Edit tour

Windows Analysis Report
231210-01-AgentTesla-2eba02.exe

Overview

General Information

Sample name:	231210-01-AgentTesla-2eba02.exe
Analysis ID:	1480036
MD5:	7911215edc491695bf598dbff6f1d0c1
SHA1:	2eba02407a65333a3675b0bafda8ddd3f2f7fc99
SHA256:	bc419893a2948f85aa53af290eca67dc626ab1467b72a45419385d0fe709fd58
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

231210-01-AgentTesla-2eba02.exe (PID: 2692 cmdline: "C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe" MD5: 7911215EDC491695BF598DBFF6F1D0C1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
231210-01-AgentTesla-2eba02.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
231210-01-AgentTesla-2eba02.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
231210-01-AgentTesla-2eba02.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x335cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3363f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x336c9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3375b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x337c5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33837:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x338cd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3395d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2494896359.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.1238101496.00000000009B2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.1238101496.00000000009B2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2494896359.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2494896359.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 231210-01-AgentTesla-2eba02.exe PID: 2692	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 231210-01-AgentTesla-2eba02.exe PID: 2692	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.231210-01-AgentTesla-2eba02.exe.9b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.231210-01-AgentTesla-2eba02.exe.9b0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.231210-01-AgentTesla-2eba02.exe.9b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x335cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3363f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x336c9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3375b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x337c5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33837:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x338cd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3395d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 50.87.139.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe, Initiated: true, ProcessId: 2692, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49699

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 231210-01-AgentTesla-2eba02.exe

Avira: detected

Found malware configuration

Source: 231210-01-AgentTesla-2eba02.exe

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Multi AV Scanner detection for submitted file

Source: 231210-01-AgentTesla-2eba02.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 231210-01-AgentTesla-2eba02.exe

Joe Sandbox ML: detected

Source: 231210-01-AgentTesla-2eba02.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 231210-01-AgentTesla-2eba02.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 50.87.139.143:587

Source: Joe Sandbox View

IP Address: 50.87.139.143 50.87.139.143

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 50.87.139.143:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.elec-qatar.com

Source: 231210-01-AgentTesla-2eba02.exe, 00000001.00000002.2494896359.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.elec-qatar.com
Source: 231210-01-AgentTesla-2eba02.exe	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 231210-01-AgentTesla-2eba02.exe, TOgp3h.cs

.Net Code: qmjRo

System Summary

Malicious sample detected (through community Yara rule)

Source: 231210-01-AgentTesla-2eba02.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.0.231210-01-AgentTesla-2eba02.exe.9b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_02C49378	1_2_02C49378
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_02C44A98	1_2_02C44A98
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_02C43E80	1_2_02C43E80
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_02C4CFC8	1_2_02C4CFC8
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_02C49C00	1_2_02C49C00
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_02C441C8	1_2_02C441C8
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_05FBDD58	1_2_05FBDD58
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_05FBBD40	1_2_05FBBD40
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_05FB3F80	1_2_05FB3F80
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_05FB5720	1_2_05FB5720
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_05FB0040	1_2_05FB0040
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_05FB8BE0	1_2_05FB8BE0
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_05FB9B28	1_2_05FB9B28
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_05FB2B10	1_2_05FB2B10
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_05FB5028	1_2_05FB5028
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_05FB3278	1_2_05FB3278
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Code function: 1_2_02C49BF8	1_2_02C49BF8

Source: 231210-01-AgentTesla-2eba02.exe, 00000001.00000000.1238173889.00000000009EE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename068524b8-d918-4107-9401-212dd26aaaa3.exe4 vs 231210-01-AgentTesla-2eba02.exe
Source: 231210-01-AgentTesla-2eba02.exe, 00000001.00000002.2490949004.0000000000D89000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 231210-01-AgentTesla-2eba02.exe
Source: 231210-01-AgentTesla-2eba02.exe, 00000001.00000002.2491592427.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 231210-01-AgentTesla-2eba02.exe
Source: 231210-01-AgentTesla-2eba02.exe	Binary or memory string: OriginalFilename068524b8-d918-4107-9401-212dd26aaaa3.exe4 vs 231210-01-AgentTesla-2eba02.exe

Source: 231210-01-AgentTesla-2eba02.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 231210-01-AgentTesla-2eba02.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.0.231210-01-AgentTesla-2eba02.exe.9b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 231210-01-AgentTesla-2eba02.exe, jCzkkFGbiW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 231210-01-AgentTesla-2eba02.exe, ZFYrnBYEI.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 231210-01-AgentTesla-2eba02.exe, TAIf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 231210-01-AgentTesla-2eba02.exe, fMld7.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 231210-01-AgentTesla-2eba02.exe, jT3EMCHnL02.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 231210-01-AgentTesla-2eba02.exe, LyqEkh9QZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 231210-01-AgentTesla-2eba02.exe, tF0n0U.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 231210-01-AgentTesla-2eba02.exe, tF0n0U.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 231210-01-AgentTesla-2eba02.exe

Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

Mutant created: NULL

Source: 231210-01-AgentTesla-2eba02.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 231210-01-AgentTesla-2eba02.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 231210-01-AgentTesla-2eba02.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 231210-01-AgentTesla-2eba02.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 231210-01-AgentTesla-2eba02.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Memory allocated: 1320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Memory allocated: 4C70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Window / User API: threadDelayed 1560			Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Window / User API: threadDelayed 4111			Jump to behavior

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2232	Thread sleep count: 1560 > 30	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2232	Thread sleep count: 4111 > 30	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -99653s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -99282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -99157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -99046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -98922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -98593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -98482s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -98360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -98247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -98103s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -97641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -97407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -97282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -97157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -97047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -96922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -96813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -96703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -96594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -96469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe TID: 2940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 99653	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 99157	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 99046	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 98922	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 98593	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 98482	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 98247	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 98103	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 97641	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 97407	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 97282	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 97157	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 97047	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 96922	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 96813	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 96703	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 96594	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 96469	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 231210-01-AgentTesla-2eba02.exe, 00000001.00000002.2491592427.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\Q6

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Queries volume information: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 231210-01-AgentTesla-2eba02.exe, type: SAMPLE
Source: Yara match	File source: 1.0.231210-01-AgentTesla-2eba02.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2494896359.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1238101496.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2494896359.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 231210-01-AgentTesla-2eba02.exe PID: 2692, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 231210-01-AgentTesla-2eba02.exe, type: SAMPLE
Source: Yara match	File source: 1.0.231210-01-AgentTesla-2eba02.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1238101496.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2494896359.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 231210-01-AgentTesla-2eba02.exe PID: 2692, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 231210-01-AgentTesla-2eba02.exe, type: SAMPLE
Source: Yara match	File source: 1.0.231210-01-AgentTesla-2eba02.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2494896359.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1238101496.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2494896359.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 231210-01-AgentTesla-2eba02.exe PID: 2692, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	141 Virtualization/Sandbox Evasion	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
231210-01-AgentTesla-2eba02.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
231210-01-AgentTesla-2eba02.exe	100%	Avira	TR/Spy.Gen8
231210-01-AgentTesla-2eba02.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://account.dyn.com/	0%	URL Reputation	safe
http://mail.elec-qatar.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.elec-qatar.com	50.87.139.143	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.elec-qatar.com	231210-01-AgentTesla-2eba02.exe, 00000001.00000002.2494896359.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	231210-01-AgentTesla-2eba02.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.87.139.143	mail.elec-qatar.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480036
Start date and time:	2024-07-24 14:23:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	231210-01-AgentTesla-2eba02.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 60 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 231210-01-AgentTesla-2eba02.exe

Simulations

Behavior and APIs

Time	Type	Description
08:24:47	API Interceptor	28x Sleep call for process: 231210-01-AgentTesla-2eba02.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
50.87.139.143	SecuriteInfo.com.Heur.18737.25106.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe	Get hash	malicious	AgentTesla	Browse
	NEW ORDER 98540-0.exe	Get hash	malicious	AgentTesla	Browse
	Documents of shipment 3-2024.exe	Get hash	malicious	AgentTesla	Browse
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla	Browse
	Order 19A20060.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Proforma Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	New order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.elec-qatar.com	SecuriteInfo.com.Heur.18737.25106.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	NEW ORDER 98540-0.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	Documents of shipment 3-2024.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	Order 19A20060.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	Proforma Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	New order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	http://www.agrimarkeurope.com/feed-commodities.	Get hash	malicious	Unknown	Browse	173.254.30.100
	https://lailaf50897.clickfunnels.com/auto-webinar-registration1721805327948	Get hash	malicious	HTMLPhisher	Browse	192.185.165.78
	Order Requirement FOB Middle East.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.185.113.233
	95cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	108.179.234.136
	List & Sample_Doc3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	108.167.181.251
	Shipping Documents_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	108.179.234.136
	Apixaban - August 2024.XLS.exe	Get hash	malicious	Snake Keylogger	Browse	108.167.181.251
	Collexus Knowledge Base Access.docx	Get hash	malicious	Unknown	Browse	192.254.232.202
	https://www.turkiyecumhuriyetiziraatbankasi.com/en/product-and-service-fees.html	Get hash	malicious	Unknown	Browse	162.240.37.219
	http://nia.sga.mybluehost.me/	Get hash	malicious	Unknown	Browse	162.241.226.133

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.999622243728955
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	231210-01-AgentTesla-2eba02.exe
File size:	240'640 bytes
MD5:	7911215edc491695bf598dbff6f1d0c1
SHA1:	2eba02407a65333a3675b0bafda8ddd3f2f7fc99
SHA256:	bc419893a2948f85aa53af290eca67dc626ab1467b72a45419385d0fe709fd58
SHA512:	e0c8c566925d0fd15b105270ca2c6599597502df6876378e6f676cc4e0ee2d05c36ba73210412c7eaf7bb051051087867e7c6921ff88533b0e2a9a8a263426c6
SSDEEP:	6144:UR1ZlxGUdnFTKh6BbiYHXvf4Ax+C0c+g:UR1ZlxGUdnFKobf/jMX
TLSH:	03340E037E48EB15E5A83E3782EF6C2413B2B0C71633C60B6F49AFA518516925D7E72D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9.re................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43c02e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6572F139 [Fri Dec 8 10:34:33 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bfdc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e000	0x546	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3a034	0x3a200	ba208a6c8a5cdda35434135b7f470a84	False	0.35699344758064516	data	5.0110603590563825	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3e000	0x546	0x600	7d4472e9b45d3736c5771007112b4bb2	False	0.4010416666666667	data	4.004180396667646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0xc	0x200	a515ae9255f4d4a0501cea1d147738db	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3e0a0	0x2bc	data			0.44
RT_MANIFEST	0x3e35c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 14:24:48.100517035 CEST	49699	587	192.168.2.7	50.87.139.143
Jul 24, 2024 14:24:48.105468035 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:48.105545044 CEST	49699	587	192.168.2.7	50.87.139.143
Jul 24, 2024 14:24:48.783190012 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:48.783513069 CEST	49699	587	192.168.2.7	50.87.139.143
Jul 24, 2024 14:24:48.788532019 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:49.376509905 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:49.377480030 CEST	49699	587	192.168.2.7	50.87.139.143
Jul 24, 2024 14:24:49.377626896 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:49.377785921 CEST	49699	587	192.168.2.7	50.87.139.143
Jul 24, 2024 14:24:49.378107071 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:49.378156900 CEST	49699	587	192.168.2.7	50.87.139.143
Jul 24, 2024 14:24:49.384408951 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:49.543003082 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:49.544053078 CEST	49699	587	192.168.2.7	50.87.139.143
Jul 24, 2024 14:24:49.549535036 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:51.377089977 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:51.377768993 CEST	49699	587	192.168.2.7	50.87.139.143
Jul 24, 2024 14:24:51.382622004 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:51.536485910 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:51.537803888 CEST	587	49699	50.87.139.143	192.168.2.7
Jul 24, 2024 14:24:51.537874937 CEST	49699	587	192.168.2.7	50.87.139.143
Jul 24, 2024 14:24:51.545109034 CEST	49699	587	192.168.2.7	50.87.139.143
Jul 24, 2024 14:24:51.550004005 CEST	587	49699	50.87.139.143	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 14:24:48.042783976 CEST	61897	53	192.168.2.7	1.1.1.1
Jul 24, 2024 14:24:48.089612961 CEST	53	61897	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 14:24:48.042783976 CEST	192.168.2.7	1.1.1.1	0x24d2	Standard query (0)	mail.elec-qatar.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 14:24:48.089612961 CEST	1.1.1.1	192.168.2.7	0x24d2	No error (0)	mail.elec-qatar.com		50.87.139.143	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 24, 2024 14:24:48.783190012 CEST	587	49699	50.87.139.143	192.168.2.7	220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Wed, 24 Jul 2024 06:24:48 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 24, 2024 14:24:48.783513069 CEST	49699	587	192.168.2.7	50.87.139.143	EHLO 849224
Jul 24, 2024 14:24:49.376509905 CEST	587	49699	50.87.139.143	192.168.2.7	250-box2248.bluehost.com Hello 849224 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 24, 2024 14:24:49.377480030 CEST	49699	587	192.168.2.7	50.87.139.143	AUTH login bW9oYW1tZWQuYWJyYXJAZWxlYy1xYXRhci5jb20=
Jul 24, 2024 14:24:49.377626896 CEST	587	49699	50.87.139.143	192.168.2.7	250-box2248.bluehost.com Hello 849224 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 24, 2024 14:24:49.378107071 CEST	587	49699	50.87.139.143	192.168.2.7	250-box2248.bluehost.com Hello 849224 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 24, 2024 14:24:49.543003082 CEST	587	49699	50.87.139.143	192.168.2.7	334 UGFzc3dvcmQ6
Jul 24, 2024 14:24:51.377089977 CEST	587	49699	50.87.139.143	192.168.2.7	535 Incorrect authentication data
Jul 24, 2024 14:24:51.377768993 CEST	49699	587	192.168.2.7	50.87.139.143	MAIL FROM:<mohammed.abrar@elec-qatar.com>
Jul 24, 2024 14:24:51.536485910 CEST	587	49699	50.87.139.143	192.168.2.7	550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

Target ID:	1
Start time:	08:24:45
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\231210-01-AgentTesla-2eba02.exe"
Imagebase:	0x9b0000
File size:	240'640 bytes
MD5 hash:	7911215EDC491695BF598DBFF6F1D0C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2494896359.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.1238101496.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.1238101496.00000000009B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2494896359.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2494896359.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	4

Executed Functions

Function 05FB0040 Relevance: 8.4, Strings: 6, Instructions: 939COMMON

Download Yara Rule

Strings

$q, xrefs: 05FB0CFB
$q, xrefs: 05FB0CEF
$q, xrefs: 05FB0CA2
$q, xrefs: 05FB0CAE
$q, xrefs: 05FB0CD7
$q, xrefs: 05FB0CCB

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 368155356a58fee4b63b12b30e81a912fd3d7141ebeffb78c5cd23ac1eb2a8a8
Instruction ID: 14ebc2fe40f074b07fc9e24b896615411c44322b5cc90f708e240206096dbe7c
Opcode Fuzzy Hash: 368155356a58fee4b63b12b30e81a912fd3d7141ebeffb78c5cd23ac1eb2a8a8
Instruction Fuzzy Hash: 4E825C34E00715CFDB14EB65C854AAEB7B6FF89300F5486A9E409AB254EF74ED85CB80

Function 05FB8BE0 Relevance: 8.3, Strings: 6, Instructions: 766COMMON

Download Yara Rule

Strings

$q, xrefs: 05FB951B
$q, xrefs: 05FB958F
$q, xrefs: 05FB955B
$q, xrefs: 05FB954F
$q, xrefs: 05FB9583
$q, xrefs: 05FB9527

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 02e349a685494f0d5d3b48d4fba77ade4c6f5a5f320f83abcca39c04eea8044b
Instruction ID: ffd88de8df628e1a4c62fcb69b86fda5fa3717f3a49391e69ec94b6f7cd4c049
Opcode Fuzzy Hash: 02e349a685494f0d5d3b48d4fba77ade4c6f5a5f320f83abcca39c04eea8044b
Instruction Fuzzy Hash: 1C527070E00209CFEF24DB6AD590BEDB7B6FB89310F248526E505DB385DAB9DC418B91

Function 05FB5720 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 05FB5A69
$q, xrefs: 05FB5A5D

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 8715a52c748ac1348728f7c8f79b409247a61076d48b70eebcbe6f39b3316111
Instruction ID: 58f95dbc21e6450c22ca6fc41befcfa0c7bd6b9b2eab3240be99e1bd052d5a33
Opcode Fuzzy Hash: 8715a52c748ac1348728f7c8f79b409247a61076d48b70eebcbe6f39b3316111
Instruction Fuzzy Hash: 3F024D34B00215DFEB14DB69D494BAEBBE2FB84310F248529D815DB394EA79EC46CB80

Function 05FBDD58 Relevance: 2.8, Strings: 2, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 05FBDE46
Xq, xrefs: 05FBDE5F

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: e25d0bdc04c30b7e01166a5aab3a0b4a2477886d127646152053ea3963000bf6
Instruction ID: 5ea77b3856a1c3c5a81694cd2784ec495aa7c32ca37bb863b76c2111095188b4
Opcode Fuzzy Hash: e25d0bdc04c30b7e01166a5aab3a0b4a2477886d127646152053ea3963000bf6
Instruction Fuzzy Hash: 8CB17135F042189BEB18EB7998546BE7BA7BFC8300B15892DE547D7388DE399C028791

Function 02C49C00 Relevance: 2.8, Instructions: 2787COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3c38a27ae4b872bbc0a302c40dcd0650030e42f45ddd105cf5891e184c0b923
Instruction ID: 494087533d3fd3b0b110421a54c0e0843312cddd6202b0f72b04c87d0ce69078
Opcode Fuzzy Hash: a3c38a27ae4b872bbc0a302c40dcd0650030e42f45ddd105cf5891e184c0b923
Instruction Fuzzy Hash: CC63D831C10B1A8ADB11EF68C990699F7B1FF99300F15D79AE45877221EB70AAD4CF81

Function 02C49BF8 Relevance: 2.6, Instructions: 2576COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3a3a7b0a46d2a58d8a77e11cfbb28c5ce785f7e542c4a8cb9ce3c5b6bce6c2
Instruction ID: 0c44fdd8df6daa5eedfbce719560af93fef34e03e0894663e58f037374c1ef58
Opcode Fuzzy Hash: 0a3a3a7b0a46d2a58d8a77e11cfbb28c5ce785f7e542c4a8cb9ce3c5b6bce6c2
Instruction Fuzzy Hash: F053E831C10B1A8ADB11EF68C990699F7B1FF99300F15D79AE45877221EB70AAD4CF81

Function 02C4CFC8 Relevance: 2.3, Instructions: 2309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0caefbeaaf93105c9bb87969c6c0f3ae4e21aeebdf57d47ed4ec090a8a035e
Instruction ID: 959b9168f6324eee3c5f8c049ee63b24dc8a32f40a1d52fdbc34588ff31ff635
Opcode Fuzzy Hash: fa0caefbeaaf93105c9bb87969c6c0f3ae4e21aeebdf57d47ed4ec090a8a035e
Instruction Fuzzy Hash: DC332F31D107198EDB11EF68C8806AEF7B1FF99300F15D79AE459A7211EB70AAC5CB81

Function 05FB2B10 Relevance: 1.8, Strings: 1, Instructions: 596
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 05FB31D1

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 044909f0fd43fd9d8d6b191534bc408067edfc5b6bf03e42f08b279c947b7ac5
Instruction ID: 8227b93c0f5289bcf7362604adf50eeae75a7fd3766152fbb5303ddf73a39f17
Opcode Fuzzy Hash: 044909f0fd43fd9d8d6b191534bc408067edfc5b6bf03e42f08b279c947b7ac5
Instruction Fuzzy Hash: E9227E75E002159FEF24DBA9C490BEEBBB2FF85310F248569D805AB394DA79DC41CB90

Function 05FBBD40 Relevance: 1.8, Strings: 1, Instructions: 571
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 05FBBFA0

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 2b35bb5dc6f3a2b143e2f45cee1ece36687313ab5934bd97588536433b1ef009
Instruction ID: a7c98cbd029327bea698a9328909aab3aab98a9802674002691a8bd8a9d05f5a
Opcode Fuzzy Hash: 2b35bb5dc6f3a2b143e2f45cee1ece36687313ab5934bd97588536433b1ef009
Instruction Fuzzy Hash: DA22AF30B00205CFEB24DB69D494BAEB7A2FF89310F248569E406DB365DB79EC45CB91

Function 02C43E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vmm, xrefs: 02C440CB

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: \Vmm
API String ID: 0-738080011
Opcode ID: b438915d8da211330b2e4da50480126bfe2a2bcd20b08b120e6f5f2bb7c2e0c5
Instruction ID: 62668cdda545ef9abbb98efbcb47466a87e7a657be284adb7255eaa6cdfa1a7c
Opcode Fuzzy Hash: b438915d8da211330b2e4da50480126bfe2a2bcd20b08b120e6f5f2bb7c2e0c5
Instruction Fuzzy Hash: F5916C70E00349CFEF24CFA9D88579EBBF2AF88314F248129E415A7294DB759946CF81

Function 05FB3F80 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78275c394352d9a2c3c16881dbaa616ba0995d7a0d396398a16e1c55696bd512
Instruction ID: d52202edaa1496afd4396eb7b3f1f310691437889df5a3c42ab4a8ed1ac9352e
Opcode Fuzzy Hash: 78275c394352d9a2c3c16881dbaa616ba0995d7a0d396398a16e1c55696bd512
Instruction Fuzzy Hash: 15623734A00204DBEF14DB69D698BADBBB3FB84310F148569E816DB395DB79EC46CB40

Function 05FB9B28 Relevance: .6, Instructions: 628COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79740c349d41deec6d1a05349bdecfc3e53e97a13b33bbd454414ca3d9c1790a
Instruction ID: 3abf2f2ca8658aba651df9950fe933f883ecc4780581f29e00c976f38fbefb8a
Opcode Fuzzy Hash: 79740c349d41deec6d1a05349bdecfc3e53e97a13b33bbd454414ca3d9c1790a
Instruction Fuzzy Hash: 4B328034B00204DFEB24EB69D990BEDBBB2FB88311F108525E545DB359DB79EC428B91

Function 02C49378 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0e078825c2afad4aa60493b7727a95a866b49a9821255d0eeecb6bfeab00a0
Instruction ID: 772b653482354bfc07f3cbb8dcfcc1049e2633857c33730863b84c6e562318b2
Opcode Fuzzy Hash: ee0e078825c2afad4aa60493b7727a95a866b49a9821255d0eeecb6bfeab00a0
Instruction Fuzzy Hash: 79325B75A002148FDB14DF68D584BAEBBB2EF88310F248569E809DB394DB35ED45CB91

Function 02C44A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47eaf81afcb0f8b0465ce5553019fc2063ebfea94b697b1fe75a682740f04bd8
Instruction ID: bef2821c4dee682cc73cba7a43fb15ec488a7acac0dff39fd58271ff5ea1cc1e
Opcode Fuzzy Hash: 47eaf81afcb0f8b0465ce5553019fc2063ebfea94b697b1fe75a682740f04bd8
Instruction Fuzzy Hash: A5B14F70E007098FDB28CFA9D88579EBBF2AF88314F248529D815E7294EF749945CF91

Function 02C44804 Relevance: 2.7, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vmm, xrefs: 02C449D2
\Vmm, xrefs: 02C4487F

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: \Vmm$\Vmm
API String ID: 0-2178289407
Opcode ID: 1846cd5ba5be1f27b4d839866fd02739eec2b0354d89d8378d47d2dbb23fcbd8
Instruction ID: 537372f34d4cc0e833fd7f836bc841766a70978aa842d255949c111d657197b8
Opcode Fuzzy Hash: 1846cd5ba5be1f27b4d839866fd02739eec2b0354d89d8378d47d2dbb23fcbd8
Instruction Fuzzy Hash: DB816A70D00249DFDF28CFA9D880B9EBBF2BF88314F24852AE415A7294DB749981CF51

Function 02C44810 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vmm, xrefs: 02C449D2
\Vmm, xrefs: 02C4487F

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: \Vmm$\Vmm
API String ID: 0-2178289407
Opcode ID: 1c1717db678bdbbe908c55a0e22247ffede9ae1956868fb4f62676130c6d6b01
Instruction ID: 4fe00abe859567a782d61bcc664cc15e55d54565030f34a0400bd1fa9776b037
Opcode Fuzzy Hash: 1c1717db678bdbbe908c55a0e22247ffede9ae1956868fb4f62676130c6d6b01
Instruction Fuzzy Hash: 88715A70E002499FDB28DFA9C88079EBBF2BF88314F248129E415AB294DB749841DF95

Function 02C46ED8 Relevance: 2.6, Strings: 2, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRq, xrefs: 02C46F93
LRq, xrefs: 02C46F0E

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: LRq$LRq
API String ID: 0-3710822783
Opcode ID: cb00da734908aab8c9135a0d8efd8ad0d7e0b3ea0f4f16539967e4d0d9ed8c48
Instruction ID: 6621975142695f59891192bbdffcbb4f8bdca256d60ba2e133239df4b3b5e51a
Opcode Fuzzy Hash: cb00da734908aab8c9135a0d8efd8ad0d7e0b3ea0f4f16539967e4d0d9ed8c48
Instruction Fuzzy Hash: EB41D230A002189FDB15DB68C4507AEBBB6EF86300F20856AE801EB394EF75AD45CB91

Function 05FBE1F0 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591e94433ace00b3852c3c93f339370b203363278f0faf8627298a250941b415
Instruction ID: b0ba4a9eb68a4dd2459bf610ee26ce4e7e17d7bbe1f20350e1a1b2424b4ddb08
Opcode Fuzzy Hash: 591e94433ace00b3852c3c93f339370b203363278f0faf8627298a250941b415
Instruction Fuzzy Hash: 78412132E043598FEB14DFAAC8007DEBBB5AF89210F04856AD904E7240DB789845CBE0

Function 05FBD5EC Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05FBE242), ref: 05FBE32F

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b7a22c57609dac76d7e965a20c2a81193964128bf85ba193ce1eead79d9d0b2e
Instruction ID: b3d7826bac72ac9ea3daa0883bd4a67f97ddd58ce91c22a0a1bda9e1b9510a35
Opcode Fuzzy Hash: b7a22c57609dac76d7e965a20c2a81193964128bf85ba193ce1eead79d9d0b2e
Instruction Fuzzy Hash: E41117B1C006599BDB10DF9AC444BDEFBF4EF48320F14816AE918B7240D778A945CFA1

Function 05FBE2C0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05FBE242), ref: 05FBE32F

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d6640a3668c08b2752849c9ece706060b258bb2e51c2768c7bd40c0c91973d16
Instruction ID: 0cdf0039694e8752326402fd77e711313ff2580fc8961629ce672ba2fb4b506a
Opcode Fuzzy Hash: d6640a3668c08b2752849c9ece706060b258bb2e51c2768c7bd40c0c91973d16
Instruction Fuzzy Hash: 7F1114B1C002599FDB10DF9AC445BDEFBF4AF48320F14822AE918A7240D778A945CFA5

Function 02C43E76 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

\Vmm, xrefs: 02C440CB

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: \Vmm
API String ID: 0-738080011
Opcode ID: 65ea194c7dd2013503ddd6d292f37d6ec7216ec27402c8a6dd1a66e468a49c1c
Instruction ID: 1d972138b2c65fddbe391a9eb4c974d6c661572b50708d7512762d78f7cc3ab7
Opcode Fuzzy Hash: 65ea194c7dd2013503ddd6d292f37d6ec7216ec27402c8a6dd1a66e468a49c1c
Instruction Fuzzy Hash: DA916A70E00249CFEF24CFA9D9857DEBBF2AF88314F248129E815A7294DB759945CF81

Function 02C4F4F5 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PHq, xrefs: 02C4F643

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: edb8f126aa3f89d94375483cb3a22ac2537728ef6c1808e08d20ca24fe8bfe2e
Instruction ID: 0d49518f54e19b0e42531de5c917919147ddaaa108245afa851264a44b2bdc01
Opcode Fuzzy Hash: edb8f126aa3f89d94375483cb3a22ac2537728ef6c1808e08d20ca24fe8bfe2e
Instruction Fuzzy Hash: A531CB30B002059FDB29AF3495A07AF7BA2AF88210F24566DE406DB798DF35DD46CB90

Function 02C4F508 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHq, xrefs: 02C4F643

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 49e2cf1cb2eb5c83a272983e22249031a034620360d44b1a5ba75809bec583eb
Instruction ID: 4e94bb1c0db44a3922f25ea144d226d02958ca88a21912b648fd67680c120f35
Opcode Fuzzy Hash: 49e2cf1cb2eb5c83a272983e22249031a034620360d44b1a5ba75809bec583eb
Instruction Fuzzy Hash: 0F31AB30B002059BDB29AF3595647AF7BA2AFC8210F24456DE406DB388EF35ED02CB90

Function 02C46F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRq, xrefs: 02C46F93

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 460b56c216177e4a34ffee1fa1439f2f476346f8483957f90641ee680424d440
Instruction ID: ff61a8cd16dd530ad065b5d62426750d170424300ee49ec81119506a193f625e
Opcode Fuzzy Hash: 460b56c216177e4a34ffee1fa1439f2f476346f8483957f90641ee680424d440
Instruction Fuzzy Hash: FD315C30E11209DBEB14CFA9C48479EF7B5EF85310F208529E801EB240EF71AE45CB90

Function 02C46BA0 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

LRq, xrefs: 02C46BD7

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: efd5d40f2e61cd3dbf07de4ed4b833ea9b30306bbc437897cf36e245e0d1d20b
Instruction ID: b6f177383fd6cfdb7439cd25ee3d813377d8ad70437676df83a9d98158d191d3
Opcode Fuzzy Hash: efd5d40f2e61cd3dbf07de4ed4b833ea9b30306bbc437897cf36e245e0d1d20b
Instruction Fuzzy Hash: 2A01F5327042105FC705ABB8D5517EE7BA6EF86311F64456AD006CB794DF3989418B91

Function 02C47908 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304f10d0f63cc97c004a96b3a15cfbf6cdf9f11d845181d69afcf60713fadd08
Instruction ID: 56baee1647b791efec6966708c2cb62fec867fa747163801960d0c4c191ca602
Opcode Fuzzy Hash: 304f10d0f63cc97c004a96b3a15cfbf6cdf9f11d845181d69afcf60713fadd08
Instruction Fuzzy Hash: EE126C34710202DFDB25AB28E5A936D76A3FBC5241F606A29E805CF344DF71FC4A8B81

Function 02C47918 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c63e6e5a7fe339597d4f9927b36d43cc5ac444bbb40c340ade9686e74ff074a
Instruction ID: 48e3ffff5626d0700473abc402a4375344cf56a4f271319b6d1b14088b28d6de
Opcode Fuzzy Hash: 8c63e6e5a7fe339597d4f9927b36d43cc5ac444bbb40c340ade9686e74ff074a
Instruction Fuzzy Hash: 6E126B34710202DFDB25AB28E4A876D76A3FBC5241F606A29E905CF344DF71FC4A8B81

Function 02C44A8E Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a7f383e4eb0ca4258eab301eeea5b4f9e396f9a9cb06c60d5a6753e0301c5c
Instruction ID: 4b3a021cd0fc9618d7b45e064c9c8477eced908dcc98d699b8e79d04125d7eb8
Opcode Fuzzy Hash: c8a7f383e4eb0ca4258eab301eeea5b4f9e396f9a9cb06c60d5a6753e0301c5c
Instruction Fuzzy Hash: A6A15E70E00609CFDB28CFA9D8857DEBBF2AF88314F248529D815E7294EB749945CF91

Function 02C49364 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ebda2d163711f394c005c9b07a7750b3e1d87e18703af07e52a3a19207ffe6
Instruction ID: 4c56b52bd48b4cdb798f340c54e46ceb2fa8d5c914df2aad6d02884d752ed1d9
Opcode Fuzzy Hash: c8ebda2d163711f394c005c9b07a7750b3e1d87e18703af07e52a3a19207ffe6
Instruction Fuzzy Hash: 8D914D35A002149FCB15DFA8D584BAEBBB2EF88310F248565E806DB394DF35ED46CB50

Function 02C46CDE Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b94d713dd0df179191c3f36887b78739178d065de0cf02850440cea710996ff
Instruction ID: 1db4b06e1116f466cd3d13cad290b170fc22bb8af5b23105f007ac02e086feef
Opcode Fuzzy Hash: 5b94d713dd0df179191c3f36887b78739178d065de0cf02850440cea710996ff
Instruction Fuzzy Hash: 0F5134B0D002588FDB18DFAAC885B9EBBF5BF49304F24812AE815BB355DB749944CF90

Function 02C46CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05c37044713871ec7e58339147bed7edf05f5bfea80c7d6991070086928cf4d
Instruction ID: f99bf6f11420b1710dd8b268ef8010fa3b6c7667cf096d48f43d5bbffd815e65
Opcode Fuzzy Hash: b05c37044713871ec7e58339147bed7edf05f5bfea80c7d6991070086928cf4d
Instruction Fuzzy Hash: D4512470D002588FDB18DFAAC884B9EBBF5BF49314F258129E815BB355DB74A844CF94

Function 02C41128 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0083052538cea9be457cb867313460eec6a72b6ab69c6a21b71b15743abada17
Instruction ID: 8f4055a77ee2a53f344a7deb0bcc9f0b8dcbf8b2d69a7ea3fc2bee8ab0fb17e4
Opcode Fuzzy Hash: 0083052538cea9be457cb867313460eec6a72b6ab69c6a21b71b15743abada17
Instruction Fuzzy Hash: 42512D355012968FD726FF28F890BA83F75F7923057048969D854CB27EDA716D09CF82

Function 02C41138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f761626ea47c8550c78528afed7141b93e040c1d0bf66f6175d13697168cd211
Instruction ID: 6074ac5c18e19932ea6aea306c4fc98f13c998e54bea5c5ab136294fa26cea47
Opcode Fuzzy Hash: f761626ea47c8550c78528afed7141b93e040c1d0bf66f6175d13697168cd211
Instruction Fuzzy Hash: 4651EC345012A68FD726FF28F890BA83F65F7913057148969D854CF27EDA706D09CF81

Function 02C4F3B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f42c5d9627656a075741d4f23b24ccd1be257c97fc70bc4546793af80c90d794
Instruction ID: cd66ed2cea08825f5a1b44c9ad2b67134ff95e77b237e94dd1d750e4187894f0
Opcode Fuzzy Hash: f42c5d9627656a075741d4f23b24ccd1be257c97fc70bc4546793af80c90d794
Instruction Fuzzy Hash: 0C315E35E106059FDB19CF64D49479EB7B2BF89300F509919E806EB754DF70AD468B40

Function 02C426DC Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77a23cf0191231231a90b959cd703343c17ad6da8cd3f649dc201aeeb325d0a
Instruction ID: 1a47c6b110ff04d834ac25781cb842cb943cb542bece7db0ace6cb8ff37400b2
Opcode Fuzzy Hash: e77a23cf0191231231a90b959cd703343c17ad6da8cd3f649dc201aeeb325d0a
Instruction Fuzzy Hash: EA41FEB1D003499FEB14DFA9C881ADEBBB5FF48314F148029E819AB250DB75A946CF91

Function 02C45098 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34b4976ff121f1055ac887cab83ca822694df248d4d30349a56df7ac998d815
Instruction ID: 5d326461f2eb9308b41b77ae04a4492b810a40497485783e68a799878366e97b
Opcode Fuzzy Hash: b34b4976ff121f1055ac887cab83ca822694df248d4d30349a56df7ac998d815
Instruction Fuzzy Hash: 42315830A002148FDB29EB78D9547AE77B6EF89388F900468D806EB394DF76DD41CB91

Function 02C4F3C8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b90f55cfad3739cf67a16b6372a4e64a2eec3110122980e65cc5cee28aee725
Instruction ID: f85495d6427f36513c35ef80aacd8c9da2995cdcf7f9aa49603cff6c59ded55e
Opcode Fuzzy Hash: 1b90f55cfad3739cf67a16b6372a4e64a2eec3110122980e65cc5cee28aee725
Instruction Fuzzy Hash: 9B315830E106099FDB19CF64D4946AEBBB2BF89300F509929E806EB744DF70AD468B40

Function 02C426E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1026eed9d556fdc3883c7961f10c595d6f0386f6d1e2f25edf9715ee5a0868d
Instruction ID: 6f7daa95923ba0a5c16c804041acd1f6c89c29197452e3e31cd1d01477a9f4c3
Opcode Fuzzy Hash: c1026eed9d556fdc3883c7961f10c595d6f0386f6d1e2f25edf9715ee5a0868d
Instruction Fuzzy Hash: 4241EEB1D0034D9FEB14DFA9C481A9EBBB5FF48314F108029E819AB250DB75A946CF91

Function 02C450A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7b2ac516804c3d092eb85943623af0216c7c89cdb3ddadbad2813ea6621f79
Instruction ID: e8e7807696416e846095c1a45fc1def57c1dce92ca0c90e2821a8b4c14950e54
Opcode Fuzzy Hash: 8b7b2ac516804c3d092eb85943623af0216c7c89cdb3ddadbad2813ea6621f79
Instruction Fuzzy Hash: 5D316834A002148FDB28EB74D9547AE77B6AF89344F500468D806EB398DF76DD41CB91

Function 02C49250 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3ffee8325a8373b9ef40d6a746ff4b385723484af7c708cc89a307b5940a55
Instruction ID: 09290a9dc565cc3c2a0b829e9072990a93d84f6470745a21e4cf1a5bfe5ab5e5
Opcode Fuzzy Hash: 5c3ffee8325a8373b9ef40d6a746ff4b385723484af7c708cc89a307b5940a55
Instruction Fuzzy Hash: 42314F31E002199BDB19DFA5D49079FB7B2EF89304F548629E805EB244DB70AD86CB90

Function 02C49260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920a189e19f448d5ecdadcbc250a30db16aef1a8a337585b63329cecce08c1c2
Instruction ID: 837e3c9660176c934dfafc240a30ca51706aaadd126fa4868abf2b9c11ed6ff0
Opcode Fuzzy Hash: 920a189e19f448d5ecdadcbc250a30db16aef1a8a337585b63329cecce08c1c2
Instruction Fuzzy Hash: 94214D34E1021A9BDB19DFA5D49079FF7B2FF89304F508629E805EB244DB70AD86CB90

Function 02C416A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3448958cbaee8bc96b6bcbe164d4f2babd6f0369c2529579710f346b9c7764ec
Instruction ID: 64bfb837710ab6c9816a69497b96b4723778627054cafb88d3333c73245a3050
Opcode Fuzzy Hash: 3448958cbaee8bc96b6bcbe164d4f2babd6f0369c2529579710f346b9c7764ec
Instruction Fuzzy Hash: DC21A738A102504FEF61F768E884B5B3B65E780355F144A25D44ACF25DDF64EE86CBC1

Function 02C44F88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a450835566cdf68f121fa4b4aa8775061601a362433b9765041ed0b3a39213
Instruction ID: 7e68e585220d75077fce4fabf42e561fcb1f1606195fd436d7b239a002925812
Opcode Fuzzy Hash: 68a450835566cdf68f121fa4b4aa8775061601a362433b9765041ed0b3a39213
Instruction Fuzzy Hash: 85210A347002048FDB64DB79D558BAE7BF5EB89244F500468E84AEB3A4DF36AD01CB91

Function 02C41878 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86cfdb45d840ae43844e71526aff86b9e05a561029f648bdc4bda602806aaec
Instruction ID: 371e9ef866835cb6771f7ff60ecff15ce9448a958084fa2beaab1b12c16a1f9a
Opcode Fuzzy Hash: d86cfdb45d840ae43844e71526aff86b9e05a561029f648bdc4bda602806aaec
Instruction Fuzzy Hash: 2D215C31B002048FEB24EB65D5547AE77F6EF89204F540468D549FB294DFB69E80CBA1

Function 02C49150 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b000405febd3ea1837870b03f83fcdd4bd95aeec449355b52944bd6018325f
Instruction ID: 7afcbd6c86d33df764ef86f122093535d54ae004e545badb78ca7126e02ce021
Opcode Fuzzy Hash: 05b000405febd3ea1837870b03f83fcdd4bd95aeec449355b52944bd6018325f
Instruction Fuzzy Hash: 52216035E042298BDB19CFA4D85469FBBB2AF89300F10865AEC16FB340DF709946CB50

Function 010CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2493541773.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10cd000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3394455c1ae9c11e8df168a416e5d829a4b54e7375a649b314932524be92bd1
Instruction ID: 8d48568643378f1f2aa5d975246740b185661190dadcaabf8eafc3cbe78b8dd0
Opcode Fuzzy Hash: a3394455c1ae9c11e8df168a416e5d829a4b54e7375a649b314932524be92bd1
Instruction Fuzzy Hash: 4121F1716042009FDB15DF58D984B1ABBA1EB84614F30C5BDE88A0B246C336D407CBA2

Function 02C41380 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a95c879ff87ed9919de07ccf45464bb177da191e6325d8cbdc7204f1429567
Instruction ID: a0e8bb764c6088395c406e860b96248b06f9458c754f449a7dcab344e80f10b1
Opcode Fuzzy Hash: 99a95c879ff87ed9919de07ccf45464bb177da191e6325d8cbdc7204f1429567
Instruction Fuzzy Hash: B221E4346102006FEF316674D5993AE3A60F782315F980829F88EDB2C0DFA9DAC4C742

Function 02C49160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ece67a439560c7c91fb376635448bb9fc2e877f1c63c44518e7a0cc65e38e9
Instruction ID: 236a71c419b07ac95b013d4135fc86d673167db95b44d21ec9a15b14d88554f3
Opcode Fuzzy Hash: 45ece67a439560c7c91fb376635448bb9fc2e877f1c63c44518e7a0cc65e38e9
Instruction Fuzzy Hash: 65215030E002199BDB19CFA5D854A9FB7B2AF89300F10866AEC16FB350EF71AD45CB50

Function 02C41888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac0a7ce7b822f9ca41a33bc98a622a53b98a3bf2a719a53d81e2bdb0a7f4650
Instruction ID: 5de8d6888cd8e53d3bfd0f581b630d188965d7e5a790442243f057ad44d5b3ed
Opcode Fuzzy Hash: 5ac0a7ce7b822f9ca41a33bc98a622a53b98a3bf2a719a53d81e2bdb0a7f4650
Instruction Fuzzy Hash: CC213930B002048FEB64EB65D5147AE77F6AF89205F140469D54AEB294DFB69D80CBA1

Function 02C416B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f9a7e041f7827fdf3b8d008e382b50dc80c906da3e74ff0b0f56639688d239
Instruction ID: e372cdc92cf8e3e23e71d240bcd626c3b194f1f84dfa8efb1266233e6f3937c9
Opcode Fuzzy Hash: 45f9a7e041f7827fdf3b8d008e382b50dc80c906da3e74ff0b0f56639688d239
Instruction Fuzzy Hash: 7F21A538A102104FEF61FB64E884B5A3B65EB80345F144A25D44ACF25DDF64ED86CBD1

Function 02C44F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0e1ec598223e09c663df04ec0d027b71f8388d0a8923644eb4b74d24c0fe83
Instruction ID: e39b1c9f0b58a50e910f2e9ffa298ce8a2f9d958ec7eaf61a6428f65cf1e8c1b
Opcode Fuzzy Hash: 3f0e1ec598223e09c663df04ec0d027b71f8388d0a8923644eb4b74d24c0fe83
Instruction Fuzzy Hash: 8021E9347002048FDB64DB79D558BAE7BF5EB89344F104468E80AEB3A4DF76AD00CB91

Function 02C417C0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333b2e9a7f867d0299db908071c6ddb28013e1e2d42a0f9c56db7df07868e533
Instruction ID: d733e1a8f0ddd587ff5f9ed26a13c9c56cbfc6574aa357661a2864e300e944a9
Opcode Fuzzy Hash: 333b2e9a7f867d0299db908071c6ddb28013e1e2d42a0f9c56db7df07868e533
Instruction Fuzzy Hash: 1A11E3B6B003109FDF119BB99884B9F7FE9EB88650F140424E94ADB344EF34C982C791

Function 010CD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2493541773.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10cd000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d2787f0fe2ad0f5071bc3e2faeb528cec67b392b24816480e7a67ecb2e4a7e
Instruction ID: 63911d7b387a0b0ba165f019fea17a80416beab802ee67f5f6049cf9d1ae7228
Opcode Fuzzy Hash: 74d2787f0fe2ad0f5071bc3e2faeb528cec67b392b24816480e7a67ecb2e4a7e
Instruction Fuzzy Hash: DD2183755083809FCB02CF58D994715BFB1EB46314F24C5EAD8898B2A7C33A9806CBA2

Function 02C40848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab4ed43d960b6fd9da89cc673bc64eb6cea64819e3aeee32494f83aedbfbf6d
Instruction ID: f9d90aff77294eea4a963e9877ba4834c95aff741917ce6203b85f0d502cb196
Opcode Fuzzy Hash: cab4ed43d960b6fd9da89cc673bc64eb6cea64819e3aeee32494f83aedbfbf6d
Instruction Fuzzy Hash: 8B117034B402098BEF6CAA79D64476B37A5FFC5224F204939E606CF241EF61DD868BC1

Function 02C40838 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9929270bc1f31755c055b6ed1fdceb463332d632c5fb63bb44c20852977cee
Instruction ID: 8afe133278142b13b6365dd202d3e7215f4044acc5b9066df414e5bfaa20dd60
Opcode Fuzzy Hash: 4f9929270bc1f31755c055b6ed1fdceb463332d632c5fb63bb44c20852977cee
Instruction Fuzzy Hash: 2311E530B802059BEF2D6AB5D6443AB3751EFC1324F144939DA42DF281DF65CE828BC1

Function 02C480F1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b81e80239486a9be18fd9abdb6340cb68c6e8b6d2d63bcc1cbde1efd6f44b76
Instruction ID: f1496baa5021bb86ad0e7c9fcf8e0f875b473c462b349a5512306c8de3ca544e
Opcode Fuzzy Hash: 0b81e80239486a9be18fd9abdb6340cb68c6e8b6d2d63bcc1cbde1efd6f44b76
Instruction Fuzzy Hash: 5A118E34A102099FDB51EB68E89079EBBB5EB84201F5046A9D904DF258EF31BE098B81

Function 02C4148A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a78e32820496ea5df0fa21a02fafb3e328ac9945292905fb31f161fc953809
Instruction ID: c540e85fba64cb7e7695dadb5d138e8e41b2da1c9dd1e0bd43758577e5343bf9
Opcode Fuzzy Hash: 63a78e32820496ea5df0fa21a02fafb3e328ac9945292905fb31f161fc953809
Instruction Fuzzy Hash: 1511A331E002159FCB16EFB884402DF7BF5EF89224F59057AD949E7341EB79CA828B91

Function 02C41498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20852458fb6bbc20d2988490c4f0c7fe1a1956aec3a12f3ed5ba6243c2052a6a
Instruction ID: 2e015b87caeb1b9429dd73068517875b4625bb28db93535076cbd08f9bbd7896
Opcode Fuzzy Hash: 20852458fb6bbc20d2988490c4f0c7fe1a1956aec3a12f3ed5ba6243c2052a6a
Instruction Fuzzy Hash: C3014431E002159FDF25EFB9845029F7BF5EB88350F14057AD949E7301EB76C9818B91

Function 02C47090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d2aefcbbeadfa1f26b4d63fe18e07b1996e298b99001cb09b416617aeae210
Instruction ID: ec087287a8a4b4d4c1c7125bddd96f384eca939685352f08f2d1aa4289abdef5
Opcode Fuzzy Hash: c6d2aefcbbeadfa1f26b4d63fe18e07b1996e298b99001cb09b416617aeae210
Instruction Fuzzy Hash: ADF0C439B00208CFD714DB78D598BAD7BB2EF89315F5144A8E9069B3A4DF31AD42CB40

Function 02C48100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b3b75bef8cb7e2e2d554f55a6d34c8e61808a32fdebd512143c18b6f4ebf0b
Instruction ID: 103979b37f068bdd6d45ab727910e6fb3a5bd48ef7f4bad31d317c4245d9c608
Opcode Fuzzy Hash: 48b3b75bef8cb7e2e2d554f55a6d34c8e61808a32fdebd512143c18b6f4ebf0b
Instruction Fuzzy Hash: 4DF03138910259EFDB45FFA4E99079DBBB5EF40300F6086A8C505DF258EA317E099B82

Non-executed Functions

Function 05FB5028 Relevance: 13.0, Strings: 10, Instructions: 477COMMON

Download Yara Rule

Strings

$q, xrefs: 05FB55AB
$q, xrefs: 05FB513F
$q, xrefs: 05FB550D
$q, xrefs: 05FB5501
$q, xrefs: 05FB5133
$q, xrefs: 05FB5170
$q, xrefs: 05FB55C1
$q, xrefs: 05FB55B5
$q, xrefs: 05FB559F
$q, xrefs: 05FB5164

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-1298971921
Opcode ID: 1e873c310488c56726f193f9dd5ce77466a77223da30803d212497f3b9ab4358
Instruction ID: 1f7f5420964beb449f68af3c14379ea93f40d111166b2fdec3246e454c73a8d5
Opcode Fuzzy Hash: 1e873c310488c56726f193f9dd5ce77466a77223da30803d212497f3b9ab4358
Instruction Fuzzy Hash: DC123E30F00219CFEB24DB66D894BAEB7B3BF89301F248569D4069B254EB799D45CF81

Function 05FB3278 Relevance: 2.9, Strings: 2, Instructions: 408COMMON

Download Yara Rule

Strings

XPq, xrefs: 05FB33AD
\Oq, xrefs: 05FB33DD

Memory Dump Source

Source File: 00000001.00000002.2497380955.0000000005FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5fb0000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: XPq$\Oq
API String ID: 0-3725437444
Opcode ID: 5959e2de9b1d9677ed695ec509ad8f9db05e23bc0b8198f50c1e4332b96b4c24
Instruction ID: 47d42d0f4f8a9a798bef955dfaa5bdd81fe4566f5e35a619fe8e96e9b75b5382
Opcode Fuzzy Hash: 5959e2de9b1d9677ed695ec509ad8f9db05e23bc0b8198f50c1e4332b96b4c24
Instruction Fuzzy Hash: 15D1E331B50115CFEF14DB6DD890AEEBBA2FB88310F25886AD446DB391CAB9DC05C790

Function 02C441C8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vmm, xrefs: 02C4447F

Memory Dump Source

Source File: 00000001.00000002.2494804396.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c40000_231210-01-AgentTesla-2eba02.jbxd

Similarity

API ID:
String ID: \Vmm
API String ID: 0-738080011
Opcode ID: b7772a6a75a47f30cc82d16e8aa3ecc206b9f6dfce02795da23c353aad9281ef
Instruction ID: 39cae330f6c421f0b2f7fb26e0061848981be512c451a46bd171bede0bcb3506
Opcode Fuzzy Hash: b7772a6a75a47f30cc82d16e8aa3ecc206b9f6dfce02795da23c353aad9281ef
Instruction Fuzzy Hash: EEB13E70E002198FDF28CFA9D88579EBBF2BF88714F248129E815A7294DF749945CF41

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 231210-01-AgentTesla-2eba02.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Statistics

Windows Analysis Report
231210-01-AgentTesla-2eba02.exe

Function 05FB5720 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Function 05FBDD58 Relevance: 2.8, Strings: 2, Instructions: 329
COMMON

Function 05FB2B10 Relevance: 1.8, Strings: 1, Instructions: 596
COMMON

Function 05FBBD40 Relevance: 1.8, Strings: 1, Instructions: 571
COMMON

Function 02C44804 Relevance: 2.7, Strings: 2, Instructions: 201
COMMON

Function 02C44810 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Function 02C46ED8 Relevance: 2.6, Strings: 2, Instructions: 144
COMMON

Function 05FBE1F0 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON