Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Analysis ID:	756002
MD5:	d6f0e59d1bb1d559029da21e132a1c9b
SHA1:	7b760ca553c6d95126146825b1f5b846d5a69378
SHA256:	0afcaf64f298203c19ee5001aeb67a4a785a2a3a56fac3ead54c86811583d873
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe (PID: 5708 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe MD5: D6F0E59D1BB1D559029DA21E132A1C9B)

SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe (PID: 64 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe MD5: D6F0E59D1BB1D559029DA21E132A1C9B)

wPBZqbH.exe (PID: 2816 cmdline: "C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe" MD5: D6F0E59D1BB1D559029DA21E132A1C9B)

wPBZqbH.exe (PID: 5328 cmdline: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe MD5: D6F0E59D1BB1D559029DA21E132A1C9B)

wPBZqbH.exe (PID: 5316 cmdline: "C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe" MD5: D6F0E59D1BB1D559029DA21E132A1C9B)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.akademetre.com", "Username": "suletas@akademetre.com", "Password": "st6473"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.361237827.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x143c06:$a13: get_DnsResolver 0x17a426:$a13: get_DnsResolver 0x1b0a46:$a13: get_DnsResolver 0x142313:$a20: get_LastAccessed 0x178b33:$a20: get_LastAccessed 0x1af153:$a20: get_LastAccessed 0x144634:$a27: set_InternalServerPort 0x17ae54:$a27: set_InternalServerPort 0x1b1474:$a27: set_InternalServerPort 0x144969:$a30: set_GuidMasterKey 0x17b189:$a30: set_GuidMasterKey 0x1b17a9:$a30: set_GuidMasterKey 0x142425:$a33: get_Clipboard 0x178c45:$a33: get_Clipboard 0x1af265:$a33: get_Clipboard 0x142433:$a34: get_Keyboard 0x178c53:$a34: get_Keyboard 0x1af273:$a34: get_Keyboard 0x143800:$a35: get_ShiftKeyDown 0x17a020:$a35: get_ShiftKeyDown 0x1b0640:$a35: get_ShiftKeyDown
0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31d06:$a13: get_DnsResolver 0x30413:$a20: get_LastAccessed 0x32734:$a27: set_InternalServerPort 0x32a69:$a30: set_GuidMasterKey 0x30525:$a33: get_Clipboard 0x30533:$a34: get_Keyboard 0x31900:$a35: get_ShiftKeyDown 0x31911:$a36: get_AltKeyDown 0x30540:$a37: get_Password 0x3105b:$a38: get_PasswordHash 0x32168:$a39: get_DefaultCredentials
00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.295133580.00000000032AC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x46d51:$a13: get_DnsResolver 0x45d3c:$a20: get_LastAccessed 0x473f3:$a27: set_InternalServerPort 0x475da:$a30: set_GuidMasterKey 0x45e22:$a33: get_Clipboard 0x45e30:$a34: get_Keyboard 0x46ace:$a35: get_ShiftKeyDown 0x46adf:$a36: get_AltKeyDown 0x45e3d:$a37: get_Password 0x46554:$a38: get_PasswordHash 0x47011:$a39: get_DefaultCredentials
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2a2ec:$a13: get_DnsResolver 0x28c59:$a20: get_LastAccessed 0x2acc9:$a27: set_InternalServerPort 0x2af30:$a30: set_GuidMasterKey 0x28d54:$a33: get_Clipboard 0x28d62:$a34: get_Keyboard 0x29f82:$a35: get_ShiftKeyDown 0x29f93:$a36: get_AltKeyDown 0x28d6f:$a37: get_Password 0x297e6:$a38: get_PasswordHash 0x2a722:$a39: get_DefaultCredentials
Process Memory Space: wPBZqbH.exe PID: 2816	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wPBZqbH.exe PID: 5328	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: wPBZqbH.exe PID: 5328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.wPBZqbH.exe.2d3063c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.wPBZqbH.exe.2d3063c.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd16a:$v1: SbieDll.dll 0xd184:$v2: USER 0xd190:$v3: SANDBOX 0xd1a2:$v4: VIRUS 0xd1f2:$v4: VIRUS 0xd1b0:$v5: MALWARE 0xd1c2:$v6: SCHMIDTI 0xd1d6:$v7: CURRENTUSER
11.2.wPBZqbH.exe.2d12e6c.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.wPBZqbH.exe.2d12e6c.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a93a:$v1: SbieDll.dll 0x2a954:$v2: USER 0x2a960:$v3: SANDBOX 0x2a972:$v4: VIRUS 0x2a9c2:$v4: VIRUS 0x2a980:$v5: MALWARE 0x2a992:$v6: SCHMIDTI 0x2a9a6:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2ff0724.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2ff0724.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd16a:$v1: SbieDll.dll 0xd184:$v2: USER 0xd190:$v3: SANDBOX 0xd1a2:$v4: VIRUS 0xd1f2:$v4: VIRUS 0xd1b0:$v5: MALWARE 0xd1c2:$v6: SCHMIDTI 0xd1d6:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x1458e0:$s10: logins 0x17c100:$s10: logins 0x1b2720:$s10: logins 0x14535a:$s11: credential 0x17bb7a:$s11: credential 0x1b219a:$s11: credential 0x1415bd:$g1: get_Clipboard 0x177ddd:$g1: get_Clipboard 0x1ae3fd:$g1: get_Clipboard 0x1415cb:$g2: get_Keyboard 0x177deb:$g2: get_Keyboard 0x1ae40b:$g2: get_Keyboard 0x1415d8:$g3: get_Password 0x177df8:$g3: get_Password 0x1ae418:$g3: get_Password 0x142988:$g4: get_CtrlKeyDown 0x1791a8:$g4: get_CtrlKeyDown 0x1af7c8:$g4: get_CtrlKeyDown 0x142998:$g5: get_ShiftKeyDown 0x1791b8:$g5: get_ShiftKeyDown 0x1af7d8:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xb327f:$s1: file:/// 0xb318f:$s2: {11111-22222-10009-11112} 0xb320f:$s3: {11111-22222-50001-00000} 0xb2411:$s4: get_Module 0xb278c:$s5: Reverse 0x141b6e:$s5: Reverse 0x17838e:$s5: Reverse 0x1ae9ae:$s5: Reverse 0xad995:$s6: BlockCopy 0x143bb4:$s6: BlockCopy 0x17a3d4:$s6: BlockCopy 0x1b09f4:$s6: BlockCopy 0x141e2c:$s7: ReadByte 0x17864c:$s7: ReadByte 0x1aec6c:$s7: ReadByte 0xb3291:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x142d9e:$a13: get_DnsResolver 0x1795be:$a13: get_DnsResolver 0x1afbde:$a13: get_DnsResolver 0x1414ab:$a20: get_LastAccessed 0x177ccb:$a20: get_LastAccessed 0x1ae2eb:$a20: get_LastAccessed 0x1437cc:$a27: set_InternalServerPort 0x179fec:$a27: set_InternalServerPort 0x1b060c:$a27: set_InternalServerPort 0x143b01:$a30: set_GuidMasterKey 0x17a321:$a30: set_GuidMasterKey 0x1b0941:$a30: set_GuidMasterKey 0x1415bd:$a33: get_Clipboard 0x177ddd:$a33: get_Clipboard 0x1ae3fd:$a33: get_Clipboard 0x1415cb:$a34: get_Keyboard 0x177deb:$a34: get_Keyboard 0x1ae40b:$a34: get_Keyboard 0x142998:$a35: get_ShiftKeyDown 0x1791b8:$a35: get_ShiftKeyDown 0x1af7d8:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2fd2f54.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2fd2f54.