Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Analysis ID:	756005
MD5:	d55d9c72b27c17af9a53847bec4dad00
SHA1:	dbfa157d95af9d351b7051802e5e80a0a78daa05
SHA256:	36143d6674053884d6bf2ce1e5bc8dd6f31b9d6b4d2fae272e37ac5649d00520
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected AntiVM3

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Machine Learning detection for sample

Yara detected Generic Downloader

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe (PID: 5996 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe MD5: D55D9C72B27C17AF9A53847BEC4DAD00)

SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe (PID: 3096 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe MD5: D55D9C72B27C17AF9A53847BEC4DAD00)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendDocumentsendMessage?chat_id=document"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31109:$a3: MailAccountConfiguration 0x31122:$a5: SmtpAccountConfiguration 0x310e9:$a8: set_BindingAccountConfiguration 0x30057:$a11: get_securityProfile 0x2fef8:$a12: get_useSeparateFolderTree 0x3184c:$a13: get_DnsResolver 0x30307:$a14: get_archivingScope 0x3012f:$a15: get_providerName 0x32837:$a17: get_priority 0x31e0b:$a18: get_advancedParameters 0x31223:$a19: get_disabledByRestriction 0x2fcce:$a20: get_LastAccessed 0x303a1:$a21: get_avatarType 0x31f22:$a22: get_signaturePresets 0x309c8:$a23: get_enableLog 0x301ac:$a26: set_accountName 0x3236d:$a27: set_InternalServerPort 0x2f63d:$a28: set_bindingConfigurationUID 0x31ee8:$a29: set_IdnAddress 0x326eb:$a30: set_GuidMasterKey 0x30207:$a31: set_username
00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x3dd4:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
00000000.00000002.364684955.000000000300C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x143a89:$a3: MailAccountConfiguration 0x179ca9:$a3: MailAccountConfiguration 0x1afcc9:$a3: MailAccountConfiguration 0x143aa2:$a5: SmtpAccountConfiguration 0x179cc2:$a5: SmtpAccountConfiguration 0x1afce2:$a5: SmtpAccountConfiguration 0x143a69:$a8: set_BindingAccountConfiguration 0x179c89:$a8: set_BindingAccountConfiguration 0x1afca9:$a8: set_BindingAccountConfiguration 0x1429d7:$a11: get_securityProfile 0x178bf7:$a11: get_securityProfile 0x1aec17:$a11: get_securityProfile 0x142878:$a12: get_useSeparateFolderTree 0x178a98:$a12: get_useSeparateFolderTree 0x1aeab8:$a12: get_useSeparateFolderTree 0x1441cc:$a13: get_DnsResolver 0x17a3ec:$a13: get_DnsResolver 0x1b040c:$a13: get_DnsResolver 0x142c87:$a14: get_archivingScope 0x178ea7:$a14: get_archivingScope 0x1aeec7:$a14: get_archivingScope
00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x116754:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x14c974:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x182994:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
00000000.00000002.361380481.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2fc84:$s10: logins 0x2fa354:$s11: credential 0x1e62:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x2430:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x297c:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1f83:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 5996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 5996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 5996	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 5996	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x22190:$a3: MailAccountConfiguration 0x221a9:$a5: SmtpAccountConfiguration 0x22170:$a8: set_BindingAccountConfiguration 0x21648:$a11: get_securityProfile 0x2156e:$a12: get_useSeparateFolderTree 0x22673:$a13: get_DnsResolver 0x21874:$a14: get_archivingScope 0x216e4:$a15: get_providerName 0x2311a:$a17: get_priority 0x22a0d:$a18: get_advancedParameters 0x2224b:$a19: get_disabledByRestriction 0x213f4:$a20: get_LastAccessed 0x21904:$a21: get_avatarType 0x22b03:$a22: get_signaturePresets 0x21d02:$a23: get_enableLog 0x21754:$a26: set_accountName 0x22e27:$a27: set_InternalServerPort 0x21256:$a28: set_bindingConfigurationUID 0x22ac9:$a29: set_IdnAddress 0x23053:$a30: set_GuidMasterKey 0x217a2:$a31: set_username
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x1a1f5:$s1: get_kbok 0x1aa75:$s2: get_CHoo 0x1b610:$s3: set_passwordIsSet 0x1a0a1:$s4: get_enableLog 0x19512:$g1: get_Clipboard 0x19520:$g2: get_Keyboard 0x1952d:$g3: get_Password 0x1a94f:$g4: get_CtrlKeyDown 0x1a95f:$g5: get_ShiftKeyDown 0x1a970:$g6: get_AltKeyDown 0x2eb29:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x30d95:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x2f0f7:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x31362:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x2f643:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x318ae:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x2ec4a:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x30eb6:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1a6b6:$a3: MailAccountConfiguration 0x1a6cf:$a5: SmtpAccountConfiguration 0x1a696:$a8: set_BindingAccountConfiguration 0x1978f:$a11: get_securityProfile 0x19633:$a12: get_useSeparateFolderTree 0x1ad54:$a13: get_DnsResolver 0x19a3b:$a14: get_archivingScope 0x19867:$a15: get_providerName 0x1bc20:$a17: get_priority 0x1b2e3:$a18: get_advancedParameters 0x1a7d0:$a19: get_disabledByRestriction 0x1943b:$a20: get_LastAccessed 0x19ad5:$a21: get_avatarType 0x1b3fa:$a22: get_signaturePresets 0x1a0a1:$a23: get_enableLog 0x198e4:$a26: set_accountName 0x1b824:$a27: set_InternalServerPort 0x1920f:$a28: set_bindingConfigurationUID 0x1b3c0:$a29: set_IdnAddress 0x1bade:$a30: set_GuidMasterKey 0x1993f:$a31: set_username
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2efc4:$s1: get_kbok 0x2f8f8:$s2: get_CHoo 0x30553:$s3: set_passwordIsSet 0x2edc8:$s4: get_enableLog 0x33519:$s8: torbrowser 0x31ef5:$s10: logins 0x317c3:$s11: credential 0x2e1bc:$g1: get_Clipboard 0x2e1ca:$g2: get_Keyboard 0x2e1d7:$g3: get_Password 0x2f7a6:$g4: get_CtrlKeyDown 0x2f7b6:$g5: get_ShiftKeyDown 0x2f7c7:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2f509:$a3: MailAccountConfiguration 0x2f522:$a5: SmtpAccountConfiguration 0x2f4e9:$a8: set_BindingAccountConfiguration 0x2e457:$a11: get_securityProfile 0x2e2f8:$a12: get_useSeparateFolderTree 0x2fc4c:$a13: get_DnsResolver 0x2e707:$a14: get_archivingScope 0x2e52f:$a15: get_providerName 0x30c37:$a17: get_priority 0x3020b:$a18: get_advancedParameters 0x2f623:$a19: get_disabledByRestriction 0x2e0ce:$a20: get_LastAccessed 0x2e7a1:$a21: get_avatarType 0x30322:$a22: get_signaturePresets 0x2edc8:$a23: get_enableLog 0x2e5ac:$a26: set_accountName 0x3076d:$a27: set_InternalServerPort 0x2da3d:$a28: set_bindingConfigurationUID 0x302e8:$a29: set_IdnAddress 0x30aeb:$a30: set_GuidMasterKey 0x2e607:$a31: set_username
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x21d4:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d5072c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d5072c.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd37a:$v1: SbieDll.dll 0xd394:$v2: USER 0xd3a0:$v3: SANDBOX 0xd3b2:$v4: VIRUS 0xd402:$v4: VIRUS 0xd3c0:$v5: MALWARE 0xd3d2:$v6: SCHMIDTI 0xd3e6:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dc4:$s1: get_kbok 0x66fe4:$s1: get_kbok 0x9d004:$s1: get_kbok 0x316f8:$s2: get_CHoo 0x67918:$s2: get_CHoo 0x9d938:$s2: get_CHoo 0x32353:$s3: set_passwordIsSet 0x68573:$s3: set_passwordIsSet 0x9e593:$s3: set_passwordIsSet 0x30bc8:$s4: get_enableLog 0x66de8:$s4: get_enableLog 0x9ce08:$s4: get_enableLog 0x35319:$s8: torbrowser 0x6b539:$s8: torbrowser 0xa1559:$s8: torbrowser 0x33cf5:$s10: logins 0x69f15:$s10: logins 0x9ff35:$s10: logins 0x335c3:$s11: credential 0x697e3:$s11: credential 0x9f803:$s11: credential
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31309:$a3: MailAccountConfiguration 0x67529:$a3: MailAccountConfiguration 0x9d549:$a3: MailAccountConfiguration 0x31322:$a5: SmtpAccountConfiguration 0x67542:$a5: SmtpAccountConfiguration 0x9d562:$a5: SmtpAccountConfiguration 0x312e9:$a8: set_BindingAccountConfiguration 0x67509:$a8: set_BindingAccountConfiguration 0x9d529:$a8: set_BindingAccountConfiguration 0x30257:$a11: get_securityProfile 0x66477:$a11: get_securityProfile 0x9c497:$a11: get_securityProfile 0x300f8:$a12: get_useSeparateFolderTree 0x66318:$a12: get_useSeparateFolderTree 0x9c338:$a12: get_useSeparateFolderTree 0x31a4c:$a13: get_DnsResolver 0x67c6c:$a13: get_DnsResolver 0x9dc8c:$a13: get_DnsResolver 0x30507:$a14: get_archivingScope 0x66727:$a14: get_archivingScope 0x9c747:$a14: get_archivingScope
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x3fd4:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x3a1f4:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x70214:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d32f5c.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d32f5c.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2ab4a:$v1: SbieDll.dll 0x2ab64:$v2: USER 0x2ab70:$v3: SANDBOX 0x2ab82:$v4: VIRUS 0x2abd2:$v4: VIRUS 0x2ab90:$v5: MALWARE 0x2aba2:$v6: SCHMIDTI 0x2abb6:$v7: CURRENTUSER
1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30dc4:$s1: get_kbok 0x316f8:$s2: get_CHoo 0x32353:$s3: set_passwordIsSet 0x30bc8:$s4: get_enableLog 0x35319:$s8: torbrowser 0x33cf5:$s10: logins 0x335c3:$s11: credential 0x2ffbc:$g1: get_Clipboard 0x2ffca:$g2: get_Keyboard 0x2ffd7:$g3: get_Password 0x315a6:$g4: get_CtrlKeyDown 0x315b6:$g5: get_ShiftKeyDown 0x315c7:$g6: get_AltKeyDown
1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31309:$a3: MailAccountConfiguration 0x31322:$a5: SmtpAccountConfiguration 0x312e9:$a8: set_BindingAccountConfiguration 0x30257:$a11: get_securityProfile 0x300f8:$a12: get_useSeparateFolderTree 0x31a4c:$a13: get_DnsResolver 0x30507:$a14: get_archivingScope 0x3032f:$a15: get_providerName 0x32a37:$a17: get_priority 0x3200b:$a18: get_advancedParameters 0x31423:$a19: get_disabledByRestriction 0x2fece:$a20: get_LastAccessed 0x305a1:$a21: get_avatarType 0x32122:$a22: get_signaturePresets 0x30bc8:$a23: get_enableLog 0x303ac:$a26: set_accountName 0x3256d:$a27: set_InternalServerPort 0x2f83d:$a28: set_bindingConfigurationUID 0x320e8:$a29: set_IdnAddress 0x328eb:$a30: set_GuidMasterKey 0x30407:$a31: set_username
1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x3fd4:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xc41e4:$s1: get_kbok 0xfa404:$s1: get_kbok 0x130424:$s1: get_kbok 0xc4b18:$s2: get_CHoo 0xfad38:$s2: get_CHoo 0x130d58:$s2: get_CHoo 0xc5773:$s3: set_passwordIsSet 0xfb993:$s3: set_passwordIsSet 0x1319b3:$s3: set_passwordIsSet 0xc3fe8:$s4: get_enableLog 0xfa208:$s4: get_enableLog 0x130228:$s4: get_enableLog 0xc8739:$s8: torbrowser 0xfe959:$s8: torbrowser 0x134979:$s8: torbrowser 0xc7115:$s10: logins 0xfd335:$s10: logins 0x133355:$s10: logins 0xc69e3:$s11: credential 0xfcc03:$s11: credential 0x132c23:$s11: credential
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x35337:$s1: file:/// 0x35247:$s2: {11111-22222-10009-11112} 0x352c7:$s3: {11111-22222-50001-00000} 0x344c9:$s4: get_Module 0x34844:$s5: Reverse 0xc3aaf:$s5: Reverse 0xf9ccf:$s5: Reverse 0x12fcef:$s5: Reverse 0x2fc50:$s6: BlockCopy 0xc5dba:$s6: BlockCopy 0xfbfda:$s6: BlockCopy 0x131ffa:$s6: BlockCopy 0xc3d50:$s7: ReadByte 0xf9f70:$s7: ReadByte 0x12ff90:$s7: ReadByte 0x35349:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xc4729:$a3: MailAccountConfiguration 0xfa949:$a3: MailAccountConfiguration 0x130969:$a3: MailAccountConfiguration 0xc4742:$a5: SmtpAccountConfiguration 0xfa962:$a5: SmtpAccountConfiguration 0x130982:$a5: SmtpAccountConfiguration 0xc4709:$a8: set_BindingAccountConfiguration 0xfa929:$a8: set_BindingAccountConfiguration 0x130949:$a8: set_BindingAccountConfiguration 0xc3677:$a11: get_securityProfile 0xf9897:$a11: get_securityProfile 0x12f8b7:$a11: get_securityProfile 0xc3518:$a12: get_useSeparateFolderTree 0xf9738:$a12: get_useSeparateFolderTree 0x12f758:$a12: get_useSeparateFolderTree 0xc4e6c:$a13: get_DnsResolver 0xfb08c:$a13: get_DnsResolver 0x1310ac:$a13: get_DnsResolver 0xc3927:$a14: get_archivingScope 0xf9b47:$a14: get_archivingScope 0x12fb67:$a14: get_archivingScope
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x973f4:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0xcd614:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x103634:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x1427bc:$s1: get_kbok 0x1789dc:$s1: get_kbok 0x1ae9fc:$s1: get_kbok 0x1430f0:$s2: get_CHoo 0x179310:$s2: get_CHoo 0x1af330:$s2: get_CHoo 0x143d4b:$s3: set_passwordIsSet 0x179f6b:$s3: set_passwordIsSet 0x1aff8b:$s3: set_passwordIsSet 0x1425c0:$s4: get_enableLog 0x1787e0:$s4: get_enableLog 0x1ae800:$s4: get_enableLog 0x146d11:$s8: torbrowser 0x17cf31:$s8: torbrowser 0x1b2f51:$s8: torbrowser 0x1456ed:$s10: logins 0x17b90d:$s10: logins 0x1b192d:$s10: logins 0x144fbb:$s11: credential 0x17b1db:$s11: credential 0x1b11fb:$s11: credential
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xb390f:$s1: file:/// 0xb381f:$s2: {11111-22222-10009-11112} 0xb389f:$s3: {11111-22222-50001-00000} 0xb2aa1:$s4: get_Module 0xb2e1c:$s5: Reverse 0x142087:$s5: Reverse 0x1782a7:$s5: Reverse 0x1ae2c7:$s5: Reverse 0xae228:$s6: BlockCopy 0x144392:$s6: BlockCopy 0x17a5b2:$s6: BlockCopy 0x1b05d2:$s6: BlockCopy 0x142328:$s7: ReadByte 0x178548:$s7: ReadByte 0x1ae568:$s7: ReadByte 0xb3921:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x142d01:$a3: MailAccountConfiguration 0x178f21:$a3: MailAccountConfiguration 0x1aef41:$a3: MailAccountConfiguration 0x142d1a:$a5: SmtpAccountConfiguration 0x178f3a:$a5: SmtpAccountConfiguration 0x1aef5a:$a5: SmtpAccountConfiguration 0x142ce1:$a8: set_BindingAccountConfiguration 0x178f01:$a8: set_BindingAccountConfiguration 0x1aef21:$a8: set_BindingAccountConfiguration 0x141c4f:$a11: get_securityProfile 0x177e6f:$a11: get_securityProfile 0x1ade8f:$a11: get_securityProfile 0x141af0:$a12: get_useSeparateFolderTree 0x177d10:$a12: get_useSeparateFolderTree 0x1add30:$a12: get_useSeparateFolderTree 0x143444:$a13: get_DnsResolver 0x179664:$a13: get_DnsResolver 0x1af684:$a13: get_DnsResolver 0x141eff:$a14: get_archivingScope 0x17811f:$a14: get_archivingScope 0x1ae13f:$a14: get_archivingScope
0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x1159cc:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x14bbec:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x181c0c:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
Click to see the 30 entries

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	192.168.2.5149.154.167.220497094432851779 11/29/22-13:52:27.896928
SID:	2851779
Source Port:	49709
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Virustotal: Detection: 27%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Joe Sandbox ML: detected

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendDocumentsendMessage?chat_id=document"}
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3096.1.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendMessage"}

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49709 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPE

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://UEYOBD.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588988783.00000000030AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.592198535.0000000006B10000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588649521.0000000003056000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dv3SXfHRU1tFUjfcDW.net
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588915905.0000000003098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000003.325953219.00000000010EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com8
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.368884338.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588915905.0000000003098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588915905.0000000003098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendDocument
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5083863399:AAH9g72QTdN88jNOd6_tBrE8gEd-FpXnfHE/sendDocumentdocument-----
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588915905.0000000003098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org4
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: api.telegram.org

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d5072c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d32f5c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 5996, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bEEE02A64u002dA051u002d4832u002d8500u002dBCB6E03153A3u007d/u003277DE882u002dD82Fu002d4CFAu002d82FDu002d8DA69792B4E8.cs

Large array initialization: .cctor: array initializer size 12005

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d5072c.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.407e780.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.2d32f5c.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3feb360.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.3f6cd88.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.357382208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 00000001.00000002.586418495.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 5996, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe PID: 3096, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_00FDC164	0_2_00FDC164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_00FDE5B0	0_2_00FDE5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_00FDE5A1	0_2_00FDE5A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CD4948	0_2_02CD4948
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CD493B	0_2_02CD493B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_07610040	0_2_07610040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_07610006	0_2_07610006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_01081970	1_2_01081970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_0108B9F0	1_2_0108B9F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_01085FDC	1_2_01085FDC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_0108EBE0	1_2_0108EBE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_01088E31	1_2_01088E31
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_01083EF8	1_2_01083EF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_02D247A0	1_2_02D247A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_02D23E58	1_2_02D23E58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_02D24710	1_2_02D24710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_02D24730	1_2_02D24730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_05F87538	1_2_05F87538
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_05F894F8	1_2_05F894F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_05F86920	1_2_05F86920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_05F86C68	1_2_05F86C68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_01080040	1_2_01080040

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.366653419.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamejMwFIuasQmBRssQfxHWfZPad.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000000.316326791.00000000006F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXanU.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.361380481.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.361380481.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.361380481.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamejMwFIuasQmBRssQfxHWfZPad.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000002.370119547.00000000073D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000000.357615147.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamejMwFIuasQmBRssQfxHWfZPad.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.585579631.00000000011CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Binary or memory string: OriginalFilenameXanU.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Virustotal: Detection: 27%

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/0

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000000.316326791.00000000006F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000000.316326791.00000000006F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000000.00000000.316326791.00000000006F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe, 00000001.00000002.588624388.0000000003051000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	String found in binary or memory: Username:-AddusertextBoxUsernameCash

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_00FDF972 pushad ; iretd	0_2_00FDF979
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CD0365 push es; retf	0_2_02CD0366
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CDA319 push esi; iretd	0_2_02CDA31A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CDA31B push esi; iretd	0_2_02CDA322
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CDA0F9 push ebp; iretd	0_2_02CDA0FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CDA188 push esi; iretd	0_2_02CDA18A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CDA18B push esi; iretd	0_2_02CDA192
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CDADEF pushad ; iretd	0_2_02CDADF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CD5478 push ecx; retf	0_2_02CD5486
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CDF401 push ecx; ret	0_2_02CDF415
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CDBAE3 push 691402CFh; iretd	0_2_02CDBAEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CD3A40 push ds; iretd	0_2_02CD3A42
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CD3A21 push ds; iretd	0_2_02CD3A22
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CD9E89 push eax; iretd	0_2_02CD9E8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CD9E90 push eax; iretd	0_2_02CD9E92
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CD9EB8 push esp; iretd	0_2_02CD9EBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 0_2_02CD9EBB push esp; iretd	0_2_02CD9EC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_0108DDF1 push FFFFFF83h; ret	1_2_0108DDF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_0108D761 pushad ; iretd	1_2_0108D75D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_0108DEDF push FFFFFF83h; ret	1_2_0108DEE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Code function: 1_2_0108D6E9 pushad ; iretd	1_2_0108D75D

Source: initial sample

Static PE information: section name: .text entropy: 7.661127653184342

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Process information set: NOOPENFILE

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe