DYNAMIC ANALYSIS REPORT #6816650
Classifications: Spyware
Verdict: MALICIOUS
Threat Names: Agent Tesla v3, Mal/Generic-S, Trojan.GenericKD.37357258
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe
ID #2588924
MD5 31e1f96a97f41b0d8e2595424359b968
SHA1 1c15f9447b5cf9c8246dfbe07ccf793301f45dc5
SHA256 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a
File Size 702.00 KB
Report Created 2021-08-07 05:50 (UTC+2)
Target Environment win7_64_sp1_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 17 DYNAMIC ANALYSIS REPORT #6816650
OVERVIEW
VMRay Threat Identifiers (18 rules, 33 matches)
Score Category Operation Count Classification
5/5 YARA Malicious content matched by YARA rules 1 Spyware
• Rule "AgentTesla_StringDecryption_v3" from ruleset "Malware" has matched on a memory dump for (process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe.
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: Postbox, BlackHawk, Opera Mail, FTP Navigator, Comodo IceDragon, Ipswitch WS_FTP, Mozilla Thunderbird, k-Meleon, Opera, IncrediMail, WinSCP.
4/5 Reputation Known malicious file 1 -
• Reputation analysis labels the sample itself as "Mal/Generic-S".
4/5 Antivirus Malicious content was detected by heuristic scan 1 -
• Built-in AV detected the sample itself as "Trojan.GenericKD.37357258".
2/5 Data Collection Reads sensitive browser data 4 -
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of web browser "BlackHawk" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of web browser "k-Meleon" by file.
2/5 Data Collection Reads sensitive ftp data 2 -
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of ftp application "FTP Navigator" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of ftp application "Ipswitch WS_FTP" by file.
2/5 Data Collection Reads sensitive mail data 4 -
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of mail application "Opera Mail" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of mail application "Postbox" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of mail application "IncrediMail" by registry.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.
2/5 Data Collection Reads sensitive application data 1 -
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of application "WinSCP" by registry.
2/5 Injection Writes into the memory of a process started from a created or modified executable 1 -
• (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe modifies memory of (process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe.
2/5 Injection Modifies control flow of a process started from a created or modified executable 1 -
• (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe alters context of (process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe.
1/5 Mutex Creates mutex 1 -
• (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe creates mutex with name "AOaflTiLYojLiB".
1/5 Hide Tracks Creates process with hidden window 1 -
• (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe starts (process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe with a hidden window (process #2 is the child with PID 3848, parent PID 3740; see Process #2 below).
1/5 Obfuscation Reads from memory of another process 1 -
• (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe reads from (process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe.
1/5 Obfuscation Creates a page with write and execute permissions 1 -
• (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 Privilege Escalation Enables process privilege 1 -
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe enables process privilege "SeDebugPrivilege".
1/5 Discovery Possibly does reconnaissance 9 -
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "blackHawk" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "FTP Navigator" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "Opera Mail" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "WinSCP" by registry.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "Comodo IceDragon" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "Postbox" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "WS_FTP" by file.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "Qualcomm Eudora" by registry.
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "k-Meleon" by file.
1/5 Obfuscation Resolves API functions dynamically 1 -
• (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe resolves 42 API functions by name.
1/5 Execution Executes itself 1 -
• (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe executes a copy of the sample at C:\Users\kEecfMwgj\Desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe.
Mitre ATT&CK Matrix
Tactic | Techniques observed
Initial Access | -
Execution | -
Persistence | -
Privilege Escalation | -
Defense Evasion | #T1143 Hidden Window; #T1045 Software Packing
Credential Access | #T1081 Credentials in Files; #T1214 Credentials in Registry
Discovery | #T1083 File and Directory Discovery; #T1012 Query Registry
Lateral Movement | -
Collection | #T1119 Automated Collection; #T1005 Data from Local System
Exfiltration | -
Command and Control | -
Impact | -
Technique IDs are as printed by the analyzer and predate the ATT&CK v7 sub-technique reorganisation. When mapping to a current matrix, T1143 corresponds to T1564.003, T1045 to T1027.002, T1081 to T1552.001 and T1214 to T1552.002; T1083, T1012, T1119 and T1005 keep their IDs.
Sample Information
ID #2588924
MD5 31e1f96a97f41b0d8e2595424359b968
SHA1 1c15f9447b5cf9c8246dfbe07ccf793301f45dc5
SHA256 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a
SSDeep 12288:vrBmb0Abs1YXPqKGT57NIVJgnahQtSFWGUorEl0T87LRBmzchQf3t2NjFG:A0l1ulGl7NIVUahQcTOuyyzcSMNjs
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Name 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe
File Size 702.00 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-08-07 05:50 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 2
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 1
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 1
NETWORK
General
0 bytes total sent
0 bytes total received
0 ports
0 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors
HTTP/S
0 URLs contacted, 0 servers
0 sessions, 0 bytes sent, 0 bytes received
Note on reading these zeros: process #2, the child into which process #1 writes code and whose thread context it rewrites, was still running when the analysis reached its timeout (see "Terminated by Timeout" under Process #2), and the run is marked "Execution Successful: False". The empty network section therefore shows only that no exfiltration attempt fell inside the monitored window; it is not evidence that the sample has no command-and-control or exfiltration channel, which is also why the Mitre matrix lists nothing under Exfiltration or Command and Control.
BEHAVIOR
Process Graph
Sample Start
  -> Process #1: 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe (PID 3740)
       -> Process #2: 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe (PID 3848), started by #1 as Child Process; #1 performs Modify Memory and Modify Control Flow on #2
Process #1: 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe
ID 1
File Name c:\users\keecfmwgj\desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe
Command Line "C:\Users\kEecfMwgj\Desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 39524, Reason: Analysis Target
Unmonitor End Time End Time: 151442, Reason: Terminated
Monitor duration 111.92s
Return Code 0
PID 3740
Parent PID 876
Bitness 32 Bit
Dropped Files (1)
File Name | File Size | SHA256 | YARA Match
c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat (path from the Artifacts table) | 108.45 KB | 3d4ceb30de7084217f4d0a81e74b1d703b1a39c0a6bdd4f98d56aef2a65ffc6a | -
Host Behavior
Type Count
Registry 4
Process 1
File 20
Module 33
Window 6
Mutex 2
- 3
- 7
Process #2: 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe
ID 2
File Name c:\users\keecfmwgj\desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe
Command Line "C:\Users\kEecfMwgj\Desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 149105, Reason: Child Process
Unmonitor End Time End Time: 279817, Reason: Terminated by Timeout
Monitor duration 130.71s
Return Code Unknown
PID 3848
Parent PID 3740
Bitness 32 Bit
Injection Information (6)
Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success Count
Modify Memory | #1: c:\users\keecfmwgj\desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | 0xea0 | 0x400000 (4194304) | 0x200 | 1
Modify Memory | #1: c:\users\keecfmwgj\desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | 0xea0 | 0x402000 (4202496) | 0x35600 | 1
Modify Memory | #1: c:\users\keecfmwgj\desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | 0xea0 | 0x438000 (4423680) | 0x400 | 1
Modify Memory | #1: c:\users\keecfmwgj\desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | 0xea0 | 0x43a000 (4431872) | 0x200 | 1
Modify Memory | #1: c:\users\keecfmwgj\desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | 0xea0 | 0x7efde008 (2130567176) | 0x4 | 1
Modify Control Flow | #1: c:\users\keecfmwgj\desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | 0xea0 / 0xf0c | - | - | 1
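The six rows above read as one sequence: a header-sized write at 0x400000, three page-aligned writes inside that image, one 4-byte write far outside it, then a thread-context change on TID 0xf0c. The following Python script is an added example (editor's code, not part of the VMRay report and not code from the sample): it transcribes those rows and applies a simple RunPE-style heuristic to them. The alignment constants, the 16 MiB image span, and the reading of 0x7efde008 as PEB.ImageBaseAddress of a 32-bit Windows 7 process are assumptions, not facts stated by the report.

```python
"""Triage a sandbox injection table for a process-hollowing (RunPE) sequence.

Added example; this is not VMRay's logic and not code from the sample. The
records are transcribed from the Injection Information table of this report
(process #1, PID 3740, writing into process #2, PID 3848). The heuristics and
address ranges are assumptions chosen to make the table readable as a
sequence, not a reference implementation.
"""
from dataclasses import dataclass
from typing import List, Optional

PAGE = 0x1000
IMAGE_ALIGN = 0x10000                 # PE image bases are 64 KiB aligned
MAX_IMAGE_SPAN = 16 * 1024 * 1024     # assumption: writes within 16 MiB of the base belong to the image


@dataclass(frozen=True)
class InjectionRecord:
    kind: str                  # "Modify Memory" or "Modify Control Flow"
    source_pid: int
    target_pid: int
    thread_id: int             # writer thread for memory writes, target thread for context changes
    address: Optional[int]     # None for control-flow records
    size: Optional[int]        # None for control-flow records


# Transcribed from the report's Injection Information table.
REPORT_RECORDS: List[InjectionRecord] = [
    InjectionRecord("Modify Memory", 3740, 3848, 0xEA0, 0x400000, 0x200),
    InjectionRecord("Modify Memory", 3740, 3848, 0xEA0, 0x402000, 0x35600),
    InjectionRecord("Modify Memory", 3740, 3848, 0xEA0, 0x438000, 0x400),
    InjectionRecord("Modify Memory", 3740, 3848, 0xEA0, 0x43A000, 0x200),
    InjectionRecord("Modify Memory", 3740, 3848, 0xEA0, 0x7EFDE008, 0x4),
    InjectionRecord("Modify Control Flow", 3740, 3848, 0xF0C, None, None),
]


@dataclass
class HollowingVerdict:
    image_base: Optional[int]        # base of the image written into the target
    section_writes: int              # page-aligned writes inside that image after the headers
    pointer_patch: Optional[int]     # pointer-sized write outside the image (PEB.ImageBaseAddress?)
    context_changed: bool            # a thread context of the target was rewritten

    @property
    def is_hollowing(self) -> bool:
        # Headers + at least one section body + a redirected thread is the RunPE shape.
        return self.image_base is not None and self.section_writes >= 1 and self.context_changed


def triage(records: List[InjectionRecord], target_pid: int) -> HollowingVerdict:
    """Walk the records in order and fit them to the RunPE sequence."""
    base: Optional[int] = None
    section_writes = 0
    pointer_patch: Optional[int] = None
    context_changed = False
    for r in records:
        if r.target_pid != target_pid:
            continue
        if r.kind == "Modify Control Flow":
            context_changed = True
            continue
        if r.address is None or r.size is None:
            continue
        if base is None and r.address % IMAGE_ALIGN == 0 and r.size <= PAGE:
            base = r.address              # header-sized write at an aligned base
        elif base is not None and base < r.address < base + MAX_IMAGE_SPAN and r.address % PAGE == 0:
            section_writes += 1           # section bodies mapped at their virtual addresses
        elif r.size in (4, 8):
            # One pointer outside the image. Assumption: on a 32-bit Windows 7 process the
            # PEB usually sits at 0x7efde000, so +8 is PEB.ImageBaseAddress.
            pointer_patch = r.address
    return HollowingVerdict(base, section_writes, pointer_patch, context_changed)


def describe(v: HollowingVerdict) -> List[str]:
    """Human-readable summary lines for an analyst."""
    lines: List[str] = []
    if v.image_base is not None:
        lines.append(f"PE headers written at 0x{v.image_base:x}, {v.section_writes} section write(s) follow")
    if v.pointer_patch is not None:
        lines.append(f"pointer-sized write at 0x{v.pointer_patch:x} (PEB.ImageBaseAddress patch?)")
    if v.context_changed:
        lines.append("thread context rewritten (entry point redirected)")
    lines.append("verdict: process hollowing" if v.is_hollowing else "verdict: no hollowing pattern")
    return lines


if __name__ == "__main__":
    for line in describe(triage(REPORT_RECORDS, 3848)):
        print(line)
```

The heuristic deliberately ignores the source PID and the writer thread: what makes the sequence suspicious is the shape of the writes into the target, and the report already tells us the source is a copy of the same executable.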
Host Behavior
Type Count
Registry 58
File 81
Module 59
Window 3
System 7
User 2
- 24
COM 33
Environment 7
ARTIFACTS
File
SHA256 | File Names | Category | File Size | MIME Type | Operations | Verdict
8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a | C:\Users\kEecfMwgj\Desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | Sample File | 702.00 KB | application/vnd.microsoft.portable-executable | Access | MALICIOUS
3d4ceb30de7084217f4d0a81e74b1d703b1a39c0a6bdd4f98d56aef2a65ffc6a | c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat | Dropped File | 108.45 KB | application/octet-stream | - | CLEAN
Filename
File Name | Category | Operations | Verdict
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | Accessed File | Read, Access | CLEAN
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\Desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe.config | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\Desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | Sample File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\liebao\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Amigo\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\7Star\7Star\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Torch\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Sputnik\Sputnik\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Iridium\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\QIP Surf\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Comodo\Dragon\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\CocCoc\Browser\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\360Chrome\Chrome\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\BraveSoftware\Brave-Browser\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Chromium\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\CatalinaGroup\Citrio\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Vivaldi\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Kometa\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Orbitum\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\MapleStudio\ChromePlus\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Coowon\Coowon\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\uCozMedia\Uran\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Chedot\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Opera Software\Opera Stable | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Elements Browser\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Epic Privacy Browser\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Yandex\YandexBrowser\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\CentBrowser\User Data | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\eM Client | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | Accessed File | Access | CLEAN
C:\FTP Navigator\Ftplist.txt | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\Google\Chrome\User Data\ | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Opera Mail\Opera Mail\wand.dat | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Local\falkon\profiles\profiles.ini | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Comodo\IceDragon\profiles.ini | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Postbox\profiles.ini | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\Desktop\Folder.lst | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Thunderbird\profiles.ini | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\Trillian\users\global\accounts.dat | Accessed File | Access | CLEAN
C:\Users\kEecfMwgj\AppData\Roaming\K-Meleon\profiles.ini | Accessed File | Access | CLEAN
C:\Program Files\Private Internet Access\data | Accessed File | Access | CLEAN
C:\Private Internet Access\data | Accessed File | Access | CLEAN
Mutex
Name | Operations | Parent Process Name | Verdict
AOaflTiLYojLiB | access | 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | CLEAN
Registry
Parent Process Name for every row: 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe
Registry Key | Operations | Verdict
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext | access | CLEAN
HKEY_LOCAL_MACHINE | access | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | access | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting | read, access | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger | read, access | CLEAN
HKEY_PERFORMANCE_DATA | access | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | access | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling | access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose | access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling | access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions | access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing | access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion | access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord | access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs | access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs | read, access | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting | access | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level | read, access | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST | access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std | read, access | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt | read, access | CLEAN
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions | access | CLEAN
HKEY_CURRENT_USER\Software\IncrediMail\Identities | access | CLEAN
HKEY_CURRENT_USER\Software\RimArts\B2\Settings | access | CLEAN
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine | access | CLEAN
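Taken together, the Filename and Registry tables above show one process touching the profile and credential stores of several dozen unrelated browsers, mail clients and FTP tools within a single run (the last four HKCU keys are the WinSCP session store, IncrediMail identities, the settings of Becky! Internet Mail, whose vendor is RimArts, and Eudora). That breadth, not any one path, is the detectable signal. The following Python script is an added example (editor's code, not VMRay's and not the sample's): it encodes the store locations from the two tables as patterns and raises an alert when one process, other than the store's own application, reaches a threshold of distinct stores inside a time window. The event format, the owner allow-list, the threshold of 5 stores in 60 seconds, and the timestamps in the sample events are assumptions; the events themselves are constructed, with the sample's paths copied from the report.

```python
"""Flag a process that sweeps the credential stores of many unrelated applications.

Added example; not part of the VMRay report. The path and registry patterns
are taken from the Filename and Registry artifact tables of this report. The
event format (timestamp, pid, image, path), the owner allow-list, and the
threshold of 5 distinct stores within 60 seconds are assumptions chosen for
illustration; the events at the bottom are constructed, not captured.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: float       # seconds since an arbitrary epoch (constructed)
    pid: int
    image: str      # executable name, lower case
    path: str       # file path or registry key


def normalise(path: str) -> str:
    """Lower-case, backslash-only, no trailing separator (the report prints one on the Chrome path)."""
    return path.replace("/", "\\").rstrip("\\").lower()


# (store family, pattern over the normalised path); first match wins.
STORE_PATTERNS = [
    ("chromium-user-data", re.compile(r"\\appdata\\local\\.*\\user data$")),
    ("opera-stable",       re.compile(r"\\opera software\\opera stable$")),
    ("profile-ini",        re.compile(r"\\profiles\.ini$")),   # Thunderbird, Postbox, IceDragon, K-Meleon, BlackHawk, falkon
    ("opera-mail-wand",    re.compile(r"\\opera mail\\wand\.dat$")),
    ("ftp-navigator",      re.compile(r"\\ftp navigator\\ftplist\.txt$")),
    ("ws-ftp-sites",       re.compile(r"\\ipswitch\\ws_ftp\\sites\\ws_ftp\.ini$")),
    ("trillian-accounts",  re.compile(r"\\trillian\\users\\global\\accounts\.dat$")),
    ("pia-vpn-data",       re.compile(r"\\private internet access\\data$")),
    ("winscp-sessions",    re.compile(r"^hkey_current_user\\software\\martin prikryl\\winscp 2\\sessions$")),
    ("incredimail",        re.compile(r"^hkey_current_user\\software\\incredimail\\identities$")),
    ("becky-mail",         re.compile(r"^hkey_current_user\\software\\rimarts\\b2\\settings$")),
    ("eudora",             re.compile(r"^hkey_current_user\\software\\qualcomm\\eudora\\commandline$")),
]

# An application reading its own store is normal. Assumed mapping, extend per environment.
KNOWN_OWNERS: Dict[str, str] = {
    "chrome.exe": "chromium-user-data",
    "opera.exe": "opera-stable",
    "thunderbird.exe": "profile-ini",
    "winscp.exe": "winscp-sessions",
}


def classify(path: str) -> Optional[str]:
    """Return the store family a path belongs to, or None if it is not a known credential store."""
    p = normalise(path)
    for family, rx in STORE_PATTERNS:
        if rx.search(p):
            return family
    return None


@dataclass
class SweepAlert:
    pid: int
    image: str
    first_ts: float
    stores: List[str]     # distinct normalised store paths touched within the window


def find_credential_sweeps(events: List[AccessEvent], threshold: int = 5, window: float = 60.0) -> List[SweepAlert]:
    """One alert per process that touches >= threshold distinct stores within `window` seconds."""
    per_pid: Dict[int, List[Tuple[float, str, str]]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        family = classify(e.path)
        if family is None or KNOWN_OWNERS.get(e.image) == family:
            continue
        per_pid[e.pid].append((e.ts, e.image, normalise(e.path)))
    alerts: List[SweepAlert] = []
    for pid, hits in per_pid.items():
        for i, (t0, image, _) in enumerate(hits):           # sliding window over time-ordered hits
            stores = sorted({p for (t, _, p) in hits[i:] if t - t0 <= window})
            if len(stores) >= threshold:
                alerts.append(SweepAlert(pid, image, t0, stores))
                break                                        # one alert per process is enough for triage
    return alerts


SAMPLE = "8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe"
U = r"C:\Users\kEecfMwgj"

# Constructed events: the sample's paths are copied from the report, the timestamps and the
# benign rows (chrome.exe, explorer.exe, thunderbird.exe) are made up for the example.
CONSTRUCTED_EVENTS: List[AccessEvent] = [
    AccessEvent(5.0, 1200, "chrome.exe", U + r"\AppData\Local\Google\Chrome\User Data"),
    AccessEvent(9.0, 1400, "explorer.exe", U + r"\Desktop\Folder.lst"),
    AccessEvent(10.0, 3848, SAMPLE, U + "\\AppData\\Local\\Google\\Chrome\\User Data\\"),
    AccessEvent(10.5, 3848, SAMPLE, U + r"\AppData\Local\BraveSoftware\Brave-Browser\User Data"),
    AccessEvent(11.0, 3848, SAMPLE, U + r"\AppData\Roaming\Opera Software\Opera Stable"),
    AccessEvent(11.5, 3848, SAMPLE, U + r"\AppData\Roaming\Thunderbird\profiles.ini"),
    AccessEvent(12.0, 3848, SAMPLE, U + r"\AppData\Roaming\Opera Mail\Opera Mail\wand.dat"),
    AccessEvent(12.5, 3848, SAMPLE, r"C:\FTP Navigator\Ftplist.txt"),
    AccessEvent(13.0, 3848, SAMPLE, U + r"\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini"),
    AccessEvent(13.5, 3848, SAMPLE, r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    AccessEvent(14.0, 3848, SAMPLE, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    AccessEvent(20.0, 1500, "thunderbird.exe", U + r"\AppData\Roaming\Thunderbird\profiles.ini"),
]


if __name__ == "__main__":
    for a in find_credential_sweeps(CONSTRUCTED_EVENTS):
        print(f"pid {a.pid} ({a.image}) touched {len(a.stores)} credential stores from t={a.first_ts}:")
        for s in a.stores:
            print("   ", s)
```

The owner allow-list is what keeps this from firing on a browser opening its own profile; the threshold is what keeps it from firing on a backup agent that reads one or two of these directories. Both knobs are environment-specific and are the first thing to tune when porting the logic to a real file-access or registry telemetry source.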
Process
Process Name | Commandline | Verdict
8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | "C:\Users\kEecfMwgj\Desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe" | MALICIOUS
8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | "C:\Users\kEecfMwgj\Desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe" | MALICIOUS
YARA / AV
YARA (1)
Ruleset Name | Rule Name | Rule Description | File Type | File Name | Classification | Verdict
Malware | AgentTesla_StringDecryption_v3 | Agent Tesla v3 string decryption | Memory Dump | - | Spyware | 5/5
Antivirus (1)
File Type | Threat Name | File Name | Verdict
Sample File | Trojan.GenericKD.37357258 | C:\Users\kEecfMwgj\Desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe | MALICIOUS
ENVIRONMENT
Virtual Machine Information
Name win7_64_sp1_en_mso2016
Description win7_64_sp1_en_mso2016
Architecture x86 64-bit
Operating System Windows 7
Kernel Version 6.1.7601.18741 (2e37f962-d699-492c-aaf3-f9f4e9770b1d)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.2.2
Dynamic Engine Version 4.2.2 / 07/23/2021 03:44
Static Engine Version 4.2.2.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release Date 2021-08-07 00:10:58+00:00
AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10
VTI Ruleset Version 4.2.2.31 / 2021-07-19 18:52:40
YARA Built-in Ruleset Version 4.2.2.32
Link Detonation Heuristics Version -
Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 8.0.7601.17514
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed