Edit tour

Windows Analysis Report
sdss.exe

Overview

General Information

Sample name:	sdss.exe
Analysis ID:	1525387
MD5:	4459a7eb4a040e16e462aed9face5033
SHA1:	a6c388afbcfd0a2ae2810205be37c354b15feb86
SHA256:	dcc72f90c1d3aac382ba8965c68109986771562f49d4112c5be1a0e9b645f621
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

sdss.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\sdss.exe" MD5: 4459A7EB4A040E16E462AED9FACE5033)

RegSvcs.exe (PID: 7388 cmdline: "C:\Users\user\Desktop\sdss.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pgsu.co.id", "Username": "joko.wahyono@pgsu.co.id", "Password": "Vecls16@Vezs           "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.4146826420.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4146826420.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4146826420.0000000002939000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4145670932.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4145670932.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1705625500.0000000001790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1705625500.0000000001790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1705625500.0000000001790000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33549:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33665:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33741:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33867:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: sdss.exe PID: 7336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: sdss.exe PID: 7336	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7388	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7388	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 107.178.108.41, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7388, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: RegSvcs.exe.7388.1.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pgsu.co.id", "Username": "joko.wahyono@pgsu.co.id", "Password": "Vecls16@Vezs "}

Multi AV Scanner detection for submitted file

Source: sdss.exe	ReversingLabs: Detection: 50%
Source: sdss.exe	Virustotal: Detection: 40%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: sdss.exe

Joe Sandbox ML: detected

Source: sdss.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: sdss.exe, 00000000.00000003.1704378714.0000000004470000.00000004.00001000.00020000.00000000.sdmp, sdss.exe, 00000000.00000003.1704536660.0000000004610000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: sdss.exe, 00000000.00000003.1704378714.0000000004470000.00000004.00001000.00020000.00000000.sdmp, sdss.exe, 00000000.00000003.1704536660.0000000004610000.00000004.00001000.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 107.178.108.41:587

Source: Joe Sandbox View

IP Address: 107.178.108.41 107.178.108.41

Source: Joe Sandbox View

ASN Name: IOFLOODUS IOFLOODUS

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 107.178.108.41:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.pgsu.co.id

Source: RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.pgsu.co.id
Source: RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pgsu.co.id
Source: RegSvcs.exe, 00000001.00000002.4151166869.0000000005C11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.or
Source: RegSvcs.exe, 00000001.00000002.4146032385.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005C11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.4146032385.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005C11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000001.00000002.4151166869.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146032385.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005C11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.4151166869.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146032385.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005C11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: sdss.exe, 00000000.00000002.1705625500.0000000001790000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4145670932.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Source: sdss.exe, 00000000.00000003.1704378714.0000000004593000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs sdss.exe
Source: sdss.exe, 00000000.00000003.1703224936.000000000473D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs sdss.exe
Source: sdss.exe, 00000000.00000002.1705625500.0000000001790000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef1a08a05-b195-4d04-8a01-a86b7545550f.exe4 vs sdss.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: unknown	Process created: C:\Users\user\Desktop\sdss.exe "C:\Users\user\Desktop\sdss.exe"
Source: C:\Users\user\Desktop\sdss.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\sdss.exe"
Source: C:\Users\user\Desktop\sdss.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\sdss.exe"	Jump to behavior

Source: C:\Users\user\Desktop\sdss.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sdss.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sdss.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\sdss.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\sdss.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\sdss.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\sdss.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\sdss.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sdss.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sdss.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sdss.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199948	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1199078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 1198203	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8843			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 990			Jump to behavior

Source: sdss.exe, 00000000.00000002.1705411631.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: sdss.exe, 00000000.00000003.1682345899.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, jailless.0.dr	Binary or memory string: <8MWlHGFSu@RA8
Source: RegSvcs.exe, 00000001.00000002.4151166869.0000000005C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 00000001.00000002.4146826420.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4146826420.0000000002939000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4145670932.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1705625500.0000000001790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sdss.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7388, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	11 Input Capture	1 Process Discovery	Remote Desktop Protocol	11 Input Capture	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	212 Process Injection	1 Credentials in Registry	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	124 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
sdss.exe	50%	ReversingLabs	Win32.Trojan.AutoitInject
sdss.exe	40%	Virustotal		Browse
sdss.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
pgsu.co.id	0%	Virustotal		Browse
mail.pgsu.co.id	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://account.dyn.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://pgsu.co.id	0%	Virustotal		Browse
http://r10.i.lencr.org/0	0%	Virustotal		Browse
http://mail.pgsu.co.id	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pgsu.co.id	107.178.108.41	true	true	0%, Virustotal, Browse	unknown
mail.pgsu.co.id	unknown	unknown	true	0%, Virustotal, Browse	unknown

Name	Source	Malicious	Antivirus Detection	Reputation
http://pgsu.co.id	RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://r10.o.lencr.org0#	RegSvcs.exe, 00000001.00000002.4146032385.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005C11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://account.dyn.com/	sdss.exe, 00000000.00000002.1705625500.0000000001790000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4145670932.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.pgsu.co.id	RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://r10.i.lencr.or	RegSvcs.exe, 00000001.00000002.4151166869.0000000005C11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 00000001.00000002.4151166869.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146032385.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005C11000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 00000001.00000002.4151166869.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146032385.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005C11000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r10.i.lencr.org/0	RegSvcs.exe, 00000001.00000002.4146032385.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4146826420.000000000290E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4151166869.0000000005C11000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525387
Start date and time:	2024-10-04 05:15:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sdss.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
107.178.108.41	veems.exe	Get hash	malicious	AgentTesla	Browse
	kas.exe	Get hash	malicious	AgentTesla	Browse
	27.exe	Get hash	malicious	AgentTesla	Browse
	dm.exe	Get hash	malicious	AgentTesla	Browse
	sd.exe	Get hash	malicious	AgentTesla	Browse
	sspt.exe	Get hash	malicious	AgentTesla	Browse
	sspt.exe	Get hash	malicious	AgentTesla	Browse
	sspt.exe	Get hash	malicious	AgentTesla	Browse
	psss1.exe	Get hash	malicious	AgentTesla	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IOFLOODUS	veems.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41
	kas.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41
	Website_Redesign_Project.xls	Get hash	malicious	Unknown	Browse	148.163.100.180
	O9M84hUenb.elf	Get hash	malicious	Mirai, Okiru	Browse	107.178.118.181
	SecuriteInfo.com.Linux.Siggen.9999.6095.9527.elf	Get hash	malicious	Mirai	Browse	104.161.30.172
	27.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41
	file.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	107.189.171.131
	file.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	107.189.171.131
	dm.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sdss.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\jailless

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
sdss.exe

Process:	C:\Users\user\Desktop\sdss.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.7817501854922835
Encrypted:	false
SSDEEP:	6144:nvlmwi0jEEnV5lijNFazOynS+kwWRAnGM9mXvkUil:vLiO5gZcz9L9/r9zl
MD5:	D24BE234D544F2F02C5A976943263D86
SHA1:	182B1230D96B5A5F6E8604300699105FA6CD0468
SHA-256:	B0E7956CCA99629A43A2DEEE784F9771EB0AACB16E30EB34EE13ABD67674BBA9
SHA-512:	4E366E13A73164DC36853598455BB1288DA0A4D17611FCA3A66B91996B73393F6231F301BAD81F9C1A42D73AB0ACB51860D8D7E4B824FCD90EBF0F994F67BF77
Malicious:	false
Reputation:	low
Preview:	...FEUUBVA8K..08.NZPZX63r8MWD0FFUUBRA8KGA08KNZPZX6328MWD0FFU.BRA6T.O0.B.{.[...fP$$d@4)2'#?a[)/_Lk,?p(-X.[Vm..cf+:1'\|L5AcA08KNZP..63~9NWt.g UUBRA8KG.0:JE[[ZX.028EWD0FFUK.QA8kGA0.HNZP.X6.28MUD0BFUUBRA8OGA08KNZPZ\6308MWD0FDU..RA(KGQ08KNJPZH6328MWT0FFUUBRA8KG..;K.ZPZX.02~HWD0FFUUBRA8KGA08KNZ.YX:328MWD0FFUUBRA8KGA08KNZPZX6328MWD0FFUUBRA8KGA08KNZPZx63:8MWD0FFUUBRI.KG.08KNZPZX632.92<DFFUq.QA8kGA0.HNZRZX6328MWD0FFUUbRAXe52B[KNZ._X63.;MWB0FF.VBRA8KGA08KNZP.X6s.J(;+SFFYUBRA.HGA28KN.SZX6328MWD0FFU.BR.8KGA08KNZPZX6328M.G0FFUU.RA8IGD0..LZ.jY6028MVD0@FUUBRA8KGA08KNZPZX6328MWD0FFUUBRA8KGA08KNZPZX632%......k.?lKZL.g._.M..I..J.wB.Q.=R...L.....>H..Z.9....^.... .JW89....s.Q!T0eD.7,.Y....hc&.s.A/.B....h.X5..d..`e....NL....L..9?7vWCBT(y.Q ''<.P.9KGA0......ZJs.zG?XrG-....sSHn...$X63V8MW60FF4UBR.8KG.08K ZPZ&632FMWDvFFU.BRA.KGA.8KN7PZX.3283WD0.;ZZ..Q8.08KNZe...._.....q..t#.F.%y......3`.7%.3s....L.S..VbSMm..]Y077:JSG<{H....`:OCD2?OMVmT......q......3....=.L8KNZPZ.63.8MW.F.UUB.A.K..08K.P.X.3...W

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.271917343911407
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sdss.exe
File size:	1'182'259 bytes
MD5:	4459a7eb4a040e16e462aed9face5033
SHA1:	a6c388afbcfd0a2ae2810205be37c354b15feb86
SHA256:	dcc72f90c1d3aac382ba8965c68109986771562f49d4112c5be1a0e9b645f621
SHA512:	225ffbea03ace2d7a0943864c84ab41600266741b104f0e3a304b96f13a99476a75111f07e0ac906165a2d24fac3ceba60dadfac5a2ecaf8f73c4182a7c586f8
SSDEEP:	24576:WfmMv6Ckr7Mny5QbMp1LpiEYKRh/+EeNwEh:W3v+7/5QbMp1LpiEn1+EIwEh
TLSH:	8C45D012B2C680F5D99238711936E3169BF575383236CC8797E02E66BEEF1405E2EF61
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x136e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x136e8	0x13800	c9173f7c8b271253d012f4d842cddf75	False	0.09770633012820513	data	3.2802381666465874	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab448	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab570	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab698	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab7c0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 30236 x 30236 px/m	English	Great Britain	0.06435584999408495
RT_MENU	0xbbfe8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xbc038	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xbc138	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xbc668	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xbccf8	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xbd138	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xbd738	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xbdd98	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xbe120	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xbe278	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xbe290	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xbe2a8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xbe2c0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xbe2d8	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xbe478	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 05:15:59.175029993 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:15:59.180811882 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:15:59.181075096 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:15:59.788866997 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:15:59.790612936 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:15:59.795687914 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:15:59.946120977 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:15:59.946576118 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:15:59.951823950 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.104113102 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.112251997 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:00.117455959 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.301810980 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.301856995 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.301894903 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.301932096 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.301955938 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:00.302103043 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:00.326875925 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:00.332565069 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.483603001 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.499381065 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:00.504657984 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.654834986 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.655977964 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:00.661120892 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.812479019 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.814584017 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:00.819518089 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.974277973 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:00.974616051 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:00.980365038 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:01.131561995 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:01.131983042 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:01.137469053 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:01.519829988 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:01.520463943 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:01.525496960 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:01.675937891 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:01.676574945 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:01.676671028 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:01.676671028 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:01.676671028 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:16:01.681615114 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:01.681648016 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:01.681734085 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:01.681761980 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:01.896121025 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:16:01.946158886 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:17:37.977390051 CEST	49730	587	192.168.2.4	107.178.108.41
Oct 4, 2024 05:17:37.982595921 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:17:38.133923054 CEST	587	49730	107.178.108.41	192.168.2.4
Oct 4, 2024 05:17:38.140494108 CEST	49730	587	192.168.2.4	107.178.108.41

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 05:15:57.959918976 CEST	59093	53	192.168.2.4	1.1.1.1
Oct 4, 2024 05:15:58.962186098 CEST	59093	53	192.168.2.4	1.1.1.1
Oct 4, 2024 05:15:59.159610033 CEST	53	59093	1.1.1.1	192.168.2.4
Oct 4, 2024 05:15:59.159660101 CEST	53	59093	1.1.1.1	192.168.2.4
Oct 4, 2024 05:16:16.172290087 CEST	53	61968	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	23:15:54
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\sdss.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\sdss.exe"
Imagebase:	0x400000
File size:	1'182'259 bytes
MD5 hash:	4459A7EB4A040E16E462AED9FACE5033
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1705625500.0000000001790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1705625500.0000000001790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1705625500.0000000001790000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true