Edit tour

Windows Analysis Report
love.exe

Overview

General Information

Sample Name:	love.exe
Analysis ID:	651266
MD5:	f3c4ce7dd49e5728b3dd941ef7e95313
SHA1:	2c833a4195815f3fdeddc7996e10b17fc2abb3e8
SHA256:	139da5e39dff492d6163311fdcba5daaf916877cc8575e120ffba9b2bda65536
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Yara detected Costura Assembly Loader

Uses the Telegram API (likely for C&C communication)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

love.exe (PID: 6232 cmdline: "C:\Users\user\Desktop\love.exe" MD5: F3C4CE7DD49E5728B3DD941EF7E95313)

cmd.exe (PID: 6972 cmdline: "C:\Windows\System32\cmd.exe" /c timeout 20 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 7012 cmdline: timeout 20 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

InstallUtil.exe (PID: 4528 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

Grjwvl.exe (PID: 6984 cmdline: "C:\Users\user\AppData\Roaming\Mgfknof\Grjwvl.exe" MD5: F3C4CE7DD49E5728B3DD941EF7E95313)

cmd.exe (PID: 2292 cmdline: "C:\Windows\System32\cmd.exe" /c timeout 20 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 4400 cmdline: timeout 20 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

InstallUtil.exe (PID: 5096 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

Grjwvl.exe (PID: 5632 cmdline: "C:\Users\user\AppData\Roaming\Mgfknof\Grjwvl.exe" MD5: F3C4CE7DD49E5728B3DD941EF7E95313)

BackgroundTransferHost.exe (PID: 3896 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)

cmd.exe (PID: 5872 cmdline: "C:\Windows\System32\cmd.exe" /c timeout 20 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 3952 cmdline: timeout 20 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

