Edit tour

Windows Analysis Report
Outstanding Balance.exe

Overview

General Information

Sample Name:	Outstanding Balance.exe
Analysis ID:	626553
MD5:	eddb51444437ebe5e42164dd30ea5759
SHA1:	dcac53c6badd60c7b042067d496b4e589eb3f49e
SHA256:	a1d11129a5202dec1927642f82f5d766217d8abfb00fa88c79e9266cbdcb4f08
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Modifies the hosts file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Outstanding Balance.exe (PID: 6512 cmdline: "C:\Users\user\Desktop\Outstanding Balance.exe" MD5: EDDB51444437EBE5E42164DD30EA5759)

powershell.exe (PID: 6900 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBKXRefcPdWgIF.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6916 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBKXRefcPdWgIF" /XML "C:\Users\user\AppData\Local\Temp\tmp2F3E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Outstanding Balance.exe (PID: 7068 cmdline: C:\Users\user\Desktop\Outstanding Balance.exe MD5: EDDB51444437EBE5E42164DD30EA5759)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "gm@ramcoadvanced.com", "Password": "Mohcomvet97373315", "Host": "a2plcpnl0484.prod.iad2.secureserver.net"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000000.278451114.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000000.278451114.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000008.00000002.504676152.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.504676152.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.282083109.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000000.279068177.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000000.279068177.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000008.00000000.277927770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000000.277927770.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000008.00000002.506715989.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.506715989.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000000.276115153.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000000.276115153.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.284064952.0000000004445000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.284064952.0000000004445000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: Outstanding Balance.exe PID: 6512	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Outstanding Balance.exe PID: 6512	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Outstanding Balance.exe PID: 7068	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Outstanding Balance.exe PID: 7068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Outstanding Balance.exe.45003d0.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Outstanding Balance.exe.45003d0.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Outstanding Balance.exe.45003d0.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30ea4:$s10: logins 0x3090b:$s11: credential 0x2ceda:$g1: get_Clipboard 0x2cee8:$g2: get_Keyboard 0x2cef5:$g3: get_Password 0x2e1e6:$g4: get_CtrlKeyDown 0x2e1f6:$g5: get_ShiftKeyDown 0x2e207:$g6: get_AltKeyDown
8.0.Outstanding Balance.exe.400000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.0.Outstanding Balance.exe.400000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.0.Outstanding Balance.exe.400000.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32ca4:$s10: logins 0x3270b:$s11: credential 0x2ecda:$g1: get_Clipboard 0x2ece8:$g2: get_Keyboard 0x2ecf5:$g3: get_Password 0x2ffe6:$g4: get_CtrlKeyDown 0x2fff6:$g5: get_ShiftKeyDown 0x30007:$g6: get_AltKeyDown
8.2.Outstanding Balance.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.Outstanding Balance.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.2.Outstanding Balance.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32ca4:$s10: logins 0x3270b:$s11: credential 0x2ecda:$g1: get_Clipboard 0x2ece8:$g2: get_Keyboard 0x2ecf5:$g3: get_Password 0x2ffe6:$g4: get_CtrlKeyDown 0x2fff6:$g5: get_ShiftKeyDown 0x30007:$g6: get_AltKeyDown
8.0.Outstanding Balance.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.0.Outstanding Balance.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.0.Outstanding Balance.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32ca4:$s10: logins 0x3270b:$s11: credential 0x2ecda:$g1: get_Clipboard 0x2ece8:$g2: get_Keyboard 0x2ecf5:$g3: get_Password 0x2ffe6:$g4: get_CtrlKeyDown 0x2fff6:$g5: get_ShiftKeyDown 0x30007:$g6: get_AltKeyDown
8.0.Outstanding Balance.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.0.Outstanding Balance.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.0.Outstanding Balance.exe.400000.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32ca4:$s10: logins 0x3270b:$s11: credential 0x2ecda:$g1: get_Clipboard 0x2ece8:$g2: get_Keyboard 0x2ecf5:$g3: get_Password 0x2ffe6:$g4: get_CtrlKeyDown 0x2fff6:$g5: get_ShiftKeyDown 0x30007:$g6: get_AltKeyDown
8.0.Outstanding Balance.exe.400000.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.0.Outstanding Balance.exe.400000.12.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.0.Outstanding Balance.exe.400000.12.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32ca4:$s10: logins 0x3270b:$s11: credential 0x2ecda:$g1: get_Clipboard 0x2ece8:$g2: get_Keyboard 0x2ecf5:$g3: get_Password 0x2ffe6:$g4: get_CtrlKeyDown 0x2fff6:$g5: get_ShiftKeyDown 0x30007:$g6: get_AltKeyDown
0.2.Outstanding Balance.exe.4475db0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Outstanding Balance.exe.4475db0.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Outstanding Balance.exe.4475db0.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xbd2c4:$s10: logins 0xf1ae4:$s10: logins 0x126104:$s10: logins 0xbcd2b:$s11: credential 0xf154b:$s11: credential 0x125b6b:$s11: credential 0xb92fa:$g1: get_Clipboard 0xedb1a:$g1: get_Clipboard 0x12213a:$g1: get_Clipboard 0xb9308:$g2: get_Keyboard 0xedb28:$g2: get_Keyboard 0x122148:$g2: get_Keyboard 0xb9315:$g3: get_Password 0xedb35:$g3: get_Password 0x122155:$g3: get_Password 0xba606:$g4: get_CtrlKeyDown 0xeee26:$g4: get_CtrlKeyDown 0x123446:$g4: get_CtrlKeyDown 0xba616:$g5: get_ShiftKeyDown 0xeee36:$g5: get_ShiftKeyDown 0x123456:$g5: get_ShiftKeyDown
0.2.Outstanding Balance.exe.4475db0.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x481a3:$s1: file:/// 0x480b3:$s2: {11111-22222-10009-11112} 0x48133:$s3: {11111-22222-50001-00000} 0x45b5d:$s4: get_Module 0x45fcc:$s5: Reverse 0xb9863:$s5: Reverse 0xee083:$s5: Reverse 0x1226a3:$s5: Reverse 0x47c86:$s6: BlockCopy 0xbb73a:$s6: BlockCopy 0xeff5a:$s6: BlockCopy 0x12457a:$s6: BlockCopy 0xb9b04:$s7: ReadByte 0xee324:$s7: ReadByte 0x122944:$s7: ReadByte 0x481b5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
8.0.Outstanding Balance.exe.400000.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.0.Outstanding Balance.exe.400000.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.0.Outstanding Balance.exe.400000.10.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32ca4:$s10: logins 0x3270b:$s11: credential 0x2ecda:$g1: get_Clipboard 0x2ece8:$g2: get_Keyboard 0x2ecf5:$g3: get_Password 0x2ffe6:$g4: get_CtrlKeyDown 0x2fff6:$g5: get_ShiftKeyDown 0x30007:$g6: get_AltKeyDown
0.2.Outstanding Balance.exe.45003d0.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Outstanding Balance.exe.45003d0.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Outstanding Balance.exe.45003d0.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32ca4:$s10: logins 0x674c4:$s10: logins 0x9bae4:$s10: logins 0x3270b:$s11: credential 0x66f2b:$s11: credential 0x9b54b:$s11: credential 0x2ecda:$g1: get_Clipboard 0x634fa:$g1: get_Clipboard 0x97b1a:$g1: get_Clipboard 0x2ece8:$g2: get_Keyboard 0x63508:$g2: get_Keyboard 0x97b28:$g2: get_Keyboard 0x2ecf5:$g3: get_Password 0x63515:$g3: get_Password 0x97b35:$g3: get_Password 0x2ffe6:$g4: get_CtrlKeyDown 0x64806:$g4: get_CtrlKeyDown 0x98e26:$g4: get_CtrlKeyDown 0x2fff6:$g5: get_ShiftKeyDown 0x64816:$g5: get_ShiftKeyDown 0x98e36:$g5: get_ShiftKeyDown
0.2.Outstanding Balance.exe.4445598.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Outstanding Balance.exe.4445598.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Outstanding Balance.exe.4445598.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xedadc:$s10: logins 0x1222fc:$s10: logins 0x15691c:$s10: logins 0xed543:$s11: credential 0x121d63:$s11: credential 0x156383:$s11: credential 0xe9b12:$g1: get_Clipboard 0x11e332:$g1: get_Clipboard 0x152952:$g1: get_Clipboard 0xe9b20:$g2: get_Keyboard 0x11e340:$g2: get_Keyboard 0x152960:$g2: get_Keyboard 0xe9b2d:$g3: get_Password 0x11e34d:$g3: get_Password 0x15296d:$g3: get_Password 0xeae1e:$g4: get_CtrlKeyDown 0x11f63e:$g4: get_CtrlKeyDown 0x153c5e:$g4: get_CtrlKeyDown 0xeae2e:$g5: get_ShiftKeyDown 0x11f64e:$g5: get_ShiftKeyDown 0x153c6e:$g5: get_ShiftKeyDown
0.2.Outstanding Balance.exe.4445598.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x789bb:$s1: file:/// 0x788cb:$s2: {11111-22222-10009-11112} 0x7894b:$s3: {11111-22222-50001-00000} 0x76375:$s4: get_Module 0x767e4:$s5: Reverse 0xea07b:$s5: Reverse 0x11e89b:$s5: Reverse 0x152ebb:$s5: Reverse 0x7849e:$s6: BlockCopy 0xebf52:$s6: BlockCopy 0x120772:$s6: BlockCopy 0x154d92:$s6: BlockCopy 0xea31c:$s7: ReadByte 0x11eb3c:$s7: ReadByte 0x15315c:$s7: ReadByte 0x789cd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 27 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Outstanding Balance.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Outstanding Balance.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Windows Analysis Report
Outstanding Balance.exe