Edit tour

Windows Analysis Report
shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Overview

General Information

Sample Name:	shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Analysis ID:	876162
MD5:	278d48d9ea2fe8350796279e5d08a72a
SHA1:	30a693e39b775de6afbd146722d07bba0e4f16bf
SHA256:	53823b0378b9a17181fef455b3625e7909e703d600b480ffccc9a1c6d4232c4a
Tags:	exe
Infos:

Detection

AgentTesla, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected zgRAT

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Binary contains a suspicious time stamp

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

shipmentReceipt(22kb).pdf__customInvoice12074408.exe (PID: 6492 cmdline: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe MD5: 278D48D9EA2FE8350796279E5D08A72A)

shipmentReceipt(22kb).pdf__customInvoice12074408.exe (PID: 6684 cmdline: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe MD5: 278D48D9EA2FE8350796279E5D08A72A)

shipmentReceipt(22kb).pdf__customInvoice12074408.exe (PID: 6672 cmdline: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe MD5: 278D48D9EA2FE8350796279E5D08A72A)

shipmentReceipt(22kb).pdf__customInvoice12074408.exe (PID: 6764 cmdline: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe MD5: 278D48D9EA2FE8350796279E5D08A72A)

kmk.exe (PID: 2400 cmdline: "C:\Users\user\AppData\Roaming\kmk\kmk.exe" MD5: 278D48D9EA2FE8350796279E5D08A72A)

kmk.exe (PID: 4588 cmdline: C:\Users\user\AppData\Roaming\kmk\kmk.exe MD5: 278D48D9EA2FE8350796279E5D08A72A)

kmk.exe (PID: 3276 cmdline: "C:\Users\user\AppData\Roaming\kmk\kmk.exe" MD5: 278D48D9EA2FE8350796279E5D08A72A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/ https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT		No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentsendMessage?chat_id=document"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.799586620.0000000000430000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1696:$a11: get_securityProfile 0x1537:$a12: get_useSeparateFolderTree 0x1946:$a14: get_archivingScope 0x176e:$a15: get_providerName 0x12fd:$a20: get_LastAccessed 0x19e0:$a21: get_avatarType 0x17eb:$a26: set_accountName 0xc94:$a28: set_bindingConfigurationUID 0x1846:$a31: set_username 0x13e8:$a33: get_Clipboard 0x13f6:$a34: get_Keyboard 0x1403:$a37: get_Password
00000005.00000002.804401224.0000000003012000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.804401224.0000000003012000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x314ed:$a3: MailAccountConfiguration 0x31506:$a5: SmtpAccountConfiguration 0x314cd:$a8: set_BindingAccountConfiguration 0x3043e:$a11: get_securityProfile 0x302df:$a12: get_useSeparateFolderTree 0x31c30:$a13: get_DnsResolver 0x306ee:$a14: get_archivingScope 0x30516:$a15: get_providerName 0x32c1b:$a17: get_priority 0x321ef:$a18: get_advancedParameters 0x31607:$a19: get_disabledByRestriction 0x300a5:$a20: get_LastAccessed 0x30788:$a21: get_avatarType 0x32306:$a22: get_signaturePresets 0x30dac:$a23: get_enableLog 0x30593:$a26: set_accountName 0x32751:$a27: set_InternalServerPort 0x2fa3c:$a28: set_bindingConfigurationUID 0x322cc:$a29: set_IdnAddress 0x32acf:$a30: set_GuidMasterKey 0x305ee:$a31: set_username
00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6aa45:$a3: MailAccountConfiguration 0xa0265:$a3: MailAccountConfiguration 0x6aa5e:$a5: SmtpAccountConfiguration 0xa027e:$a5: SmtpAccountConfiguration 0x6aa25:$a8: set_BindingAccountConfiguration 0xa0245:$a8: set_BindingAccountConfiguration 0x69996:$a11: get_securityProfile 0x9f1b6:$a11: get_securityProfile 0x69837:$a12: get_useSeparateFolderTree 0x9f057:$a12: get_useSeparateFolderTree 0x6b188:$a13: get_DnsResolver 0xa09a8:$a13: get_DnsResolver 0x69c46:$a14: get_archivingScope 0x9f466:$a14: get_archivingScope 0x69a6e:$a15: get_providerName 0x9f28e:$a15: get_providerName 0x6c173:$a17: get_priority 0xa1993:$a17: get_priority 0x6b747:$a18: get_advancedParameters 0xa0f67:$a18: get_advancedParameters 0x6ab5f:$a19: get_disabledByRestriction
00000007.00000002.799586439.0000000000432000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x745:$a3: MailAccountConfiguration 0x75e:$a5: SmtpAccountConfiguration 0x725:$a8: set_BindingAccountConfiguration 0xe88:$a13: get_DnsResolver 0x85f:$a19: get_disabledByRestriction 0x4:$a23: get_enableLog 0x66b:$a32: set_version 0x9f2:$a35: get_ShiftKeyDown 0xa03:$a36: get_AltKeyDown 0x55:$a38: get_PasswordHash
00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6a8ad:$a3: MailAccountConfiguration 0xa00cd:$a3: MailAccountConfiguration 0x6a8c6:$a5: SmtpAccountConfiguration 0xa00e6:$a5: SmtpAccountConfiguration 0x6a88d:$a8: set_BindingAccountConfiguration 0xa00ad:$a8: set_BindingAccountConfiguration 0x697fe:$a11: get_securityProfile 0x9f01e:$a11: get_securityProfile 0x6969f:$a12: get_useSeparateFolderTree 0x9eebf:$a12: get_useSeparateFolderTree 0x6aff0:$a13: get_DnsResolver 0xa0810:$a13: get_DnsResolver 0x69aae:$a14: get_archivingScope 0x9f2ce:$a14: get_archivingScope 0x698d6:$a15: get_providerName 0x9f0f6:$a15: get_providerName 0x6bfdb:$a17: get_priority 0xa17fb:$a17: get_priority 0x6b5af:$a18: get_advancedParameters 0xa0dcf:$a18: get_advancedParameters 0x6a9c7:$a19: get_disabledByRestriction
00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x21b4:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x26bf:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x2c0b:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x22d5:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x20ac:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x25b7:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x2b03:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x21cd:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6492	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6492	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xba80d:$a3: MailAccountConfiguration 0xe8e95:$a3: MailAccountConfiguration 0xba826:$a5: SmtpAccountConfiguration 0xe8eae:$a5: SmtpAccountConfiguration 0xba7ed:$a8: set_BindingAccountConfiguration 0xe8e75:$a8: set_BindingAccountConfiguration 0xb98e9:$a11: get_securityProfile 0xe7f71:$a11: get_securityProfile 0xb978d:$a12: get_useSeparateFolderTree 0xe7e15:$a12: get_useSeparateFolderTree 0xbaeab:$a13: get_DnsResolver 0xe9533:$a13: get_DnsResolver 0xb9b95:$a14: get_archivingScope 0xe821d:$a14: get_archivingScope 0xb99c1:$a15: get_providerName 0xe8049:$a15: get_providerName 0xbbd77:$a17: get_priority 0xea3ff:$a17: get_priority 0xbb43a:$a18: get_advancedParameters 0xe9ac2:$a18: get_advancedParameters 0xba927:$a19: get_disabledByRestriction
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x619f:$s3: set_passwordIsSet 0x7bd3:$g1: get_Clipboard 0x7be1:$g2: get_Keyboard 0x7bee:$g3: get_Password 0x18926:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x1aab1:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x18e31:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x1afbb:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x1937d:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1b507:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x18a47:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x1abd2:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6764	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x7e66:$a11: get_securityProfile 0x7d0a:$a12: get_useSeparateFolderTree 0x8112:$a14: get_archivingScope 0x7f3e:$a15: get_providerName 0x67af:$a17: get_priority 0x5e72:$a18: get_advancedParameters 0x7afc:$a20: get_LastAccessed 0x81ac:$a21: get_avatarType 0x5f89:$a22: get_signaturePresets 0x7fbb:$a26: set_accountName 0x63b3:$a27: set_InternalServerPort 0x78e9:$a28: set_bindingConfigurationUID 0x5f4f:$a29: set_IdnAddress 0x666d:$a30: set_GuidMasterKey 0x8016:$a31: set_username 0x7bd3:$a33: get_Clipboard 0x7be1:$a34: get_Keyboard 0x7bee:$a37: get_Password 0x5cee:$a39: get_DefaultCredentials
Process Memory Space: kmk.exe PID: 2400	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: kmk.exe PID: 2400	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31889:$a3: MailAccountConfiguration 0x318a2:$a5: SmtpAccountConfiguration 0x31869:$a8: set_BindingAccountConfiguration 0x30965:$a11: get_securityProfile 0x30809:$a12: get_useSeparateFolderTree 0x31f27:$a13: get_DnsResolver 0x30c11:$a14: get_archivingScope 0x30a3d:$a15: get_providerName 0x32df3:$a17: get_priority 0x324b6:$a18: get_advancedParameters 0x319a3:$a19: get_disabledByRestriction 0x305fb:$a20: get_LastAccessed 0x30cab:$a21: get_avatarType 0x325cd:$a22: get_signaturePresets 0x31274:$a23: get_enableLog 0x30aba:$a26: set_accountName 0x329f7:$a27: set_InternalServerPort 0x303e8:$a28: set_bindingConfigurationUID 0x32593:$a29: set_IdnAddress 0x32cb1:$a30: set_GuidMasterKey 0x30b15:$a31: set_username
Process Memory Space: kmk.exe PID: 4588	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: kmk.exe PID: 4588	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: kmk.exe PID: 4588	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: kmk.exe PID: 4588	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3bf8a:$s1: get_kbok 0x3c80a:$s2: get_CHoo 0x3be36:$s4: get_enableLog 0x3c6e4:$g4: get_CtrlKeyDown 0x3c6f4:$g5: get_ShiftKeyDown 0x3c705:$g6: get_AltKeyDown 0x196e1:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x1b86c:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x19bec:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x1bd76:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x1a138:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1c2c2:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x19802:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x1b98d:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: kmk.exe PID: 4588	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3c44b:$a3: MailAccountConfiguration 0x3c464:$a5: SmtpAccountConfiguration 0x3c42b:$a8: set_BindingAccountConfiguration 0x3cae9:$a13: get_DnsResolver 0x3c565:$a19: get_disabledByRestriction 0x3be36:$a23: get_enableLog 0x3c371:$a32: set_version 0x3c6f4:$a35: get_ShiftKeyDown 0x3c705:$a36: get_AltKeyDown 0x3be60:$a38: get_PasswordHash
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e600:$s1: get_kbok 0x2ef34:$s2: get_CHoo 0x2fb8f:$s3: set_passwordIsSet 0x2e404:$s4: get_enableLog 0x32b27:$s8: torbrowser 0x3150a:$s10: logins 0x30dd8:$s11: credential 0x2d7e8:$g1: get_Clipboard 0x2d7f6:$g2: get_Keyboard 0x2d803:$g3: get_Password 0x2ede2:$g4: get_CtrlKeyDown 0x2edf2:$g5: get_ShiftKeyDown 0x2ee03:$g6: get_AltKeyDown
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eb45:$a3: MailAccountConfiguration 0x2eb5e:$a5: SmtpAccountConfiguration 0x2eb25:$a8: set_BindingAccountConfiguration 0x2da96:$a11: get_securityProfile 0x2d937:$a12: get_useSeparateFolderTree 0x2f288:$a13: get_DnsResolver 0x2dd46:$a14: get_archivingScope 0x2db6e:$a15: get_providerName 0x30273:$a17: get_priority 0x2f847:$a18: get_advancedParameters 0x2ec5f:$a19: get_disabledByRestriction 0x2d6fd:$a20: get_LastAccessed 0x2dde0:$a21: get_avatarType 0x2f95e:$a22: get_signaturePresets 0x2e404:$a23: get_enableLog 0x2dbeb:$a26: set_accountName 0x2fda9:$a27: set_InternalServerPort 0x2d094:$a28: set_bindingConfigurationUID 0x2f924:$a29: set_IdnAddress 0x30127:$a30: set_GuidMasterKey 0x2dc46:$a31: set_username
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e600:$s1: get_kbok 0x2ef34:$s2: get_CHoo 0x2fb8f:$s3: set_passwordIsSet 0x2e404:$s4: get_enableLog 0x32b27:$s8: torbrowser 0x3150a:$s10: logins 0x30dd8:$s11: credential 0x2d7e8:$g1: get_Clipboard 0x2d7f6:$g2: get_Keyboard 0x2d803:$g3: get_Password 0x2ede2:$g4: get_CtrlKeyDown 0x2edf2:$g5: get_ShiftKeyDown 0x2ee03:$g6: get_AltKeyDown
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eb45:$a3: MailAccountConfiguration 0x2eb5e:$a5: SmtpAccountConfiguration 0x2eb25:$a8: set_BindingAccountConfiguration 0x2da96:$a11: get_securityProfile 0x2d937:$a12: get_useSeparateFolderTree 0x2f288:$a13: get_DnsResolver 0x2dd46:$a14: get_archivingScope 0x2db6e:$a15: get_providerName 0x30273:$a17: get_priority 0x2f847:$a18: get_advancedParameters 0x2ec5f:$a19: get_disabledByRestriction 0x2d6fd:$a20: get_LastAccessed 0x2dde0:$a21: get_avatarType 0x2f95e:$a22: get_signaturePresets 0x2e404:$a23: get_enableLog 0x2dbeb:$a26: set_accountName 0x2fda9:$a27: set_InternalServerPort 0x2d094:$a28: set_bindingConfigurationUID 0x2f924:$a29: set_IdnAddress 0x30127:$a30: set_GuidMasterKey 0x2dc46:$a31: set_username
6.2.kmk.exe.3cbb920.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3cbb920.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3cbb920.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.kmk.exe.3cbb920.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30400:$s1: get_kbok 0x30d34:$s2: get_CHoo 0x3198f:$s3: set_passwordIsSet 0x30204:$s4: get_enableLog 0x34927:$s8: torbrowser 0x3330a:$s10: logins 0x32bd8:$s11: credential 0x2f5e8:$g1: get_Clipboard 0x2f5f6:$g2: get_Keyboard 0x2f603:$g3: get_Password 0x30be2:$g4: get_CtrlKeyDown 0x30bf2:$g5: get_ShiftKeyDown 0x30c03:$g6: get_AltKeyDown
6.2.kmk.exe.3cbb920.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30945:$a3: MailAccountConfiguration 0x3095e:$a5: SmtpAccountConfiguration 0x30925:$a8: set_BindingAccountConfiguration 0x2f896:$a11: get_securityProfile 0x2f737:$a12: get_useSeparateFolderTree 0x31088:$a13: get_DnsResolver 0x2fb46:$a14: get_archivingScope 0x2f96e:$a15: get_providerName 0x32073:$a17: get_priority 0x31647:$a18: get_advancedParameters 0x30a5f:$a19: get_disabledByRestriction 0x2f4fd:$a20: get_LastAccessed 0x2fbe0:$a21: get_avatarType 0x3175e:$a22: get_signaturePresets 0x30204:$a23: get_enableLog 0x2f9eb:$a26: set_accountName 0x31ba9:$a27: set_InternalServerPort 0x2ee94:$a28: set_bindingConfigurationUID 0x31724:$a29: set_IdnAddress 0x31f27:$a30: set_GuidMasterKey 0x2fa46:$a31: set_username
7.2.kmk.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30945:$a3: MailAccountConfiguration 0x3095e:$a5: SmtpAccountConfiguration 0x30925:$a8: set_BindingAccountConfiguration 0x31088:$a13: get_DnsResolver 0x30a5f:$a19: get_disabledByRestriction 0x30204:$a23: get_enableLog 0x3086b:$a32: set_version 0x30bf2:$a35: get_ShiftKeyDown 0x30c03:$a36: get_AltKeyDown 0x30255:$a38: get_PasswordHash
6.2.kmk.exe.3cbb920.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3cbb920.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3cbb920.7.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e600:$s1: get_kbok 0x2ef34:$s2: get_CHoo 0x2fb8f:$s3: set_passwordIsSet 0x2e404:$s4: get_enableLog 0x32b27:$s8: torbrowser 0x3150a:$s10: logins 0x30dd8:$s11: credential 0x2d7e8:$g1: get_Clipboard 0x2d7f6:$g2: get_Keyboard 0x2d803:$g3: get_Password 0x2ede2:$g4: get_CtrlKeyDown 0x2edf2:$g5: get_ShiftKeyDown 0x2ee03:$g6: get_AltKeyDown
6.2.kmk.exe.3cbb920.7.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eb45:$a3: MailAccountConfiguration 0x2eb5e:$a5: SmtpAccountConfiguration 0x2eb25:$a8: set_BindingAccountConfiguration 0x2da96:$a11: get_securityProfile 0x2d937:$a12: get_useSeparateFolderTree 0x2f288:$a13: get_DnsResolver 0x2dd46:$a14: get_archivingScope 0x2db6e:$a15: get_providerName 0x30273:$a17: get_priority 0x2f847:$a18: get_advancedParameters 0x2ec5f:$a19: get_disabledByRestriction 0x2d6fd:$a20: get_LastAccessed 0x2dde0:$a21: get_avatarType 0x2f95e:$a22: get_signaturePresets 0x2e404:$a23: get_enableLog 0x2dbeb:$a26: set_accountName 0x2fda9:$a27: set_InternalServerPort 0x2d094:$a28: set_bindingConfigurationUID 0x2f924:$a29: set_IdnAddress 0x30127:$a30: set_GuidMasterKey 0x2dc46:$a31: set_username
6.2.kmk.exe.3c86100.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c86100.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c86100.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2e600:$s1: get_kbok 0x2ef34:$s2: get_CHoo 0x2fb8f:$s3: set_passwordIsSet 0x2e404:$s4: get_enableLog 0x32b27:$s8: torbrowser 0x3150a:$s10: logins 0x30dd8:$s11: credential 0x2d7e8:$g1: get_Clipboard 0x2d7f6:$g2: get_Keyboard 0x2d803:$g3: get_Password 0x2ede2:$g4: get_CtrlKeyDown 0x2edf2:$g5: get_ShiftKeyDown 0x2ee03:$g6: get_AltKeyDown
6.2.kmk.exe.3c86100.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2eb45:$a3: MailAccountConfiguration 0x2eb5e:$a5: SmtpAccountConfiguration 0x2eb25:$a8: set_BindingAccountConfiguration 0x2da96:$a11: get_securityProfile 0x2d937:$a12: get_useSeparateFolderTree 0x2f288:$a13: get_DnsResolver 0x2dd46:$a14: get_archivingScope 0x2db6e:$a15: get_providerName 0x30273:$a17: get_priority 0x2f847:$a18: get_advancedParameters 0x2ec5f:$a19: get_disabledByRestriction 0x2d6fd:$a20: get_LastAccessed 0x2dde0:$a21: get_avatarType 0x2f95e:$a22: get_signaturePresets 0x2e404:$a23: get_enableLog 0x2dbeb:$a26: set_accountName 0x2fda9:$a27: set_InternalServerPort 0x2d094:$a28: set_bindingConfigurationUID 0x2f924:$a29: set_IdnAddress 0x30127:$a30: set_GuidMasterKey 0x2dc46:$a31: set_username
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x69e20:$s1: get_kbok 0x9f640:$s1: get_kbok 0x6a754:$s2: get_CHoo 0x9ff74:$s2: get_CHoo 0x6b3af:$s3: set_passwordIsSet 0xa0bcf:$s3: set_passwordIsSet 0x69c24:$s4: get_enableLog 0x9f444:$s4: get_enableLog 0x6e347:$s8: torbrowser 0xa3b67:$s8: torbrowser 0x6cd2a:$s10: logins 0xa254a:$s10: logins 0x6c5f8:$s11: credential 0xa1e18:$s11: credential 0x69008:$g1: get_Clipboard 0x9e828:$g1: get_Clipboard 0x69016:$g2: get_Keyboard 0x9e836:$g2: get_Keyboard 0x69023:$g3: get_Password 0x9e843:$g3: get_Password 0x6a602:$g4: get_CtrlKeyDown
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xe252b:$s1: file:/// 0xe2487:$s2: {11111-22222-10009-11112} 0xe24bb:$s3: {11111-22222-50001-00000} 0xe04b3:$s4: get_Module 0x696ee:$s5: Reverse 0x9ef0e:$s5: Reverse 0x6b9f6:$s6: BlockCopy 0xa1216:$s6: BlockCopy 0xe19ad:$s6: BlockCopy 0x6998f:$s7: ReadByte 0x9f1af:$s7: ReadByte 0xe198d:$s7: ReadByte 0xe253d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6a365:$a3: MailAccountConfiguration 0x9fb85:$a3: MailAccountConfiguration 0x6a37e:$a5: SmtpAccountConfiguration 0x9fb9e:$a5: SmtpAccountConfiguration 0x6a345:$a8: set_BindingAccountConfiguration 0x9fb65:$a8: set_BindingAccountConfiguration 0x692b6:$a11: get_securityProfile 0x9ead6:$a11: get_securityProfile 0x69157:$a12: get_useSeparateFolderTree 0x9e977:$a12: get_useSeparateFolderTree 0x6aaa8:$a13: get_DnsResolver 0xa02c8:$a13: get_DnsResolver 0x69566:$a14: get_archivingScope 0x9ed86:$a14: get_archivingScope 0x6938e:$a15: get_providerName 0x9ebae:$a15: get_providerName 0x6ba93:$a17: get_priority 0xa12b3:$a17: get_priority 0x6b067:$a18: get_advancedParameters 0xa0887:$a18: get_advancedParameters 0x6a47f:$a19: get_disabledByRestriction
6.2.kmk.exe.3c86100.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c86100.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c86100.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.kmk.exe.3c86100.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30400:$s1: get_kbok 0x65c20:$s1: get_kbok 0x30d34:$s2: get_CHoo 0x66554:$s2: get_CHoo 0x3198f:$s3: set_passwordIsSet 0x671af:$s3: set_passwordIsSet 0x30204:$s4: get_enableLog 0x65a24:$s4: get_enableLog 0x34927:$s8: torbrowser 0x6a147:$s8: torbrowser 0x3330a:$s10: logins 0x68b2a:$s10: logins 0x32bd8:$s11: credential 0x683f8:$s11: credential 0x2f5e8:$g1: get_Clipboard 0x64e08:$g1: get_Clipboard 0x2f5f6:$g2: get_Keyboard 0x64e16:$g2: get_Keyboard 0x2f603:$g3: get_Password 0x64e23:$g3: get_Password 0x30be2:$g4: get_CtrlKeyDown
6.2.kmk.exe.3c86100.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30945:$a3: MailAccountConfiguration 0x66165:$a3: MailAccountConfiguration 0x3095e:$a5: SmtpAccountConfiguration 0x6617e:$a5: SmtpAccountConfiguration 0x30925:$a8: set_BindingAccountConfiguration 0x66145:$a8: set_BindingAccountConfiguration 0x2f896:$a11: get_securityProfile 0x650b6:$a11: get_securityProfile 0x2f737:$a12: get_useSeparateFolderTree 0x64f57:$a12: get_useSeparateFolderTree 0x31088:$a13: get_DnsResolver 0x668a8:$a13: get_DnsResolver 0x2fb46:$a14: get_archivingScope 0x65366:$a14: get_archivingScope 0x2f96e:$a15: get_providerName 0x6518e:$a15: get_providerName 0x32073:$a17: get_priority 0x67893:$a17: get_priority 0x31647:$a18: get_advancedParameters 0x66e67:$a18: get_advancedParameters 0x30a5f:$a19: get_disabledByRestriction
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30400:$s1: get_kbok 0x65c20:$s1: get_kbok 0x30d34:$s2: get_CHoo 0x66554:$s2: get_CHoo 0x3198f:$s3: set_passwordIsSet 0x671af:$s3: set_passwordIsSet 0x30204:$s4: get_enableLog 0x65a24:$s4: get_enableLog 0x34927:$s8: torbrowser 0x6a147:$s8: torbrowser 0x3330a:$s10: logins 0x68b2a:$s10: logins 0x32bd8:$s11: credential 0x683f8:$s11: credential 0x2f5e8:$g1: get_Clipboard 0x64e08:$g1: get_Clipboard 0x2f5f6:$g2: get_Keyboard 0x64e16:$g2: get_Keyboard 0x2f603:$g3: get_Password 0x64e23:$g3: get_Password 0x30be2:$g4: get_CtrlKeyDown
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xa8b0b:$s1: file:/// 0xa8a67:$s2: {11111-22222-10009-11112} 0xa8a9b:$s3: {11111-22222-50001-00000} 0xa6a93:$s4: get_Module 0x2fcce:$s5: Reverse 0x654ee:$s5: Reverse 0x31fd6:$s6: BlockCopy 0x677f6:$s6: BlockCopy 0xa7f8d:$s6: BlockCopy 0x2ff6f:$s7: ReadByte 0x6578f:$s7: ReadByte 0xa7f6d:$s7: ReadByte 0xa8b1d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30945:$a3: MailAccountConfiguration 0x66165:$a3: MailAccountConfiguration 0x3095e:$a5: SmtpAccountConfiguration 0x6617e:$a5: SmtpAccountConfiguration 0x30925:$a8: set_BindingAccountConfiguration 0x66145:$a8: set_BindingAccountConfiguration 0x2f896:$a11: get_securityProfile 0x650b6:$a11: get_securityProfile 0x2f737:$a12: get_useSeparateFolderTree 0x64f57:$a12: get_useSeparateFolderTree 0x31088:$a13: get_DnsResolver 0x668a8:$a13: get_DnsResolver 0x2fb46:$a14: get_archivingScope 0x65366:$a14: get_archivingScope 0x2f96e:$a15: get_providerName 0x6518e:$a15: get_providerName 0x32073:$a17: get_priority 0x67893:$a17: get_priority 0x31647:$a18: get_advancedParameters 0x66e67:$a18: get_advancedParameters 0x30a5f:$a19: get_disabledByRestriction
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30400:$s1: get_kbok 0x30d34:$s2: get_CHoo 0x3198f:$s3: set_passwordIsSet 0x30204:$s4: get_enableLog 0x34927:$s8: torbrowser 0x3330a:$s10: logins 0x32bd8:$s11: credential 0x2f5e8:$g1: get_Clipboard 0x2f5f6:$g2: get_Keyboard 0x2f603:$g3: get_Password 0x30be2:$g4: get_CtrlKeyDown 0x30bf2:$g5: get_ShiftKeyDown 0x30c03:$g6: get_AltKeyDown
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x732eb:$s1: file:/// 0x73247:$s2: {11111-22222-10009-11112} 0x7327b:$s3: {11111-22222-50001-00000} 0x71273:$s4: get_Module 0x2fcce:$s5: Reverse 0x31fd6:$s6: BlockCopy 0x7276d:$s6: BlockCopy 0x2ff6f:$s7: ReadByte 0x7274d:$s7: ReadByte 0x732fd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30945:$a3: MailAccountConfiguration 0x3095e:$a5: SmtpAccountConfiguration 0x30925:$a8: set_BindingAccountConfiguration 0x2f896:$a11: get_securityProfile 0x2f737:$a12: get_useSeparateFolderTree 0x31088:$a13: get_DnsResolver 0x2fb46:$a14: get_archivingScope 0x2f96e:$a15: get_providerName 0x32073:$a17: get_priority 0x31647:$a18: get_advancedParameters 0x30a5f:$a19: get_disabledByRestriction 0x2f4fd:$a20: get_LastAccessed 0x2fbe0:$a21: get_avatarType 0x3175e:$a22: get_signaturePresets 0x30204:$a23: get_enableLog 0x2f9eb:$a26: set_accountName 0x31ba9:$a27: set_InternalServerPort 0x2ee94:$a28: set_bindingConfigurationUID 0x31724:$a29: set_IdnAddress 0x31f27:$a30: set_GuidMasterKey 0x2fa46:$a31: set_username
6.2.kmk.exe.3c4c6e0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c4c6e0.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.kmk.exe.3c4c6e0.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.kmk.exe.3c4c6e0.5.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x69e20:$s1: get_kbok 0x9f640:$s1: get_kbok 0x6a754:$s2: get_CHoo 0x9ff74:$s2: get_CHoo 0x6b3af:$s3: set_passwordIsSet 0xa0bcf:$s3: set_passwordIsSet 0x69c24:$s4: get_enableLog 0x9f444:$s4: get_enableLog 0x6e347:$s8: torbrowser 0xa3b67:$s8: torbrowser 0x6cd2a:$s10: logins 0xa254a:$s10: logins 0x6c5f8:$s11: credential 0xa1e18:$s11: credential 0x69008:$g1: get_Clipboard 0x9e828:$g1: get_Clipboard 0x69016:$g2: get_Keyboard 0x9e836:$g2: get_Keyboard 0x69023:$g3: get_Password 0x9e843:$g3: get_Password 0x6a602:$g4: get_CtrlKeyDown
6.2.kmk.exe.3c4c6e0.5.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6a365:$a3: MailAccountConfiguration 0x9fb85:$a3: MailAccountConfiguration 0x6a37e:$a5: SmtpAccountConfiguration 0x9fb9e:$a5: SmtpAccountConfiguration 0x6a345:$a8: set_BindingAccountConfiguration 0x9fb65:$a8: set_BindingAccountConfiguration 0x692b6:$a11: get_securityProfile 0x9ead6:$a11: get_securityProfile 0x69157:$a12: get_useSeparateFolderTree 0x9e977:$a12: get_useSeparateFolderTree 0x6aaa8:$a13: get_DnsResolver 0xa02c8:$a13: get_DnsResolver 0x69566:$a14: get_archivingScope 0x9ed86:$a14: get_archivingScope 0x6938e:$a15: get_providerName 0x9ebae:$a15: get_providerName 0x6ba93:$a17: get_priority 0xa12b3:$a17: get_priority 0x6b067:$a18: get_advancedParameters 0xa0887:$a18: get_advancedParameters 0x6a47f:$a19: get_disabledByRestriction
Click to see the 48 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentsendMessage?chat_id=document"}
Source: kmk.exe.4588.7.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendMessage"}

Multi AV Scanner detection for submitted file

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe	ReversingLabs: Detection: 16%
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Virustotal: Detection: 27%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe

Avira: detection malicious, Label: HEUR/AGEN.1309734

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe

ReversingLabs: Detection: 16%

Machine Learning detection for sample

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe

Joe Sandbox ML: detected

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mOdw.pdb source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, kmk.exe.5.dr
Source:	Binary string: mOdw.pdbSHA256 source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, kmk.exe.5.dr

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Code function: 4x nop then jmp 07FD925Bh

0_2_07FD86A0

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3c86100.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.kmk.exe.3c4c6e0.5.raw.unpack, type: UNPACKEDPE

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://UZQtUP.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.538649666.00000000064EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.wikiphD
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comams/R
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comdol
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comes
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539693492.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comg
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdia
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.553540335.00000000064E4000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.553420022.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commTTF
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.547482112.00000000064E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commpKF
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn(
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539230782.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/uG
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnN
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnr-t
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.539103728.00000000064EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnsk
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/.Kp
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//r$
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/CK
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Sue
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/fK(
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/%Ki
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/oK?
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/on
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540333707.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000003.540184473.00000000064E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/yKM
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.577848847.0000000007632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.799586439.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentdocument-----
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.799586439.0000000000436000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Jump to behavior

Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.565506875.00000000015DB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 7.2.kmk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3cbb920.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3cbb920.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Windows Analysis Report
shipmentReceipt(22kb).pdf__customInvoice12074408.exe