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a93a:$v1: SbieDll.dll 0x2a954:$v2: USER 0x2a960:$v3: SANDBOX 0x2a972:$v4: VIRUS 0x2a9c2:$v4: VIRUS 0x2a980:$v5: MALWARE 0x2a992:$v6: SCHMIDTI 0x2a9a6:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xc7868:$s10: logins 0xfe088:$s10: logins 0x1346a8:$s10: logins 0xc72e2:$s11: credential 0xfdb02:$s11: credential 0x134122:$s11: credential 0xc3545:$g1: get_Clipboard 0xf9d65:$g1: get_Clipboard 0x130385:$g1: get_Clipboard 0xc3553:$g2: get_Keyboard 0xf9d73:$g2: get_Keyboard 0x130393:$g2: get_Keyboard 0xc3560:$g3: get_Password 0xf9d80:$g3: get_Password 0x1303a0:$g3: get_Password 0xc4910:$g4: get_CtrlKeyDown 0xfb130:$g4: get_CtrlKeyDown 0x131750:$g4: get_CtrlKeyDown 0xc4920:$g5: get_ShiftKeyDown 0xfb140:$g5: get_ShiftKeyDown 0x131760:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x35207:$s1: file:/// 0x35117:$s2: {11111-22222-10009-11112} 0x35197:$s3: {11111-22222-50001-00000} 0x34399:$s4: get_Module 0x34714:$s5: Reverse 0xc3af6:$s5: Reverse 0xfa316:$s5: Reverse 0x130936:$s5: Reverse 0x2f91d:$s6: BlockCopy 0xc5b3c:$s6: BlockCopy 0xfc35c:$s6: BlockCopy 0x13297c:$s6: BlockCopy 0xc3db4:$s7: ReadByte 0xfa5d4:$s7: ReadByte 0x130bf4:$s7: ReadByte 0x35219:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xc4d26:$a13: get_DnsResolver 0xfb546:$a13: get_DnsResolver 0x131b66:$a13: get_DnsResolver 0xc3433:$a20: get_LastAccessed 0xf9c53:$a20: get_LastAccessed 0x130273:$a20: get_LastAccessed 0xc5754:$a27: set_InternalServerPort 0xfbf74:$a27: set_InternalServerPort 0x132594:$a27: set_InternalServerPort 0xc5a89:$a30: set_GuidMasterKey 0xfc2a9:$a30: set_GuidMasterKey 0x1328c9:$a30: set_GuidMasterKey 0xc3545:$a33: get_Clipboard 0xf9d65:$a33: get_Clipboard 0x130385:$a33: get_Clipboard 0xc3553:$a34: get_Keyboard 0xf9d73:$a34: get_Keyboard 0x130393:$a34: get_Keyboard 0xc4920:$a35: get_ShiftKeyDown 0xfb140:$a35: get_ShiftKeyDown 0x131760:$a35: get_ShiftKeyDown
7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a48:$s10: logins 0x344c2:$s11: credential 0x30725:$g1: get_Clipboard 0x30733:$g2: get_Keyboard 0x30740:$g3: get_Password 0x31af0:$g4: get_CtrlKeyDown 0x31b00:$g5: get_ShiftKeyDown 0x31b11:$g6: get_AltKeyDown
7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f06:$a13: get_DnsResolver 0x30613:$a20: get_LastAccessed 0x32934:$a27: set_InternalServerPort 0x32c69:$a30: set_GuidMasterKey 0x30725:$a33: get_Clipboard 0x30733:$a34: get_Keyboard 0x31b00:$a35: get_ShiftKeyDown 0x31b11:$a36: get_AltKeyDown 0x30740:$a37: get_Password 0x3125b:$a38: get_PasswordHash 0x32368:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c48:$s10: logins 0x326c2:$s11: credential 0x2e925:$g1: get_Clipboard 0x2e933:$g2: get_Keyboard 0x2e940:$g3: get_Password 0x2fcf0:$g4: get_CtrlKeyDown 0x2fd00:$g5: get_ShiftKeyDown 0x2fd11:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30106:$a13: get_DnsResolver 0x2e813:$a20: get_LastAccessed 0x30b34:$a27: set_InternalServerPort 0x30e69:$a30: set_GuidMasterKey 0x2e925:$a33: get_Clipboard 0x2e933:$a34: get_Keyboard 0x2fd00:$a35: get_ShiftKeyDown 0x2fd11:$a36: get_AltKeyDown 0x2e940:$a37: get_Password 0x2f45b:$a38: get_PasswordHash 0x30568:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe