Windows Analysis Report
321 Amita Technical 16.09.2022.exe


General Information

Sample Name: 321 Amita Technical 16.09.2022.exe
Analysis ID: 708244


Detection: AgentTesla, DarkTortilla
Score range: 0 - 100


Yara detected DarkTortilla Crypter
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)


  • System is w10x64
  • 321 Amita Technical 16.09.2022.exe (PID: 5436 cmdline: "C:\Users\user\Desktop\321 Amita Technical 16.09.2022.exe" MD5: A2A924C124BBC597A76495B4FB08F906)
    • phine.exe (PID: 5604 cmdline: "C:\Users\user\AppData\Local\Temp\phine.exe" MD5: A2A924C124BBC597A76495B4FB08F906)
      • InstallUtil.exe (PID: 5980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

{"Exfil Mode": "SMTP", "Username": "logs@multimetals.cfd", "Password": "multimetals.cfd", "Host": "asset@multimetals.cfd"}

Yara Overview
Memory dumps:

  • Source: 00000001.00000002.543325516.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp
    Rule: JoeSecurity_AgentTesla_1
    Description: Yara detected AgentTesla
    Author: Joe Security
  • Source: 00000001.00000002.543325516.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp
    Rule: JoeSecurity_AgentTesla_2
    Description: Yara detected AgentTesla
    Author: Joe Security
    Matched strings:
      • 0x30184: $a13 get_DnsResolver
      • 0x2e986: $a20 get_LastAccessed
      • 0x30b16: $a27 set_InternalServerPort
      • 0x30e32: $a30 set_GuidMasterKey
      • 0x2ea8d: $a33 get_Clipboard
      • 0x2ea9b: $a34 get_Keyboard
      • 0x2fdb7: $a35 get_ShiftKeyDown
      • 0x2fdc8: $a36 get_AltKeyDown
      • 0x2eaa8: $a37 get_Password
      • 0x2f55e: $a38 get_PasswordHash
      • 0x30584: $a39 get_DefaultCredentials
  • Source: 00000000.00000002.343398236.00000000028F2000.00000004.00000800.00020000.00000000.sdmp
    Rule: JoeSecurity_DarkTortilla
    Description: Yara detected DarkTortilla Crypter
    Author: Joe Security
  • Source: 00000000.00000002.346179647.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp
    Rule: JoeSecurity_DarkTortilla
    Description: Yara detected DarkTortilla Crypter
    Author: Joe Security

Unpacked PE files:

  • Source: 1.2.phine.exe.3d366ba.2.unpack
    Rule: JoeSecurity_AgentTesla_1
    Description: Yara detected AgentTesla
    Author: Joe Security
  • Source: 1.2.phine.exe.3d366ba.2.unpack
    Rule: JoeSecurity_AgentTesla_2
    Description: Yara detected AgentTesla
    Author: Joe Security
  • Source: 1.2.phine.exe.3d366ba.2.unpack
    Rule: JoeSecurity_DarkTortilla
    Description: Yara detected DarkTortilla Crypter
    Author: Joe Security
  • Source: 1.2.phine.exe.3d366ba.2.unpack
    Rule: MALWARE_Win_AgentTeslaV3
    Description: AgentTeslaV3 infostealer payload
    Author: ditekSHen
    Matched strings:
      • 0x30e75: $s10 logins
      • 0x308dc: $s11 credential
      • 0x2ce85: $g1 get_Clipboard
      • 0x2ce93: $g2 get_Keyboard
      • 0x2cea0: $g3 get_Password
      • 0x2e19f: $g4 get_CtrlKeyDown
      • 0x2e1af: $g5 get_ShiftKeyDown
      • 0x2e1c0: $g6 get_AltKeyDown
      • 0x2e57c: $a13 get_DnsResolver
      • 0x2cd7e: $a20 get_LastAccessed
      • 0x2ef0e: $a27 set_InternalServerPort
      • 0x2f22a: $a30 set_GuidMasterKey
      • 0x2ce85: $a33 get_Clipboard
      • 0x2ce93: $a34 get_Keyboard
      • 0x2e1af: $a35 get_ShiftKeyDown
      • 0x2e1c0: $a36 get_AltKeyDown
      • 0x2cea0: $a37 get_Password
      • 0x2d956: $a38 get_PasswordHash
      • 0x2e97c: $a39 get_DefaultCredentials