Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
4EBE6@3.exe

Overview

General Information

Sample Name:4EBE6@3.exe
Analysis ID:679195
MD5:ade71491b076ca7a43effaf0214dd030
SHA1:75623647a35d7bfbfc0df5dfc24646c8d53367d1
SHA256:81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Drops executable to a common third party application directory
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 4EBE6@3.exe (PID: 400 cmdline: "C:\Users\user\Desktop\4EBE6@3.exe" MD5: ADE71491B076CA7A43EFFAF0214DD030)
    • noise.exe (PID: 1600 cmdline: "C:\Users\user\AppData\Local\Temp\noise.exe" MD5: ADE71491B076CA7A43EFFAF0214DD030)
      • InstallUtil.exe (PID: 6036 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • Acrobat.exe (PID: 4876 cmdline: "C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe" MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 1112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "logs@multimetals.cfd", "Password": "multimetals.cfd", "Host": "asset@multimetals.cfd"}
SourceRuleDescriptionAuthorStrings
00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
      • 0x65a3a:$a13: get_DnsResolver
      • 0x9a32a:$a13: get_DnsResolver
      • 0xcec0a:$a13: get_DnsResolver
      • 0x6421e:$a20: get_LastAccessed
      • 0x98b0e:$a20: get_LastAccessed
      • 0xcd3ee:$a20: get_LastAccessed
      • 0x663cc:$a27: set_InternalServerPort
      • 0x9acbc:$a27: set_InternalServerPort
      • 0xcf59c:$a27: set_InternalServerPort
      • 0x666e8:$a30: set_GuidMasterKey
      • 0x9afd8:$a30: set_GuidMasterKey
      • 0xcf8b8:$a30: set_GuidMasterKey
      • 0x64325:$a33: get_Clipboard
      • 0x98c15:$a33: get_Clipboard
      • 0xcd4f5:$a33: get_Clipboard
      • 0x64333:$a34: get_Keyboard
      • 0x98c23:$a34: get_Keyboard
      • 0xcd503:$a34: get_Keyboard
      • 0x65655:$a35: get_ShiftKeyDown
      • 0x99f45:$a35: get_ShiftKeyDown
      • 0xce825:$a35: get_ShiftKeyDown
      0000000D.00000002.532021277.0000000003E1A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        0000000D.00000002.532021277.0000000003E1A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          Click to see the 22 entries
          SourceRuleDescriptionAuthorStrings
          13.2.noise.exe.3ea9c02.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            13.2.noise.exe.3ea9c02.2.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
              13.2.noise.exe.3ea9c02.2.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
              • 0x30eba:$s10: logins
              • 0x30921:$s11: credential
              • 0x2cec3:$g1: get_Clipboard
              • 0x2ced1:$g2: get_Keyboard
              • 0x2cede:$g3: get_Password
              • 0x2e1e3:$g4: get_CtrlKeyDown
              • 0x2e1f3:$g5: get_ShiftKeyDown
              • 0x2e204:$g6: get_AltKeyDown
              13.2.noise.exe.3ea9c02.2.unpackWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
              • 0x2e5d8:$a13: get_DnsResolver
              • 0x2cdbc:$a20: get_LastAccessed
              • 0x2ef6a:$a27: set_InternalServerPort
              • 0x2f286:$a30: set_GuidMasterKey
              • 0x2cec3:$a33: get_Clipboard
              • 0x2ced1:$a34: get_Keyboard
              • 0x2e1f3:$a35: get_ShiftKeyDown
              • 0x2e204:$a36: get_AltKeyDown
              • 0x2cede:$a37: get_Password
              • 0x2d99a:$a38: get_PasswordHash
              • 0x2e9d8:$a39: get_DefaultCredentials
              1.2.4EBE6@3.exe.4a1ef52.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security