ID: 409479
Sample Name: BL COPY-pdf.exe
Cookbook: default.jbs
Time: 09:09:25
Date: 10/05/2021
Version: 32.0.0 Black Diamond

Copyright Joe Security LLC 2021

Analysis Report BL COPY-pdf.exe

Overview

General Information

Sample Name: BL COPY-pdf.exe
Analysis ID: 409479
MD5: c197c051a27543…
SHA1: 39d7ea1f2311ac8…
SHA256: a0e9aa9f5686594…
Tags: exe

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Verdict: malicious (scale: clean / suspicious / malicious)

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large strings
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Machine Learning detection for sample
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was still running
Sample file is different than original file name gathered from version info
Tries to load missing DLLs

Classification

Family: AgentTesla. Radar axes: Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot.

Startup

System is w10x64
BL COPY-pdf.exe (PID: 4012 cmdline: 'C:\Users\user\Desktop\BL COPY-pdf.exe' MD5: C197C051A27543708050B0B8F30F4D02)
  cmd.exe (PID: 4220 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    timeout.exe (PID: 5748 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
cleanup

Malware Configuration

Threatname: Agenttesla

{ "Exfil Mode": "SMTP", "SMTP Email": "[email protected]", "SMTP Server": "mail.soonlogistics.com", "SMTP Password": "admin6640!" }

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.282514016.0000000007DD2000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: BL COPY-pdf.exe PID: 4012 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.BL COPY-pdf.exe.7dd20e0.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.BL COPY-pdf.exe.7e17700.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.BL COPY-pdf.exe.7e17700.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.BL COPY-pdf.exe.7dd20e0.6.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection • Compliance • System Summary • Data Obfuscation • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Protection Evasion • Language, Device and Operating System Detection • Stealing of Sensitive Information • Remote Access Functionality


AV Detection:

Found malware configuration

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

System Summary:

.NET source code contains very large strings

Anti Debugging:

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Stealing of Sensitive Information:

Yara detected AgentTesla

Remote Access Functionality:

Yara detected AgentTesla

Mitre Att&ck Matrix

Techniques that carry a count matched one or more signatures in this run; the remaining entries are the matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 1 1; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 1 3 1; Process Injection 1 1; Timestomp 1; DLL Side-Loading 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery 2 1; Process Discovery 1; Virtualization/Sandbox Evasion 1 3 1; File and Directory Discovery 1; System Information Discovery 1 2; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service

Behavior Graph

ID: 409479; Sample: BL COPY-pdf.exe; Startdate: 10/05/2021; Architecture: WINDOWS; Score: 80

BL COPY-pdf.exe (.Net C# or VB.NET; malicious)
  signatures: Multi AV Scanner detection for submitted file; Found malware configuration; Yara detected AgentTesla; 3 other signatures; Hides threads from debuggers
  dropped: C:\Users\user\AppData\...\BL COPY-pdf.exe.log (ASCII)
  started: cmd.exe
    started: conhost.exe
    started: timeout.exe

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
BL COPY-pdf.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
BL COPY-pdf.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 409479
Start date: 10.05.2021
Start time: 09:09:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 14s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: BL COPY-pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.troj.evad.winEXE@6/1@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe

Warnings: Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BL COPY-pdf.exe.log

Process: C:\Users\user\Desktop\BL COPY-pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1039
Entropy (8bit): 5.365622957937216
Encrypted: false
SSDEEP: 24:MLU84qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7GE4Ks:Mgv2HKXwYHKhQnoPtHoxHhAHKzvGHKs
MD5: 8661DEF1A785B33817416A73C5B2C3DD
SHA1: 3341588F1C06BFFDDCCCF2EDE4F62D6D5F7AACA9
SHA-256: BF8FD626E9B119BF1F5045CAB9B6A2A773FB44ADCCB303B807CF650CE50758DD
SHA-512: 035155C37E203345617D0679BC0F544E492BA0FBCC8CD42DA91FA721011BAE29095DE36F5D54CC08FF31B70DBD0FEB3DA82DDC9DD36F2D37B7EFE822DA5FBACC
Malicious: true
Reputation: moderate, very likely benign file

This is the CLR's per-process assembly-usage log, which the .NET runtime writes for any managed executable it runs; the preview holds only assembly-binding records and the reputation field above rates the file very likely benign. The Malicious flag follows from the process that wrote it, not from its content. Its value for an investigator is as evidence of which assemblies the sample loaded.

Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutra

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 2.5724965580422827 (low for a 2.9 MB executable: most of the file is repetitive, uncompressed data rather than a packed or encrypted payload)
TrID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%; Win32 Executable (generic) a (10002005/4) 49.97%; Generic Win/DOS Executable (2004/3) 0.01%; DOS Executable Generic (2002/1) 0.01%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: BL COPY-pdf.exe
File size: 2919936
MD5: c197c051a27543708050b0b8f30f4d02
SHA1: 39d7ea1f2311ac8968f03f3693a557f532acd084
SHA256: a0e9aa9f568659436c4cff3d544a8d4d195ca9a6b30e8a7cdd5aeeeaa8e7d90f
SHA512: eb432530e5bf974e28f31fc8f983f891f2319f237364364ec7e24cb8172e9c25eae2bab5ac67e5e56a924a968a4f699b7ea4ff815da140d9f924e6abf9aaf66a
SSDEEP: 12288:f5vnsjbojWePGAaBzXRKviETxx2lGxzSlsWSKecMpUgMnZ2BAabpjEsxzlEcILg0:
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L..... i...... "...0...,...... ~.,...... ,...@...... -...... @......

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x6ca37e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xDF69AC0D [Sun Oct 10 11:01:33 2088 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

The time stamp lies 67 years after the 10.05.2021 analysis date, which is what the "Binary contains a suspicious time stamp" signature reports. Deterministic .NET builds also write a hash-derived, non-chronological value into this field, so on its own it is weak evidence of tampering; it does, however, rule the field out as a build-date indicator for this sample.

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the remainder of the preview repeats add byte ptr [eax], al: these are zero bytes following the stub, not code)

The target 0x402000 is Imagebase 0x400000 plus the IAT RVA 0x2000 listed under Data Directories; that single 8-byte IAT entry is the mscoree.dll _CorExeMain import shown under Imports. This is the standard native entry stub of a 32-bit .NET executable, which hands control straight to the CLR, so the entry point says nothing about the managed code itself.

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2ca324 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2cc000 | 0x5a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2ce000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2c8384 | 0x2c8400 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x2cc000 | 0x5a8 | 0x600 | False | 0.417317708333 | data | 4.07665575551 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2ce000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

.text accounts for 0x2c8400 (2917376) of the 2919936 bytes in the file, so the whole-file entropy of 2.57 under Static File Info is effectively this section's figure; the report lists the per-section values for .text as unknown.

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x2cc0a0 | 0x31c | data | |
RT_MANIFEST | 0x2cc3bc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

_CorExeMain is the only native import any managed executable has, so the Import Hash given under Static PE Info groups this file with every other .NET binary rather than with a family; it is not a useful pivot here.

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2021
Assembly Version | 1.0.0.0
InternalName | vaporware.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | vaporware
ProductVersion | 1.0.0.0
FileDescription | vaporware
OriginalFilename | vaporware.exe

The OriginalFilename vaporware.exe does not match the submitted name BL COPY-pdf.exe, which is the mismatch the "Sample file is different than original file name gathered from version info" signature reports; the submitted name itself imitates a PDF document.
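The static fields above (the far-future time stamp, the DllCharacteristics flags, the IAT and CLR data directories, the entry stub and section entropy) are the ones a first-pass PE triage checks. The following is an added example, not Joe Sandbox's code: it builds a minimal PE32 image in memory that carries the report's values for those fields (section contents and all other header fields are filler, an assumption) and then parses it with only the standard library, so it runs offline; the same triage() works on any real PE32 read from disk.

```python
"""Static PE triage over the fields the report lists under Static PE Info.

Added example. The PE32 image is constructed in memory so this runs offline:
its time stamp, DllCharacteristics, IAT/CLR data directories and the entry
stub are the values the report gives; section contents and every other
header field are filler (assumptions)."""
import math
import struct
from datetime import datetime, timedelta, timezone

ANALYSIS_DATE = datetime(2021, 5, 10, tzinfo=timezone.utc)  # report date
IAT, COM_DESCRIPTOR = 12, 14                                 # data-directory indices
DLL_CHARS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}


def build_pe(timestamp=0xDF69AC0D, entry_rva=0x2100, image_base=0x400000):
    """Minimal PE32: .text holds the .NET entry stub `jmp dword ptr [IAT]`;
    the rest of the section is zero padding, as in the report's preview."""
    stub = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)   # jmp dword ptr [00402000h]
    text = (b"\0" * (entry_rva - 0x2000) + stub).ljust(0x200, b"\0")
    rsrc = bytes(range(256)) * 2                                   # stand-in resource bytes
    sections = [(b".text", 0x2000, text, 0x60000020),              # CODE | EXECUTE | READ
                (b".rsrc", 0x4000, rsrc, 0x40000040)]              # INITIALIZED_DATA | READ
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2ca324, 0x57)              # IMPORT: mscoree.dll!_CorExeMain
    dirs[IAT] = (0x2000, 0x8)               # the one slot the stub jumps through
    dirs[COM_DESCRIPTOR] = (0x2008, 0x48)   # CLR header => managed executable
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 8, 0, len(text), len(rsrc), 0, entry_rva, 0x2000, 0x4000,
                      image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x6000, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x0022)
    hdrs, raw, ptr = b"", b"", 0x200
    for name, rva, data, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), rva, len(data), ptr, 0, 0, 0, 0, chars)
        raw, ptr = raw + data, ptr + len(data)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + raw


def parse_pe(data):
    """Parse just what the triage needs (PE32 only)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, rva, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, data[rawptr:rawptr + rawsize], chars))
    return {"timestamp": timestamp, "entry": entry, "image_base": image_base,
            "dllchars": dllchars, "dirs": dirs, "sections": sections}


def entropy(buf):
    """Shannon entropy in bits per byte (0..8), the scale the report uses."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def rva_bytes(pe, rva, n):
    """Read n bytes at an RVA from whichever section contains it."""
    for _, srva, _, raw, _ in pe["sections"]:
        if srva <= rva < srva + len(raw):
            return raw[rva - srva:rva - srva + n]
    return b""


def triage(data, analysis_date=ANALYSIS_DATE):
    """The static findings a reviewer wants from the headers alone."""
    pe = parse_pe(data)
    built = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=pe["timestamp"])
    stub = rva_bytes(pe, pe["entry"], 6)
    iat_rva = pe["dirs"][IAT][0]
    return {
        "timestamp": built,
        "suspicious_timestamp": built > analysis_date,      # stamped after it was analysed
        "managed": pe["dirs"][COM_DESCRIPTOR][1] > 0,       # CLR header present
        # canonical x86 .NET entry: jmp through the single IAT slot (mscoree!_CorExeMain)
        "entry_is_clr_stub": stub[:2] == b"\xff\x25"
                             and struct.unpack("<I", stub[2:6])[0] == pe["image_base"] + iat_rva,
        "dll_characteristics": sorted(n for f, n in DLL_CHARS.items() if pe["dllchars"] & f),
        "section_entropy": {name: round(entropy(raw), 2) for name, _, _, raw, _ in pe["sections"]},
    }


if __name__ == "__main__":
    for key, value in triage(build_pe()).items():
        print(f"{key}: {value}")
```

On the constructed image triage() reports the 2088 stamp as suspicious, a managed executable, a CLR entry stub, the four DllCharacteristics flags the report lists, and near-zero entropy for the zero-padded .text; pass `open(path, "rb").read()` instead of build_pe() for a real file.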

Network Behavior

No network behavior found. The SMTP server named in the extracted configuration was therefore not contacted during this run; note that the analysis stop reason was Timeout and the "Sample execution stops while process was still running" signature fired, so the absence of traffic is not evidence that the sample lacks exfiltration.

Code Manipulations

Statistics

Behavior

• BL COPY-pdf.exe • cmd.exe • conhost.exe • timeout.exe


System Behavior

Analysis Process: BL COPY-pdf.exe PID: 4012 Parent PID: 5720

General

Start time: 09:10:39
Start date: 10/05/2021
Path: C:\Users\user\Desktop\BL COPY-pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\BL COPY-pdf.exe'
Imagebase: 0xd00000 (relocated from the preferred 0x400000 by ASLR; the file sets DYNAMIC_BASE)
File size: 2919936 bytes
MD5 hash: C197C051A27543708050B0B8F30F4D02
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches: Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.282514016.0000000007DD2000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

File Activities

File Created

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
C:\Users\user | read data or list directory | synchronize | device | directory file | synchronous io non alert | open for backup ident | open reparse point | object name collision | 1 | 6DF0CF06 | unknown
C:\Users\user\AppData\Roaming | read data or list directory | synchronize | device | directory file | synchronous io non alert | open for backup ident | open reparse point | object name collision | 1 | 6DF0CF06 | unknown
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BL COPY-pdf.exe.log | read attributes | synchronize | generic write | device | synchronous io non alert | non directory file | success or wait | 1 | 6E21C78D | CreateFileW

File Written

Source File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BL COPY-pdf.exe.log | unknown | 1039 | 31 2c 22 66 75 73 69 6f 6e 22 2c 22 47 41 43 22 2c 30 0d 0a 31 2c 22 57 69 6e 52 54 22 2c 22 4e 6f 74 41 70 70 22 2c 31 0d 0a 32 2c 22 4d 69 63 72 6f 73 6f 66 74 2e 56 69 73 75 61 6c 42 61 73 69 63 2c 20 56 65 72 73 69 6f 6e 3d 31 30 2e 30 2e 30 2e 30 2c 20 43 75 6c 74 75 72 65 3d 6e 65 75 74 72 61 6c 2c 20 50 75 62 6c 69 63 4b 65 79 54 6f 6b 65 6e 3d 62 30 33 66 35 66 37 66 31 31 64 35 30 61 33 61 22 2c 30 0d 0a 33 2c 22 53 79 73 74 65 6d 2c 20 56 65 72 73 69 6f 6e 3d 34 2e 30 2e 30 2e 30 2c 20 43 75 6c 74 75 72 65 3d 6e 65 75 74 72 61 6c 2c 20 50 75 62 6c 69 63 4b 65 79 54 6f 6b 65 6e 3d 62 37 37 61 35 63 35 36 31 39 33 34 65 30 38 39 22 2c 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 61 73 73 65 6d 62 6c 79 5c 4e 61 74 69 76 65 49 6d 61 67 65 73 5f 76 34 2e 30 | 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0 | success or wait | 1 | 6E21C907 | WriteFile

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DEE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6DEE5705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6DE403DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DEECA54 | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6DE403DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6DE403DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux | unknown | 864 | success or wait | 1 | 6DE403DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6DE403DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DEE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6DEE5705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6CD51B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | end of file | 1 | 6CD51B4F | ReadFile
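The only file the sample wrote is its CLR usage log (listed under Created / dropped Files and in the File Created and File Written tables above), and the .ni.dll.aux reads are the native images of the same assemblies. On a compromised host that log is often the one durable trace of what a .NET sample loaded. The parser below is an added example, not code from the report or from Joe Sandbox: the sample lines are constructed from the report's preview of BL COPY-pdf.exe.log (the truncated final record is left out), and the meaning of the leading record-type digit (1 = binder setting, 2 = assembly bound, 3 = assembly bound with its NGEN image path) is inferred from those lines rather than documented on the page. The Microsoft public key tokens it allowlists are the well-known framework ones.

```python
"""Parse a CLR usage log (...\\CLR_v4.0_32\\UsageLogs\\<exe>.log) into the
assemblies a .NET process loaded.

Added example; SAMPLE_LOG is constructed from the report's preview and the
record-type semantics are inferred from it (assumptions)."""
import csv
import io

SAMPLE_LOG = r'''1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0
'''

# Public key tokens Microsoft strong-names its framework assemblies with.
MICROSOFT_TOKENS = {"b77a5c561934e089", "b03f5f7f11d50a3a", "31bf3856ad364e35"}


def parse_display_name(display):
    """'Name, Version=..., Culture=..., PublicKeyToken=...' -> (name, {attr: value})."""
    name, *attrs = (part.strip() for part in display.split(","))
    return name, dict(a.split("=", 1) for a in attrs if "=" in a)


def parse_usage_log(text):
    """One dict per assembly record (types 2 and 3); type 1 rows are binder
    settings (fusion/GAC, WinRT) and name no assembly."""
    assemblies = []
    for row in csv.reader(io.StringIO(text)):      # fields are quoted CSV, no escaping
        if not row or row[0] not in ("2", "3"):
            continue
        name, attrs = parse_display_name(row[1])
        native = row[2] if row[0] == "3" else None  # type 3 carries the NGEN image path
        assemblies.append({"name": name, "native_image": native, **attrs})
    return assemblies


def summarize(assemblies):
    """Triage view: what ran, and anything not strong-named by Microsoft."""
    return {
        "names": [a["name"] for a in assemblies],
        # unsigned (PublicKeyToken=null) or third-party assemblies deserve a look
        "non_microsoft": [a["name"] for a in assemblies
                          if a.get("PublicKeyToken", "null") not in MICROSOFT_TOKENS],
        "uses_visualbasic_runtime": any(a["name"] == "Microsoft.VisualBasic" for a in assemblies),
        "ngen_images": [a["native_image"] for a in assemblies if a["native_image"]],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_usage_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

For the report's sample every assembly is a Microsoft framework one, which matches its "Programmed in: .Net C# or VB.NET" entry; the Microsoft.VisualBasic reference alongside the other framework assemblies is consistent with a VB.NET build but does not prove it. An assembly with PublicKeyToken=null in such a log would be the first thing to pull from disk.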

Analysis Process: cmd.exe PID: 4220 Parent PID: 4012

General

Start time: 09:10:46
Start date: 10/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

No entries

Analysis Process: conhost.exe PID: 3292 Parent PID: 4220

General

Start time: 09:10:46
Start date: 10/05/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: timeout.exe PID: 5748 Parent PID: 4220

General

Start time: 09:10:47
Start date: 10/05/2021
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 1
Imagebase: 0xcb0000
File size: 26112 bytes
MD5 hash: 121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

No entries
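The process records above show the whole observable behaviour of the run: a .NET executable in the user's Desktop folder spawns cmd.exe to run nothing but `timeout 1`, which in turn starts conhost.exe and timeout.exe. No Sigma rule matched, but the parent-child shape is a cheap telemetry pivot. The following is an added example written for this report, not a Joe Sandbox or Sigma rule: the process list is constructed from the PIDs, paths and command lines in the System Behavior section, and the user-writable path list and the regular expressions are my own choices. It also shows the one benign oddity in the data, the command line naming System32\cmd.exe while the image ran from SysWOW64, which is WoW64 file-system redirection for a 32-bit parent and not masquerading.

```python
"""Process-tree triage over the records the report lists under System Behavior.

Added example; PROCESSES is constructed from the report, the rule is mine."""
import re
from pathlib import PureWindowsPath

PROCESSES = [
    {"pid": 4012, "ppid": 5720, "path": r"C:\Users\user\Desktop\BL COPY-pdf.exe",
     "cmdline": r"'C:\Users\user\Desktop\BL COPY-pdf.exe'"},
    {"pid": 4220, "ppid": 4012, "path": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"'C:\Windows\System32\cmd.exe' /c timeout 1"},
    {"pid": 3292, "ppid": 4220, "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 5748, "ppid": 4220, "path": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": r"timeout 1"},
]

# Locations an unprivileged user can write to (an assumption; extend per estate).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|documents|appdata)\\", re.I)
# A shell whose first job is to wait: `cmd /c timeout N` or `timeout /t N`,
# with or without further commands chained after it.
TIMEOUT_SHELL = re.compile(r"/c\s+timeout\s+(?:/t\s+)?\d+", re.I)


def build_tree(processes):
    by_pid = {p["pid"]: p for p in processes}
    children = {}
    for p in processes:
        children.setdefault(p["ppid"], []).append(p)
    return by_pid, children


def descendants(children, pid):
    out = []
    for child in children.get(pid, []):
        out.append(child)
        out.extend(descendants(children, child["pid"]))
    return out


def is_wow64_redirect(path, cmdline):
    """True when System32 in the command line resolved to SysWOW64 on disk.
    Windows applies this file-system redirection to 32-bit parents (the report
    marks the sample Wow64); it is not path masquerading by the sample."""
    return "\\system32\\" in cmdline.lower() and "\\syswow64\\" in path.lower()


def find_timeout_shells(processes):
    """Flag cmd.exe started by an executable in a user-writable path to run `timeout`."""
    by_pid, children = build_tree(processes)
    hits = []
    for p in processes:
        if PureWindowsPath(p["path"]).name.lower() != "cmd.exe":
            continue
        if not TIMEOUT_SHELL.search(p["cmdline"]):
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None or not USER_WRITABLE.match(parent["path"]):
            continue
        hits.append({
            "parent": parent["path"],
            "cmdline": p["cmdline"],
            "wow64_redirect": is_wow64_redirect(p["path"], p["cmdline"]),
            # full chain: parent, the shell, and everything the shell started
            "chain": [parent["pid"], p["pid"]] + [d["pid"] for d in descendants(children, p["pid"])],
        })
    return hits


if __name__ == "__main__":
    for hit in find_timeout_shells(PROCESSES):
        print(hit)
```

On the report's records this yields one hit with the chain 4012 -> 4220 -> 3292, 5748. Installers and admin scripts run from Downloads also use `cmd /c timeout`, so in production the rule is a hunting or enrichment query rather than an alert on its own; pair it with the parent's signer and prevalence.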

Disassembly

Code Analysis