InstallUtil.exe (PID: 3896 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

InstallUtil.exe (PID: 1296 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5310370668:AAEdB2nfvvFj53YoaxJ-AleA2m93WUxxyM0/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "5334267822", "Chat URL": "https://api.telegram.org/bot5310370668:AAEdB2nfvvFj53YoaxJ-AleA2m93WUxxyM0/sendDocument"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000015.00000003.391274838.0000000007C61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.343016197.00000000040FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.343016197.00000000040FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000003.276619656.0000000008226000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000015.00000002.464002231.00000000040BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.464002231.00000000040BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000023.00000000.439095104.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000023.00000000.439095104.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000025.00000000.457726338.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000025.00000000.457726338.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000003.280202235.00000000041F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000000.336914407.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000000.336914407.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.342398829.0000000004070000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.342398829.0000000004070000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000015.00000002.463441760.0000000004030000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.463441760.0000000004030000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000025.00000000.458487817.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000025.00000000.458487817.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000012.00000002.444831530.00000000037F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.444831530.00000000037F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000015.00000002.466534836.0000000007C60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000015.00000002.466534836.0000000007C60000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x5d42a:$s1: file:/// 0x5d386:$s2: {11111-22222-10009-11112} 0x5d3ba:$s3: {11111-22222-50001-00000} 0x5a080:$s4: get_Module 0x5a19c:$s5: Reverse 0x5b89f:$s6: BlockCopy 0x5bf21:$s7: ReadByte 0x5d43e:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
00000012.00000002.445090863.00000000038CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.445090863.00000000038CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.342152559.0000000004021000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.342152559.0000000004021000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000012.00000002.448199916.00000000074B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000012.00000002.448199916.00000000074B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x5d42a:$s1: file:/// 0x5d386:$s2: {11111-22222-10009-11112} 0x5d3ba:$s3: {11111-22222-50001-00000} 0x5a080:$s4: get_Module 0x5a19c:$s5: Reverse 0x5b89f:$s6: BlockCopy 0x5bf21:$s7: ReadByte 0x5d43e:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
00000023.00000000.440160932.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000023.00000000.440160932.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000015.00000003.395977770.00000000041B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000002.441757056.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000002.441757056.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000023.00000002.461376169.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000023.00000002.461376169.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000023.00000000.439743779.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000023.00000000.439743779.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.352376984.0000000008220000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.352376984.0000000008220000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x5d42a:$s1: file:/// 0x5d386:$s2: {11111-22222-10009-11112} 0x5d3ba:$s3: {11111-22222-50001-00000} 0x5a080:$s4: get_Module 0x5a19c:$s5: Reverse 0x5b89f:$s6: BlockCopy 0x5bf21:$s7: ReadByte 0x5d43e:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
00000025.00000002.515244386.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000025.00000002.515244386.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000015.00000002.461894221.000000000302E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000000.337477695.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000000.337477695.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000011.00000000.337195399.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000000.337195399.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000015.00000002.463052631.0000000003FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.463052631.0000000003FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000012.00000002.444046902.000000000283E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000000.337854647.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000000.337854647.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000025.00000000.458149795.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000025.00000000.458149795.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000012.00000002.444909008.0000000003840000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.444909008.0000000003840000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000025.00000000.459235290.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000025.00000000.459235290.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000023.00000000.438645429.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000023.00000000.438645429.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.341099204.000000000306E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000012.00000003.369603767.00000000074B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000012.00000003.374621966.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000002.442994108.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000002.442994108.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.442994108.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000002.517983992.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000025.00000002.517983992.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000025.00000002.517983992.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000023.00000002.462835712.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000023.00000002.462835712.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000023.00000002.462835712.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: love.exe PID: 6232	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: love.exe PID: 6232	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: InstallUtil.exe PID: 4528	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 4528	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 4528	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Grjwvl.exe PID: 6984	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Grjwvl.exe PID: 6984	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Grjwvl.exe PID: 5632	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Grjwvl.exe PID: 5632	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: InstallUtil.exe PID: 5096	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 5096	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 5096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 1296	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 1296	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 1296	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 82 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.Grjwvl.exe.387fd08.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
18.2.Grjwvl.exe.387fd08.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
18.2.Grjwvl.exe.387fd08.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30e1c:$s10: logins 0x30883:$s11: credential 0x2cdc3:$g1: get_Clipboard 0x2cdd1:$g2: get_Keyboard 0x2cdde:$g3: get_Password 0x2e0cf:$g4: get_CtrlKeyDown 0x2e0df:$g5: get_ShiftKeyDown 0x2e0f0:$g6: get_AltKeyDown
21.2.Grjwvl.exe.406fd08.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
21.2.Grjwvl.exe.406fd08.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
21.2.Grjwvl.exe.406fd08.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
21.2.Grjwvl.exe.406fd08.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c1c:$s10: logins 0x32683:$s11: credential 0x2ebc3:$g1: get_Clipboard 0x2ebd1:$g2: get_Keyboard 0x2ebde:$g3: get_Password 0x2fecf:$g4: get_CtrlKeyDown 0x2fedf:$g5: get_ShiftKeyDown 0x2fef0:$g6: get_AltKeyDown
17.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
17.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
17.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c1c:$s10: logins 0x32683:$s11: credential 0x2ebc3:$g1: get_Clipboard 0x2ebd1:$g2: get_Keyboard 0x2ebde:$g3: get_Password 0x2fecf:$g4: get_CtrlKeyDown 0x2fedf:$g5: get_ShiftKeyDown 0x2fef0:$g6: get_AltKeyDown
17.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
17.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
17.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c1c:$s10: logins 0x32683:$s11: credential 0x2ebc3:$g1: get_Clipboard 0x2ebd1:$g2: get_Keyboard 0x2ebde:$g3: get_Password 0x2fecf:$g4: get_CtrlKeyDown 0x2fedf:$g5: get_ShiftKeyDown 0x2fef0:$g6: get_AltKeyDown
35.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
35.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
35.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
35.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c1c:$s10: logins 0x32683:$s11: credential 0x2ebc3:$g1: get_Clipboard 0x2ebd1:$g2: get_Keyboard 0x2ebde:$g3: get_Password 0x2fecf:$g4: get_CtrlKeyDown 0x2fedf:$g5: get_ShiftKeyDown 0x2fef0:$g6: get_AltKeyDown
18.2.Grjwvl.exe.38cfd28.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
18.2.Grjwvl.exe.38cfd28.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
18.2.Grjwvl.exe.38cfd28.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
18.2.Grjwvl.exe.38cfd28.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c1c:$s10: logins 0x32683:$s11: credential 0x2ebc3:$g1: get_Clipboard 0x2ebd1:$g2: get_Keyboard 0x2ebde:$g3: get_Password 0x2fecf:$g4: get_CtrlKeyDown 0x2fedf:$g5: get_ShiftKeyDown 0x2fef0:$g6: get_AltKeyDown
37.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
37.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
37.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
37.0.InstallUtil.exe.400000.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c1c:$s10: logins 0x32683:$s11: credential 0x2ebc3:$g1: get_Clipboard 0x2ebd1:$g2: get_Keyboard 0x2ebde:$g3: get_Password 0x2fecf:$g4: get_CtrlKeyDown 0x2fedf:$g5: get_ShiftKeyDown 0x2fef0:$g6: get_AltKeyDown
0.2.love.exe.40ffd28.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.love.exe.40ffd28.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.love.exe.40ffd28.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.love.exe.40ffd28.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c1c:$s10: logins 0x

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
love.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report love.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Windows Analysis Report
love.exe