Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Analysis ID:	756011
MD5:	277a9cd8ef361888eb41a6b7d0d94e26
SHA1:	9b703e613307793cd9f0309eb458d5f12f8400dd
SHA256:	8cdfbe67b609226da852adf3db3098941cffda7cea7443b935e1eed5fdae0bf3
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe (PID: 4356 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe MD5: 277A9CD8EF361888EB41A6B7D0D94E26)

SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe (PID: 4596 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe MD5: 277A9CD8EF361888EB41A6B7D0D94E26)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail2.bpk-spb.ru", "Username": "grafkina.gg@sasta.ru", "Password": "SGZ3574344"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31cfe:$a13: get_DnsResolver 0x303f3:$a20: get_LastAccessed 0x3272c:$a27: set_InternalServerPort 0x32a61:$a30: set_GuidMasterKey 0x30505:$a33: get_Clipboard 0x30513:$a34: get_Keyboard 0x318f8:$a35: get_ShiftKeyDown 0x31909:$a36: get_AltKeyDown 0x30520:$a37: get_Password 0x31053:$a38: get_PasswordHash 0x32160:$a39: get_DefaultCredentials
00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x14f81e:$a13: get_DnsResolver 0x18603e:$a13: get_DnsResolver 0x1bc65e:$a13: get_DnsResolver 0x14df13:$a20: get_LastAccessed 0x184733:$a20: get_LastAccessed 0x1bad53:$a20: get_LastAccessed 0x15024c:$a27: set_InternalServerPort 0x186a6c:$a27: set_InternalServerPort 0x1bd08c:$a27: set_InternalServerPort 0x150581:$a30: set_GuidMasterKey 0x186da1:$a30: set_GuidMasterKey 0x1bd3c1:$a30: set_GuidMasterKey 0x14e025:$a33: get_Clipboard 0x184845:$a33: get_Clipboard 0x1bae65:$a33: get_Clipboard 0x14e033:$a34: get_Keyboard 0x184853:$a34: get_Keyboard 0x1bae73:$a34: get_Keyboard 0x14f418:$a35: get_ShiftKeyDown 0x185c38:$a35: get_ShiftKeyDown 0x1bc258:$a35: get_ShiftKeyDown
00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x8a6fa:$a13: get_DnsResolver 0x896cd:$a20: get_LastAccessed 0x8ad9c:$a27: set_InternalServerPort 0x8af83:$a30: set_GuidMasterKey 0x897b3:$a33: get_Clipboard 0x897c1:$a34: get_Keyboard 0x8a477:$a35: get_ShiftKeyDown 0x8a488:$a36: get_AltKeyDown 0x897ce:$a37: get_Password 0x89efd:$a38: get_PasswordHash 0x8a9ba:$a39: get_DefaultCredentials
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x55c8d:$a13: get_DnsResolver 0x545e2:$a20: get_LastAccessed 0x5666a:$a27: set_InternalServerPort 0x568d1:$a30: set_GuidMasterKey 0x546dd:$a33: get_Clipboard 0x546eb:$a34: get_Keyboard 0x55923:$a35: get_ShiftKeyDown 0x55934:$a36: get_AltKeyDown 0x546f8:$a37: get_Password 0x55187:$a38: get_PasswordHash 0x560c3:$a39: get_DefaultCredentials
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd16e:$v1: SbieDll.dll 0xd188:$v2: USER 0xd194:$v3: SANDBOX 0xd1a6:$v4: VIRUS 0xd1f6:$v4: VIRUS 0xd1b4:$v5: MALWARE 0xd1c6:$v6: SCHMIDTI 0xd1da:$v7: CURRENTUSER
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a40:$s10: logins 0x344ba:$s11: credential 0x30705:$g1: get_Clipboard 0x30713:$g2: get_Keyboard 0x30720:$g3: get_Password 0x31ae8:$g4: get_CtrlKeyDown 0x31af8:$g5: get_ShiftKeyDown 0x31b09:$g6: get_AltKeyDown
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31efe:$a13: get_DnsResolver 0x305f3:$a20: get_LastAccessed 0x3292c:$a27: set_InternalServerPort 0x32c61:$a30: set_GuidMasterKey 0x30705:$a33: get_Clipboard 0x30713:$a34: get_Keyboard 0x31af8:$a35: get_ShiftKeyDown 0x31b09:$a36: get_AltKeyDown 0x30720:$a37: get_Password 0x31253:$a38: get_PasswordHash 0x32360:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c40:$s10: logins 0x326ba:$s11: credential 0x2e905:$g1: get_Clipboard 0x2e913:$g2: get_Keyboard 0x2e920:$g3: get_Password 0x2fce8:$g4: get_CtrlKeyDown 0x2fcf8:$g5: get_ShiftKeyDown 0x2fd09:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x300fe:$a13: get_DnsResolver 0x2e7f3:$a20: get_LastAccessed 0x30b2c:$a27: set_InternalServerPort 0x30e61:$a30: set_GuidMasterKey 0x2e905:$a33: get_Clipboard 0x2e913:$a34: get_Keyboard 0x2fcf8:$a35: get_ShiftKeyDown 0x2fd09:$a36: get_AltKeyDown 0x2e920:$a37: get_Password 0x2f453:$a38: get_PasswordHash 0x30560:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a93e:$v1: SbieDll.dll 0x2a958:$v2: USER 0x2a964:$v3: SANDBOX 0x2a976:$v4: VIRUS 0x2a9c6:$v4: VIRUS 0x2a984:$v5: MALWARE 0x2a996:$v6: SCHMIDTI 0x2a9aa:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a40:$s10: logins 0x6b260:$s10: logins 0xa1880:$s10: logins 0x344ba:$s11: credential 0x6acda:$s11: credential 0xa12fa:$s11: credential 0x30705:$g1: get_Clipboard 0x66f25:$g1: get_Clipboard 0x9d545:$g1: get_Clipboard 0x30713:$g2: get_Keyboard 0x66f33:$g2: get_Keyboard 0x9d553:$g2: get_Keyboard 0x30720:$g3: get_Password 0x66f40:$g3: get_Password 0x9d560:$g3: get_Password 0x31ae8:$g4: get_CtrlKeyDown 0x68308:$g4: get_CtrlKeyDown 0x9e928:$g4: get_CtrlKeyDown 0x31af8:$g5: get_ShiftKeyDown 0x68318:$g5: get_ShiftKeyDown 0x9e938:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31efe:$a13: get_DnsResolver 0x6871e:$a13: get_DnsResolver 0x9ed3e:$a13: get_DnsResolver 0x305f3:$a20: get_LastAccessed 0x66e13:$a20: get_LastAccessed 0x9d433:$a20: get_LastAccessed 0x3292c:$a27: set_InternalServerPort 0x6914c:$a27: set_InternalServerPort 0x9f76c:$a27: set_InternalServerPort 0x32c61:$a30: set_GuidMasterKey 0x69481:$a30: set_GuidMasterKey 0x9faa1:$a30: set_GuidMasterKey 0x30705:$a33: get_Clipboard 0x66f25:$a33: get_Clipboard 0x9d545:$a33: get_Clipboard 0x30713:$a34: get_Keyboard 0x66f33:$a34: get_Keyboard 0x9d553:$a34: get_Keyboard 0x31af8:$a35: get_ShiftKeyDown 0x68318:$a35: get_ShiftKeyDown 0x9e938:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xcba60:$s10: logins 0x102280:$s10: logins 0x1388a0:$s10: logins 0xcb4da:$s11: credential 0x101cfa:$s11: credential 0x13831a:$s11: credential 0xc7725:$g1: get_Clipboard 0xfdf45:$g1: get_Clipboard 0x134565:$g1: get_Clipboard 0xc7733:$g2: get_Keyboard 0xfdf53:$g2: get_Keyboard 0x134573:$g2: get_Keyboard 0xc7740:$g3: get_Password 0xfdf60:$g3: get_Password 0x134580:$g3: get_Password 0xc8b08:$g4: get_CtrlKeyDown 0xff328:$g4: get_CtrlKeyDown 0x135948:$g4: get_CtrlKeyDown 0xc8b18:$g5: get_ShiftKeyDown 0xff338:$g5: get_ShiftKeyDown 0x135958:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x3501f:$s1: file:/// 0x34f2f:$s2: {11111-22222-10009-11112} 0x34faf:$s3: {11111-22222-50001-00000} 0x341d9:$s4: get_Module 0x34554:$s5: Reverse 0xc7cee:$s5: Reverse 0xfe50e:$s5: Reverse 0x134b2e:$s5: Reverse 0x2f62d:$s6: BlockCopy 0xc9d34:$s6: BlockCopy 0x100554:$s6: BlockCopy 0x136b74:$s6: BlockCopy 0xc7fac:$s7: ReadByte 0xfe7cc:$s7: ReadByte 0x134dec:$s7: ReadByte 0x35031:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xc8f1e:$a13: get_DnsResolver 0xff73e:$a13: get_DnsResolver 0x135d5e:$a13: get_DnsResolver 0xc7613:$a20: get_LastAccessed 0xfde33:$a20: get_LastAccessed 0x134453:$a20: get_LastAccessed 0xc994c:$a27: set_InternalServerPort 0x10016c:$a27: set_InternalServerPort 0x13678c:$a27: set_InternalServerPort 0xc9c81:$a30: set_GuidMasterKey 0x1004a1:$a30: set_GuidMasterKey 0x136ac1:$a30: set_GuidMasterKey 0xc7725:$a33: get_Clipboard 0xfdf45:$a33: get_Clipboard 0x134565:$a33: get_Clipboard 0xc7733:$a34: get_Keyboard 0xfdf53:$a34: get_Keyboard 0x134573:$a34: get_Keyboard 0xc8b18:$a35: get_ShiftKeyDown 0xff338:$a35: get_ShiftKeyDown 0x135958:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x151850:$s10: logins 0x188070:$s10: logins 0x1be690:$s10: logins 0x1512ca:$s11: credential 0x187aea:$s11: credential 0x1be10a:$s11: credential 0x14d515:$g1: get_Clipboard 0x183d35:$g1: get_Clipboard 0x1ba355:$g1: get_Clipboard 0x14d523:$g2: get_Keyboard 0x183d43:$g2: get_Keyboard 0x1ba363:$g2: get_Keyboard 0x14d530:$g3: get_Password 0x183d50:$g3: get_Password 0x1ba370:$g3: get_Password 0x14e8f8:$g4: get_CtrlKeyDown 0x185118:$g4: get_CtrlKeyDown 0x1bb738:$g4: get_CtrlKeyDown 0x14e908:$g5: get_ShiftKeyDown 0x185128:$g5: get_ShiftKeyDown 0x1bb748:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xbae0f:$s1: file:/// 0xbad1f:$s2: {11111-22222-10009-11112} 0xbad9f:$s3: {11111-22222-50001-00000} 0xb9fc9:$s4: get_Module 0xba344:$s5: Reverse 0x14dade:$s5: Reverse 0x1842fe:$s5: Reverse 0x1ba91e:$s5: Reverse 0xb541d:$s6: BlockCopy 0x14fb24:$s6: BlockCopy 0x186344:$s6: BlockCopy 0x1bc964:$s6: BlockCopy 0x14dd9c:$s7: ReadByte 0x1845bc:$s7: ReadByte 0x1babdc:$s7: ReadByte 0xbae21:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x14ed0e:$a13: get_DnsResolver 0x18552e:$a13: get_DnsResolver 0x1bbb4e:$a13: get_DnsResolver 0x14d403:$a20: get_LastAccessed 0x183c23:$a20: get_LastAccessed 0x1ba243:$a20: get_LastAccessed 0x14f73c:$a27: set_InternalServerPort 0x185f5c:$a27: set_InternalServerPort 0x1bc57c:$a27: set_InternalServerPort 0x14fa71:$a30: set_GuidMasterKey 0x186291:$a30: set_GuidMasterKey 0x1bc8b1:$a30: set_GuidMasterKey 0x14d515:$a33: get_Clipboard 0x183d35:$a33: get_Clipboard 0x1ba355:$a33: get_Clipboard 0x14d523:$a34: get_Keyboard 0x183d43:$a34: get_Keyboard 0x1ba363:$a34: get_Keyboard 0x14e908:$a35: get_ShiftKeyDown 0x185128:$a35: get_ShiftKeyDown 0x1bb748:$a35: get_ShiftKeyDown
Click to see the 21 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Virustotal: Detection: 27%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Joe Sandbox ML: detected

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail2.bpk-spb.ru", "Username": "grafkina.gg@sasta.ru", "Password": "SGZ3574344"}

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.5:49702 -> 78.140.195.54:587

Source: global traffic

TCP traffic: 192.168.2.5:49702 -> 78.140.195.54:587

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385128719.0000000001504000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573185738.000000000150C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe