Windows Analysis Report


General Information

Sample Name: 4EBE6@3.exe
Analysis ID: 679195

Range: 0 - 100


Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Drops executable to a common third party application directory
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)


  • System is w10x64
  • 4EBE6@3.exe (PID: 400 cmdline: "C:\Users\user\Desktop\4EBE6@3.exe" MD5: ADE71491B076CA7A43EFFAF0214DD030)
    • noise.exe (PID: 1600 cmdline: "C:\Users\user\AppData\Local\Temp\noise.exe" MD5: ADE71491B076CA7A43EFFAF0214DD030)
      • InstallUtil.exe (PID: 6036 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • Acrobat.exe (PID: 4876 cmdline: "C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe" MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 1112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "logs@multimetals.cfd", "Password": "multimetals.cfd", "Host": "asset@multimetals.cfd"}
00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.342705097.00000000049B5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
      • 0x65a3a:$a13: get_DnsResolver
      • 0x9a32a:$a13: get_DnsResolver
      • 0xcec0a:$a13: get_DnsResolver
      • 0x6421e:$a20: get_LastAccessed
      • 0x98b0e:$a20: get_LastAccessed
      • 0xcd3ee:$a20: get_LastAccessed
      • 0x663cc:$a27: set_InternalServerPort
      • 0x9acbc:$a27: set_InternalServerPort
      • 0xcf59c:$a27: set_InternalServerPort
      • 0x666e8:$a30: set_GuidMasterKey
      • 0x9afd8:$a30: set_GuidMasterKey
      • 0xcf8b8:$a30: set_GuidMasterKey
      • 0x64325:$a33: get_Clipboard
      • 0x98c15:$a33: get_Clipboard
      • 0xcd4f5:$a33: get_Clipboard
      • 0x64333:$a34: get_Keyboard
      • 0x98c23:$a34: get_Keyboard
      • 0xcd503:$a34: get_Keyboard
      • 0x65655:$a35: get_ShiftKeyDown
      • 0x99f45:$a35: get_ShiftKeyDown
      • 0xce825:$a35: get_ShiftKeyDown
0000000D.00000002.532021277.0000000003E1A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.532021277.0000000003E1A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
13.2.noise.exe.3ea9c02.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
13.2.noise.exe.3ea9c02.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
13.2.noise.exe.3ea9c02.2.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
              • 0x30eba:$s10: logins
              • 0x30921:$s11: credential
              • 0x2cec3:$g1: get_Clipboard
              • 0x2ced1:$g2: get_Keyboard
              • 0x2cede:$g3: get_Password
              • 0x2e1e3:$g4: get_CtrlKeyDown
              • 0x2e1f3:$g5: get_ShiftKeyDown
              • 0x2e204:$g6: get_AltKeyDown
              • 0x2e5d8:$a13: get_DnsResolver
              • 0x2cdbc:$a20: get_LastAccessed
              • 0x2ef6a:$a27: set_InternalServerPort
              • 0x2f286:$a30: set_GuidMasterKey
              • 0x2cec3:$a33: get_Clipboard
              • 0x2ced1:$a34: get_Keyboard
              • 0x2e1f3:$a35: get_ShiftKeyDown
              • 0x2e204:$a36: get_AltKeyDown
              • 0x2cede:$a37: get_Password
              • 0x2d99a:$a38: get_PasswordHash
              • 0x2e9d8:$a39: get_DefaultCredentials
1.2.4EBE6@3.exe.4a1ef52.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security