Edit tour

Windows Analysis Report
SHIPMENT DOCUMENTS.exe

Overview

General Information

Sample Name:	SHIPMENT DOCUMENTS.exe
Analysis ID:	756110
MD5:	12dc06d3034a17be7a70a4aa45edce8d
SHA1:	9b68ae25498a12f19360dc0dc023af61ca9bfa9d
SHA256:	91826efe412b5c829801d1c52fbb43225cf1f0fc4cba201453ad877341c64b90
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

SHIPMENT DOCUMENTS.exe (PID: 3192 cmdline: C:\Users\user\Desktop\SHIPMENT DOCUMENTS.exe MD5: 12DC06D3034A17BE7A70A4AA45EDCE8D)

schtasks.exe (PID: 5900 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cnWCiicEpxW" /XML "C:\Users\user\AppData\Local\Temp\tmp2A80.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

SHIPMENT DOCUMENTS.exe (PID: 3244 cmdline: {path} MD5: 12DC06D3034A17BE7A70A4AA45EDCE8D)

cnWCiicEpxW.exe (PID: 4444 cmdline: C:\Users\user\AppData\Roaming\cnWCiicEpxW.exe MD5: 12DC06D3034A17BE7A70A4AA45EDCE8D)

schtasks.exe (PID: 5740 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cnWCiicEpxW" /XML "C:\Users\user\AppData\Local\Temp\tmpC7C9.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cnWCiicEpxW.exe (PID: 3132 cmdline: {path} MD5: 12DC06D3034A17BE7A70A4AA45EDCE8D)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.southernboilers.org", "Username": "info@southernboilers.org", "Password": "Sksmoke2018#"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000000.301553016.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000000.301553016.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000014.00000000.301553016.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31ccf:$a13: get_DnsResolver 0x303d4:$a20: get_LastAccessed 0x326dc:$a27: set_InternalServerPort 0x32a11:$a30: set_GuidMasterKey 0x304e6:$a33: get_Clipboard 0x304f4:$a34: get_Keyboard 0x318ba:$a35: get_ShiftKeyDown 0x318cb:$a36: get_AltKeyDown 0x30501:$a37: get_Password 0x31015:$a38: get_PasswordHash 0x32110:$a39: get_DefaultCredentials
0000001B.00000002.528419495.0000000003164000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.525674867.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.522417697.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.309368123.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.309368123.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.309368123.0000000003DCC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1bda07:$a13: get_DnsResolver 0x1bc10c:$a20: get_LastAccessed 0x1be414:$a27: set_InternalServerPort 0x1be749:$a30: set_GuidMasterKey 0x1bc21e:$a33: get_Clipboard 0x1bc22c:$a34: get_Keyboard 0x1bd5f2:$a35: get_ShiftKeyDown 0x1bd603:$a36: get_AltKeyDown 0x1bc239:$a37: get_Password 0x1bcd4d:$a38: get_PasswordHash 0x1bde48:$a39: get_DefaultCredentials
00000000.00000002.308207563.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.308207563.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.308207563.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xfa46f:$a13: get_DnsResolver 0xf8b74:$a20: get_LastAccessed 0xfae7c:$a27: set_InternalServerPort 0xfb1b1:$a30: set_GuidMasterKey 0xf8c86:$a33: get_Clipboard 0xf8c94:$a34: get_Keyboard 0xfa05a:$a35: get_ShiftKeyDown 0xfa06b:$a36: get_AltKeyDown 0xf8ca1:$a37: get_Password 0xf97b5:$a38: get_PasswordHash 0xfa8b0:$a39: get_DefaultCredentials
00000014.00000002.524431731.0000000002F44000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SHIPMENT DOCUMENTS.exe PID: 3192	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SHIPMENT DOCUMENTS.exe PID: 3192	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SHIPMENT DOCUMENTS.exe PID: 3192	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x29327:$a13: get_DnsResolver 0x1065aa:$a13: get_DnsResolver 0x280ee:$a20: get_LastAccessed 0x104f12:$a20: get_LastAccessed 0x29ab8:$a27: set_InternalServerPort 0x106f66:$a27: set_InternalServerPort 0x29c8c:$a30: set_GuidMasterKey 0x1071cd:$a30: set_GuidMasterKey 0x281db:$a33: get_Clipboard 0x10500d:$a33: get_Clipboard 0x281e9:$a34: get_Keyboard 0x10501b:$a34: get_Keyboard 0x29060:$a35: get_ShiftKeyDown 0x106231:$a35: get_ShiftKeyDown 0x29071:$a36: get_AltKeyDown 0x106242:$a36: get_AltKeyDown 0x281f6:$a37: get_Password 0x105028:$a37: get_Password 0x289c7:$a38: get_PasswordHash 0x105a95:$a38: get_PasswordHash 0x29643:$a39: get_DefaultCredentials
Process Memory Space: SHIPMENT DOCUMENTS.exe PID: 3244	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SHIPMENT DOCUMENTS.exe PID: 3244	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SHIPMENT DOCUMENTS.exe PID: 3244	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x54c40:$a13: get_DnsResolver 0x535a8:$a20: get_LastAccessed 0x555fc:$a27: set_InternalServerPort 0x55863:$a30: set_GuidMasterKey 0x536a3:$a33: get_Clipboard 0x536b1:$a34: get_Keyboard 0x548c7:$a35: get_ShiftKeyDown 0x548d8:$a36: get_AltKeyDown 0x536be:$a37: get_Password 0x5412b:$a38: get_PasswordHash 0x55055:$a39: get_DefaultCredentials
Process Memory Space: cnWCiicEpxW.exe PID: 3132	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: cnWCiicEpxW.exe PID: 3132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
20.0.SHIPMENT DOCUMENTS.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
20.0.SHIPMENT DOCUMENTS.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
20.0.SHIPMENT DOCUMENTS.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x349c0:$s10: logins 0x34440:$s11: credential 0x306e6:$g1: get_Clipboard 0x306f4:$g2: get_Keyboard 0x30701:$g3: get_Password 0x31aaa:$g4: get_CtrlKeyDown 0x31aba:$g5: get_ShiftKeyDown 0x31acb:$g6: get_AltKeyDown
20.0.SHIPMENT DOCUMENTS.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31ecf:$a13: get_DnsResolver 0x305d4:$a20: get_LastAccessed 0x328dc:$a27: set_InternalServerPort 0x32c11:$a30: set_GuidMasterKey 0x306e6:$a33: get_Clipboard 0x306f4:$a34: get_Keyboard 0x31aba:$a35: get_ShiftKeyDown 0x31acb:$a36: get_AltKeyDown 0x30701:$a37: get_Password 0x31215:$a38: get_PasswordHash 0x32310:$a39: get_DefaultCredentials
0.2.SHIPMENT DOCUMENTS.exe.3d715a0.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SHIPMENT DOCUMENTS.exe.3d715a0.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SHIPMENT DOCUMENTS.exe.3d715a0.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32bc0:$s10: logins 0x32640:$s11: credential 0x2e8e6:$g1: get_Clipboard 0x2e8f4:$g2: get_Keyboard 0x2e901:$g3: get_Password 0x2fcaa:$g4: get_CtrlKeyDown 0x2fcba:$g5: get_ShiftKeyDown 0x2fccb:$g6: get_AltKeyDown
0.2.SHIPMENT DOCUMENTS.exe.3d715a0.1.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x300cf:$a13: get_DnsResolver 0x2e7d4:$a20: get_LastAccessed 0x30adc:$a27: set_InternalServerPort 0x30e11:$a30: set_GuidMasterKey 0x2e8e6:$a33: get_Clipboard 0x2e8f4:$a34: get_Keyboard 0x2fcba:$a35: get_ShiftKeyDown 0x2fccb:$a36: get_AltKeyDown 0x2e901:$a37: get_Password 0x2f415:$a38: get_PasswordHash 0x30510:$a39: get_DefaultCredentials
21.2.cnWCiicEpxW.exe.2c8ba40.0.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x29eb8:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x29efc:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x29f44:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2a1d0:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0x2a234:$s2: Set-MpPreference -DisableArchiveScanning $true 0x2a28c:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x2a2e4:$s4: Set-MpPreference -DisableScriptScanning $true 0x2a330:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x2a370:$s6: Set-MpPreference -MAPSReporting 0 0x2a3bc:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x2a414:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x2a464:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x2a4b4:$s10: Set-MpPreference -SevereThreatDefaultAction 6
0.2.SHIPMENT DOCUMENTS.exe.2dbba3c.0.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x29eb8:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x29efc:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x29f44:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2a1d0:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true 0x2a234:$s2: Set-MpPreference -DisableArchiveScanning $true 0x2a28c:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x2a2e4:$s4: Set-MpPreference -DisableScriptScanning $true 0x2a330:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x2a370:$s6: Set-MpPreference -MAPSReporting 0 0x2a3bc:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x2a414:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x2a464:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x2a4b4:$s10: Set-MpPreference -SevereThreatDefaultAction 6
0.2.SHIPMENT DOCUMENTS.exe.3d715a0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SHIPMENT DOCUMENTS.exe.3d715a0.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SHIPMENT DOCUMENTS.exe.3d715a0.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x349c0:$s10: logins 0x34440:$s11: credential 0x306e6:$g1: get_Clipboard 0x306f4:$g2: get_Keyboard 0x30701:$g3: get_Password 0x31aaa:$g4: get_CtrlKeyDown 0x31aba:$g5: get_ShiftKeyDown 0x31acb:$g6: get_AltKeyDown
0.2.SHIPMENT DOCUMENTS.exe.3d715a0.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31ecf:$a13: get_DnsResolver 0x305d4:$a20: get_LastAccessed 0x328dc:$a27: set_InternalServerPort 0x32c11:$a30: set_GuidMasterKey 0x306e6:$a33: get_Clipboard 0x306f4:$a34: get_Keyboard 0x31aba:$a35: get_ShiftKeyDown 0x31acb:$a36: get_AltKeyDown 0x30701:$a37: get_Password 0x31215:$a38: get_PasswordHash 0x32310:$a39: get_DefaultCredentials
0.2.SHIPMENT DOCUMENTS.exe.3ea28e8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SHIPMENT DOCUMENTS.exe.3ea28e8.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SHIPMENT DOCUMENTS.exe.3ea28e8.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0xe63cf:$s2: GetPrivateProfileString 0xe5c6b:$s3: get_OSFullName 0xe6465:$s4: get_PasswordHash 0x15c781:$s5: remove_Key 0xe7b48:$s6: FtpWebRequest 0xe9c10:$s7: logins
0.2.SHIPMENT DOCUMENTS.exe.3ea28e8.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xe9c10:$s10: logins 0xe9690:$s11: credential 0xe5936:$g1: get_Clipboard 0xe5944:$g2: get_Keyboard 0xe5951:$g3: get_Password 0xe6cfa:$g4: get_CtrlKeyDown 0xe6d0a:$g5: get_ShiftKeyDown 0xe6d1b:$g6: get_AltKeyDown
0.2.SHIPMENT DOCUMENTS.exe.3ea28e8.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x160c07:$s1: file:/// 0x160b17:$s2: {11111-22222-10009-11112} 0x160b97:$s3: {11111-22222-50001-00000} 0x7ca34:$s4: get_Module 0x15fc32:$s4: get_Module 0xe5f0c:$s5: Reverse 0x160098:$s5: Reverse 0x7cafe:$s6: BlockCopy 0xe7f14:$s6: BlockCopy 0x7ca93:$s7: ReadByte 0xe619b:$s7: ReadByte 0x160c19:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SHIPMENT DOCUMENTS.exe.3ea28e8.2.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xe711f:$a13: get_DnsResolver 0xe5824:$a20: get_LastAccessed 0xe7b2c:$a27: set_InternalServerPort 0xe7e61:$a30: set_GuidMasterKey 0xe5936:$a33: get_Clipboard 0xe5944:$a34: get_Keyboard 0xe6d0a:$a35: get_ShiftKeyDown 0xe6d1b:$a36: get_AltKeyDown 0xe5951:$a37: get_Password 0xe6465:$a38: get_PasswordHash 0xe7560:$a39: get_DefaultCredentials
Click to see the 15 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cnWCiicEpxW" /XML "C:\Users\user\AppData\Local\Temp\tmp2A80.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cnWCiicEpxW" /XML "C:\Users\user\AppData\Local\Temp\tmp2A80.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SHIPMENT DOCUMENTS.exe, ParentImage: C:\Users\user\Desktop\SHIPMENT DOCUMENTS.exe, ParentProcessId: 3192, ParentProcessName: SHIPMENT DOCUMENTS.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cnWCiicEpxW" /XML "C:\Users\user\AppData\Local\Temp\tmp2A80.tmp, ProcessId: 5900, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SHIPMENT DOCUMENTS.exe	Virustotal: Detection: 36%			Perma Link
Source: SHIPMENT DOCUMENTS.exe	ReversingLabs: Detection: 32%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\cnWCiicEpxW.exe

ReversingLabs: Detection: 32%

Machine Learning detection for sample

Source: SHIPMENT DOCUMENTS.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\cnWCiicEpxW.exe

Joe Sandbox ML: detected

Source: 20.0.SHIPMENT DOCUMENTS.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 20.0.SHIPMENT DOCUMENTS.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.southernboilers.org", "Username": "info@southernboilers.org", "Password": "Sksmoke2018#"}

Source: SHIPMENT DOCUMENTS.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 52.20.78.240:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.6:49738 version: TLS 1.2

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SHIPMENT DOCUMENTS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SHIPMENT DOCUMENTS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Windows Analysis Report
SHIPMENT DOCUMENTS.exe