a8dc
SHA1:	609b99bc51ea6e1512d4aa1636a4586d2f6b29d6
SHA256:	99c52b9d5bcaa8af4bae268f70a39b94c0b2879dfed2cbdabd25c6fef5ff2258
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Modifies the hosts file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Yara detected Generic Downloader

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to detect virtual machines (SGDT)

Classification

Process Tree

System is w10x64

2C01EPgbbjrSPr7.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\2C01EPgbbjrSPr7.exe" MD5: DC6C55FEE2366DEE1D9C502BF061A8DC)

RegSvcs.exe (PID: 6108 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "leakkim@dtvcambodia.com", "Password": "@DTVcambodia2017", "Host": "mail.dtvcambodia.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.507717756.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.507717756.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.279997636.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.279997636.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.279367854.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.279367854.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.286333778.000000000403F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.286333778.000000000403F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.280271675.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.280271675.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.279715834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.279715834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.509894637.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30a74:$s10: logins 0x30da70:$s11: credential 0x1e7f:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x29c3:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1cf7:$m4: %startupfolder%\%insfolder%\%insname%/\%insfolder%\Software\Microsoft\Windows\CurrentVersion\Run%insregname%SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunTruehttp 0x1fa0:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: 2C01EPgbbjrSPr7.exe PID: 6992	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 2C01EPgbbjrSPr7.exe PID: 6992	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 6108	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6108	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6108	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x1f728:$s1: get_kbok 0x3afe0:$s1: get_kbok 0x1ffa8:$s2: get_CHoo 0x3b860:$s2: get_CHoo 0x20b5b:$s3: set_passwordIsSet 0x3c413:$s3: set_passwordIsSet 0x1f5d4:$s4: get_enableLog 0x3ae8c:$s4: get_enableLog 0x1ea46:$g1: get_Clipboard 0x3a2fe:$g1: get_Clipboard 0x1ea54:$g2: get_Keyboard 0x3a30c:$g2: get_Keyboard 0x1ea61:$g3: get_Password 0x3a319:$g3: get_Password 0x1fe82:$g4: get_CtrlKeyDown 0x3b73a:$g4: get_CtrlKeyDown 0x1fe92:$g5: get_ShiftKeyDown 0x3b74a:$g5: get_ShiftKeyDown 0x1fea3:$g6: get_AltKeyDown 0x3b75b:$g6: get_AltKeyDown 0x7522:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dc2:$s1: get_kbok 0x316f6:$s2: get_CHoo 0x32369:$s3: set_passwordIsSet 0x30bc6:$s4: get_enableLog 0x3529a:$s8: torbrowser 0x33c76:$s10: logins 0x335f5:$s11: credential 0x2ffbb:$g1: get_Clipboard 0x2ffc9:$g2: get_Keyboard 0x2ffd6:$g3: get_Password 0x315a4:$g4: get_CtrlKeyDown 0x315b4:$g5: get_ShiftKeyDown 0x315c5:$g6: get_AltKeyDown
4.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.RegSvcs.exe.400000.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dc2:$s1: get_kbok 0x316f6:$s2: get_CHoo 0x32369:$s3: set_passwordIsSet 0x30bc6:$s4: get_enableLog 0x3529a:$s8: torbrowser 0x33c76:$s10: logins 0x335f5:$s11: credential 0x2ffbb:$g1: get_Clipboard 0x2ffc9:$g2: get_Keyboard 0x2ffd6:$g3: get_Password 0x315a4:$g4: get_CtrlKeyDown 0x315b4:$g5: get_ShiftKeyDown 0x315c5:$g6: get_AltKeyDown
4.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dc2:$s1: get_kbok 0x316f6:$s2: get_CHoo 0x32369:$s3: set_passwordIsSet 0x30bc6:$s4: get_enableLog 0x3529a:$s8: torbrowser 0x33c76:$s10: logins 0x335f5:$s11: credential 0x2ffbb:$g1: get_Clipboard 0x2ffc9:$g2: get_Keyboard 0x2ffd6:$g3: get_Password 0x315a4:$g4: get_CtrlKeyDown 0x315b4:$g5: get_ShiftKeyDown 0x315c5:$g6: get_AltKeyDown
0.2.2C01EPgbbjrSPr7.exe.41888c8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2C01EPgbbjrSPr7.exe.41888c8.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.2C01EPgbbjrSPr7.exe.41888c8.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2efc2:$s1: get_kbok 0x2f8f6:$s2: get_CHoo 0x30569:$s3: set_passwordIsSet 0x2edc6:$s4: get_enableLog 0x3349a:$s8: torbrowser 0x31e76:$s10: logins 0x317f5:$s11: credential 0x2e1bb:$g1: get_Clipboard 0x2e1c9:$g2: get_Keyboard 0x2e1d6:$g3: get_Password 0x2f7a4:$g4: get_CtrlKeyDown 0x2f7b4:$g5: get_ShiftKeyDown 0x2f7c5:$g6: get_AltKeyDown
4.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.RegSvcs.exe.400000.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dc2:$s1: get_kbok 0x316f6:$s2: get_CHoo 0x32369:$s3: set_passwordIsSet 0x30bc6:$s4: get_enableLog 0x3529a:$s8: torbrowser 0x33c76:$s10: logins 0x335f5:$s11: credential 0x2ffbb:$g1: get_Clipboard 0x2ffc9:$g2: get_Keyboard 0x2ffd6:$g3: get_Password 0x315a4:$g4: get_CtrlKeyDown 0x315b4:$g5: get_ShiftKeyDown 0x315c5:$g6: get_AltKeyDown
4.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.RegSvcs.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dc2:$s1: get_kbok 0x316f6:$s2: get_CHoo 0x32369:$s3: set_passwordIsSet 0x30bc6:$s4: get_enableLog 0x3529a:$s8: torbrowser 0x33c76:$s10: logins 0x335f5:$s11: credential 0x2ffbb:$g1: get_Clipboard 0x2ffc9:$g2: get_Keyboard 0x2ffd6:$g3: get_Password 0x315a4:$g4: get_CtrlKeyDown 0x315b4:$g5: get_ShiftKeyDown 0x315c5:$g6: get_AltKeyDown
4.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.RegSvcs.exe.400000.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dc2:$s1: get_kbok 0x316f6:$s2: get_CHoo 0x32369:$s3: set_passwordIsSet 0x30bc6:$s4: get_enableLog 0x3529a:$s8: torbrowser 0x33c76:$s10: logins 0x335f5:$s11: credential 0x2ffbb:$g1: get_Clipboard 0x2ffc9:$g2: get_Keyboard 0x2ffd6:$g3: get_Password 0x315a4:$g4: get_CtrlKeyDown 0x315b4:$g5: get_ShiftKeyDown 0x315c5:$g6: get_AltKeyDown
0.2.2C01EPgbbjrSPr7.exe.41888c8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.2C01EPgbbjrSPr7.exe.41888c8.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.2C01EPgbbjrSPr7.exe.41888c8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.2C01EPgbbjrSPr7.exe.41888c8.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dc2:$s1: get_kbok 0x66de2:$s1: get_kbok 0x316f6:$s2: get_CHoo 0x67716:$s2: get_CHoo 0x32369:$s3: set_passwordIsSet 0x68389:$s3: set_passwordIsSet 0x30bc6:$s4: get_enableLog 0x66be6:$s4: get_enableLog 0x3529a:$s8: torbrowser 0x6b2ba:$s8: torbrowser 0x33c76:$s10: logins 0x69c96:$s10: logins 0x335f5:$s11: credential 0x69615:$s11: credential 0x2ffbb:$g1: get_Clipboard 0x65fdb:$g1: get_Clipboard 0x2ffc9:$g2: get_Keyboard 0x65fe9:$g2: get_Keyboard 0x2ffd6:$g3: get_Password 0x65ff6:$g3: get_Password 0x315a4:$g4: get_CtrlKeyDown
Click to see the 26 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.0.RegSvcs.exe.400000.2.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "leakkim@dtvcambodia.com", "Password": "@DTVcambodia2017", "Host": "mail.dtvcambodia.com"}

Multi AV Scanner detection for submitted file

Source: 2C01EPgbbjrSPr7.exe	Virustotal: Detection: 32%			Perma Link
Source: 2C01EPgbbjrSPr7.exe	ReversingLabs: Detection: 61%

Machine Learning detection for sample

Source: 2C01EPgbbjrSPr7.exe

Joe Sandbox ML: detected

Source: 4.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.3.unpack	Avira: Label: TR/Spy.Gen8

Source: 2C01EPgbbjrSPr7.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 2C01EPgbbjrSPr7.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
2C01EPgbbjrSPr7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2C01EPgbbjrSPr7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Windows Analysis Report
2C01EPgbbjrSPr7.exe