RFQ_99705546,99805546_Mark Cansick.exe

Status: finished
Submission Time: 2021-09-28 10:28:39 +02:00
Malicious
Trojan
Spyware
Evader
AgentTesla

Comments

Tags

  • AgentTesla
  • exe

Details

  • Analysis ID:
    492068
  • API (Web) ID:
    859641
  • Analysis Started:
    2021-09-28 10:28:41 +02:00
  • Analysis Finished:
    2021-09-28 10:42:13 +02:00
  • MD5:
    724bce9be00d521c9ae6075d50434b11
  • SHA1:
    a95a26499d30f48ca0b23e17b7273b1e6b92f8ac
  • SHA256:
    94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990
  • Technologies:

Joe Sandbox

Detection: malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Detection: malicious
Score: 16/67

IPs

  • 208.91.198.143
    Country: United States

Domains

  • smtp.regalbelloit.com
    IP: 0.0.0.0
  • us2.smtp.mailhostbox.com
    IP: 208.91.198.143

URLs

  • http://127.0.0.1:HTTP/1.1
  • http://DynDns.comDynDNS
  • http://POrzfIODYEW.org
  • http://POrzfIODYEW.o
  • http://PFjgsH.com
  • http://us2.smtp.mailhostbox.com
  • https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
  • http://schemas.microsoft.
  • https://api.ipify.org%GETMozilla/5.0
  • http://smtp.regalbelloit.com
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
  • https://api.ipify.org%$

Dropped files

  • C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ_99705546,99805546_Mark Cansick.exe.log
    File type: ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\tmp1646.tmp
    File type: XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\sucEaYWuNda.exe
    File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Roaming\sucEaYWuNda.exe:Zone.Identifier
    File type: ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    File type: data
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qcf5x51b.wqi.ps1
    File type: very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzii5gj3.las.psm1
    File type: very short file (no magic)
  • C:\Users\user\AppData\Roaming\oxafn20f.vrf\Chrome\Default\Cookies
    File type: SQLite 3.x database, last written using SQLite version 3032001
  • C:\Users\user\Documents\20210928\PowerShell_transcript.226533.4aAYYda1.20210928102945.txt
    File type: UTF-8 Unicode (with BOM) text, with CRLF line terminators