Edit tour

Windows Analysis Report
321 Amita Technical 16.09.2022.exe

Overview

General Information

Sample Name:	321 Amita Technical 16.09.2022.exe
Analysis ID:	708244
MD5:	a2a924c124bbc597a76495b4fb08f906
SHA1:	7ce1c45be6abf27c1b6f6c33ad16a27c4925e51b
SHA256:	9d45370a27c72436041f3ffb82b0c245eea5191c788b574e9656a23054340a61
Tags:	exe
Infos:

Detection

AgentTesla, DarkTortilla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected DarkTortilla Crypter

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Machine Learning detection for sample

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Hides that the sample has been downloaded from the Internet (zone.identifier)

Moves itself to temp directory

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

321 Amita Technical 16.09.2022.exe (PID: 5436 cmdline: "C:\Users\user\Desktop\321 Amita Technical 16.09.2022.exe" MD5: A2A924C124BBC597A76495B4FB08F906)

phine.exe (PID: 5604 cmdline: "C:\Users\user\AppData\Local\Temp\phine.exe" MD5: A2A924C124BBC597A76495B4FB08F906)

InstallUtil.exe (PID: 5980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "logs@multimetals.cfd", "Password": "multimetals.cfd", "Host": "asset@multimetals.cfd"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.543325516.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.543325516.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.543325516.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30184:$a13: get_DnsResolver 0x2e986:$a20: get_LastAccessed 0x30b16:$a27: set_InternalServerPort 0x30e32:$a30: set_GuidMasterKey 0x2ea8d:$a33: get_Clipboard 0x2ea9b:$a34: get_Keyboard 0x2fdb7:$a35: get_ShiftKeyDown 0x2fdc8:$a36: get_AltKeyDown 0x2eaa8:$a37: get_Password 0x2f55e:$a38: get_PasswordHash 0x30584:$a39: get_DefaultCredentials
00000000.00000002.343398236.00000000028F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.346179647.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000001.00000002.545362105.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.545362105.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.545362105.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000001.00000002.545362105.0000000003D9F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30bd6:$a13: get_DnsResolver 0x654ac:$a13: get_DnsResolver 0x2f3d8:$a20: get_LastAccessed 0x63cae:$a20: get_LastAccessed 0x31568:$a27: set_InternalServerPort 0x65e3e:$a27: set_InternalServerPort 0x31884:$a30: set_GuidMasterKey 0x6615a:$a30: set_GuidMasterKey 0x2f4df:$a33: get_Clipboard 0x63db5:$a33: get_Clipboard 0x2f4ed:$a34: get_Keyboard 0x63dc3:$a34: get_Keyboard 0x30809:$a35: get_ShiftKeyDown 0x650df:$a35: get_ShiftKeyDown 0x3081a:$a36: get_AltKeyDown 0x650f0:$a36: get_AltKeyDown 0x2f4fa:$a37: get_Password 0x63dd0:$a37: get_Password 0x2ffb0:$a38: get_PasswordHash 0x64886:$a38: get_PasswordHash 0x30fd6:$a39: get_DefaultCredentials
00000004.00000000.447939474.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.447939474.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.447939474.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3017c:$a13: get_DnsResolver 0x2e97e:$a20: get_LastAccessed 0x30b0e:$a27: set_InternalServerPort 0x30e2a:$a30: set_GuidMasterKey 0x2ea85:$a33: get_Clipboard 0x2ea93:$a34: get_Keyboard 0x2fdaf:$a35: get_ShiftKeyDown 0x2fdc0:$a36: get_AltKeyDown 0x2eaa0:$a37: get_Password 0x2f556:$a38: get_PasswordHash 0x3057c:$a39: get_DefaultCredentials
00000001.00000002.543889878.0000000003C98000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.543889878.0000000003C98000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.543889878.0000000003C98000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000001.00000002.543889878.0000000003C98000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x65866:$a13: get_DnsResolver 0x9a156:$a13: get_DnsResolver 0xcea36:$a13: get_DnsResolver 0x64068:$a20: get_LastAccessed 0x98958:$a20: get_LastAccessed 0xcd238:$a20: get_LastAccessed 0x661f8:$a27: set_InternalServerPort 0x9aae8:$a27: set_InternalServerPort 0xcf3c8:$a27: set_InternalServerPort 0x66514:$a30: set_GuidMasterKey 0x9ae04:$a30: set_GuidMasterKey 0xcf6e4:$a30: set_GuidMasterKey 0x6416f:$a33: get_Clipboard 0x98a5f:$a33: get_Clipboard 0xcd33f:$a33: get_Clipboard 0x6417d:$a34: get_Keyboard 0x98a6d:$a34: get_Keyboard 0xcd34d:$a34: get_Keyboard 0x65499:$a35: get_ShiftKeyDown 0x99d89:$a35: get_ShiftKeyDown 0xce669:$a35: get_ShiftKeyDown
00000001.00000002.528157488.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.350191112.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.350191112.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.350191112.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.350191112.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6543e:$a13: get_DnsResolver 0x99d2e:$a13: get_DnsResolver 0xce60e:$a13: get_DnsResolver 0x63c40:$a20: get_LastAccessed 0x98530:$a20: get_LastAccessed 0xcce10:$a20: get_LastAccessed 0x65dd0:$a27: set_InternalServerPort 0x9a6c0:$a27: set_InternalServerPort 0xcefa0:$a27: set_InternalServerPort 0x660ec:$a30: set_GuidMasterKey 0x9a9dc:$a30: set_GuidMasterKey 0xcf2bc:$a30: set_GuidMasterKey 0x63d47:$a33: get_Clipboard 0x98637:$a33: get_Clipboard 0xccf17:$a33: get_Clipboard 0x63d55:$a34: get_Keyboard 0x98645:$a34: get_Keyboard 0xccf25:$a34: get_Keyboard 0x65071:$a35: get_ShiftKeyDown 0x99961:$a35: get_ShiftKeyDown 0xce241:$a35: get_ShiftKeyDown
00000000.00000002.351247039.0000000003AB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.351247039.0000000003AB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.351247039.0000000003AB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.351247039.0000000003AB0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x307ae:$a13: get_DnsResolver 0x65084:$a13: get_DnsResolver 0x2efb0:$a20: get_LastAccessed 0x63886:$a20: get_LastAccessed 0x31140:$a27: set_InternalServerPort 0x65a16:$a27: set_InternalServerPort 0x3145c:$a30: set_GuidMasterKey 0x65d32:$a30: set_GuidMasterKey 0x2f0b7:$a33: get_Clipboard 0x6398d:$a33: get_Clipboard 0x2f0c5:$a34: get_Keyboard 0x6399b:$a34: get_Keyboard 0x303e1:$a35: get_ShiftKeyDown 0x64cb7:$a35: get_ShiftKeyDown 0x303f2:$a36: get_AltKeyDown 0x64cc8:$a36: get_AltKeyDown 0x2f0d2:$a37: get_Password 0x639a8:$a37: get_Password 0x2fb88:$a38: get_PasswordHash 0x6445e:$a38: get_PasswordHash 0x30bae:$a39: get_DefaultCredentials
00000004.00000002.562334194.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.562334194.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 321 Amita Technical 16.09.2022.exe PID: 5436	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 321 Amita Technical 16.09.2022.exe PID: 5436	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: 321 Amita Technical 16.09.2022.exe PID: 5436	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x95828:$a13: get_DnsResolver 0xc4566:$a13: get_DnsResolver 0x9428a:$a20: get_LastAccessed 0xc2fc8:$a20: get_LastAccessed 0x96169:$a27: set_InternalServerPort 0xc4ea7:$a27: set_InternalServerPort 0x963c5:$a30: set_GuidMasterKey 0xc5103:$a30: set_GuidMasterKey 0x9437d:$a33: get_Clipboard 0xc30bb:$a33: get_Clipboard 0x9438b:$a34: get_Keyboard 0xc30c9:$a34: get_Keyboard 0x954fa:$a35: get_ShiftKeyDown 0xc4238:$a35: get_ShiftKeyDown 0x9550b:$a36: get_AltKeyDown 0xc4249:$a36: get_AltKeyDown 0x94398:$a37: get_Password 0xc30d6:$a37: get_Password 0x94daa:$a38: get_PasswordHash 0xc3ae8:$a38: get_PasswordHash 0x95bfc:$a39: get_DefaultCredentials
Process Memory Space: phine.exe PID: 5604	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: phine.exe PID: 5604	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: phine.exe PID: 5604	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xf90a:$a13: get_DnsResolver 0x2362a:$a13: get_DnsResolver 0x3969d:$a13: get_DnsResolver 0xe36c:$a20: get_LastAccessed 0x2208c:$a20: get_LastAccessed 0x380ff:$a20: get_LastAccessed 0x1024b:$a27: set_InternalServerPort 0x23f6b:$a27: set_InternalServerPort 0x39fde:$a27: set_InternalServerPort 0x104a7:$a30: set_GuidMasterKey 0x241c7:$a30: set_GuidMasterKey 0x3a23a:$a30: set_GuidMasterKey 0xe45f:$a33: get_Clipboard 0x2217f:$a33: get_Clipboard 0x381f2:$a33: get_Clipboard 0xe46d:$a34: get_Keyboard 0x2218d:$a34: get_Keyboard 0x38200:$a34: get_Keyboard 0xf5dc:$a35: get_ShiftKeyDown 0x232fc:$a35: get_ShiftKeyDown 0x3936f:$a35: get_ShiftKeyDown
Process Memory Space: InstallUtil.exe PID: 5980	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 5980	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 5980	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1b36f:$a13: get_DnsResolver 0x19dd1:$a20: get_LastAccessed 0x1bcb0:$a27: set_InternalServerPort 0x1bf0c:$a30: set_GuidMasterKey 0x19ec4:$a33: get_Clipboard 0x19ed2:$a34: get_Keyboard 0x1b041:$a35: get_ShiftKeyDown 0x1b052:$a36: get_AltKeyDown 0x19edf:$a37: get_Password 0x1a8f1:$a38: get_PasswordHash 0x1b743:$a39: get_DefaultCredentials
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.phine.exe.3d366ba.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.phine.exe.3d366ba.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.phine.exe.3d366ba.2.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
1.2.phine.exe.3d366ba.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30e75:$s10: logins 0x308dc:$s11: credential 0x2ce85:$g1: get_Clipboard 0x2ce93:$g2: get_Keyboard 0x2cea0:$g3: get_Password 0x2e19f:$g4: get_CtrlKeyDown 0x2e1af:$g5: get_ShiftKeyDown 0x2e1c0:$g6: get_AltKeyDown
1.2.phine.exe.3d366ba.2.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e57c:$a13: get_DnsResolver 0x2cd7e:$a20: get_LastAccessed 0x2ef0e:$a27: set_InternalServerPort 0x2f22a:$a30: set_GuidMasterKey 0x2ce85:$a33: get_Clipboard 0x2ce93:$a34: get_Keyboard 0x2e1af:$a35: get_ShiftKeyDown 0x2e1c0:$a36: get_AltKeyDown 0x2cea0:$a37: get_Password 0x2d956:$a38: get_PasswordHash 0x2e97c:$a39: get_DefaultCredentials
1.2.phine.exe.3ccd4ea.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.phine.exe.3ccd4ea.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.phine.exe.3ccd4ea.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
1.2.phine.exe.3ccd4ea.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c75:$s10: logins 0x67565:$s10: logins 0x9be45:$s10: logins 0x326dc:$s11: credential 0x66fcc:$s11: credential 0x9b8ac:$s11: credential 0x2ec85:$g1: get_Clipboard 0x63575:$g1: get_Clipboard 0x97e55:$g1: get_Clipboard 0x2ec93:$g2: get_Keyboard 0x63583:$g2: get_Keyboard 0x97e63:$g2: get_Keyboard 0x2eca0:$g3: get_Password 0x63590:$g3: get_Password 0x97e70:$g3: get_Password 0x2ff9f:$g4: get_CtrlKeyDown 0x6488f:$g4: get_CtrlKeyDown 0x9916f:$g4: get_CtrlKeyDown 0x2ffaf:$g5: get_ShiftKeyDown 0x6489f:$g5: get_ShiftKeyDown 0x9917f:$g5: get_ShiftKeyDown
1.2.phine.exe.3ccd4ea.3.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3037c:$a13: get_DnsResolver 0x64c6c:$a13: get_DnsResolver 0x9954c:$a13: get_DnsResolver 0x2eb7e:$a20: get_LastAccessed 0x6346e:$a20: get_LastAccessed 0x97d4e:$a20: get_LastAccessed 0x30d0e:$a27: set_InternalServerPort 0x655fe:$a27: set_InternalServerPort 0x99ede:$a27: set_InternalServerPort 0x3102a:$a30: set_GuidMasterKey 0x6591a:$a30: set_GuidMasterKey 0x9a1fa:$a30: set_GuidMasterKey 0x2ec85:$a33: get_Clipboard 0x63575:$a33: get_Clipboard 0x97e55:$a33: get_Clipboard 0x2ec93:$a34: get_Keyboard 0x63583:$a34: get_Keyboard 0x97e63:$a34: get_Keyboard 0x2ffaf:$a35: get_ShiftKeyDown 0x6489f:$a35: get_ShiftKeyDown 0x9917f:$a35: get_ShiftKeyDown
1.2.phine.exe.3dd4130.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.phine.exe.3dd4130.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.phine.exe.3dd4130.5.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c75:$s10: logins 0x326dc:$s11: credential 0x2ec85:$g1: get_Clipboard 0x2ec93:$g2: get_Keyboard 0x2eca0:$g3: get_Password 0x2ff9f:$g4: get_CtrlKeyDown 0x2ffaf:$g5: get_ShiftKeyDown 0x2ffc0:$g6: get_AltKeyDown
1.2.phine.exe.3dd4130.5.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3037c:$a13: get_DnsResolver 0x2eb7e:$a20: get_LastAccessed 0x30d0e:$a27: set_InternalServerPort 0x3102a:$a30: set_GuidMasterKey 0x2ec85:$a33: get_Clipboard

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
321 Amita Technical 16.09.2022.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 321 Amita Technical 16.09.2022.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Windows Analysis Report
321 Amita Technical 16.09.2022.exe