DYNAMIC ANALYSIS REPORT #2113970
Classifications: Injector Spyware Keylogger
MALICIOUS Threat Names: Agent Tesla v3 IL:Trojan.MSILZilla.1773
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name mn.exe
ID #839089
MD5 4fbbb9db49ac6bfeddeaf2ac8a43ae38
SHA1 4780eb9b403787e75759363f8e5ba65b72b588e1
SHA256 2d61556b631b4920af773904a0ae5011f0103be9effb7c7292e4ebe3e39f1ad5
File Size 304.69 KB
Report Created 2021-08-09 22:57 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 19 DYNAMIC ANALYSIS REPORT #2113970
OVERVIEW
VMRay Threat Identifiers (26 rules, 76 matches)
Score Category Operation Count Classification
5/5 YARA Malicious content matched by YARA rules 2 Spyware
• Rule "AgentTesla_StringDecryption_v3" from ruleset "Malware" has matched on a memory dump for (process #1) mn.exe.
• Rule "AgentTesla_StringDecryption_v3" from ruleset "Malware" has matched on a memory dump for (process #2) msbuild.exe.
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: Flock, Pocomail, WinSCP, FileZilla, OpenVPN, CoreFTP, Opera Mail, Postbox, Ipswitch WS_FTP, The B...... on, Comodo IceDragon, Opera, Internet Explorer, TigerVNC, SeaMonkey, FTP Navigator, Internet Explorer / Edge, Mozilla Thunderbird.
4/5 System Modification Modifies network configuration 1 -
• (Process #2) msbuild.exe modifies the host.conf file, probably to redirect network traffic.
4/5 Reputation Known malicious file 1 -
• The sample itself is a known malicious file.
4/5 Antivirus Malicious content was detected by heuristic scan 1 -
• Built-in AV detected a memory dump of (process #1) mn.exe as "IL:Trojan.MSILZilla.1773".
4/5 Injection Writes into the memory of another process 1 Injector
• (Process #1) mn.exe modifies memory of (process #2) msbuild.exe.
4/5 Injection Modifies control flow of another process 1 -
• (Process #1) mn.exe alters context of (process #2) msbuild.exe.
3/5 Input Capture Monitors keyboard input 1 Keylogger
• (Process #2) msbuild.exe installs system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes.
2/5 Data Collection Reads sensitive browser data 9 -
• (Process #2) msbuild.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #2) msbuild.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
• (Process #2) msbuild.exe tries to read sensitive data of web browser "k-Meleon" by file.
• (Process #2) msbuild.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
• (Process #2) msbuild.exe tries to read sensitive data of web browser "BlackHawk" by file.
• (Process #2) msbuild.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #2) msbuild.exe tries to read sensitive data of web browser "Flock" by file.
• (Process #2) msbuild.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.
• (Process #2) msbuild.exe tries to read sensitive data of web browser "Cyberfox" by file.
2/5 Data Collection Reads sensitive ftp data 5 -
• (Process #2) msbuild.exe tries to read sensitive data of ftp application "Ipswitch WS_FTP" by file.
• (Process #2) msbuild.exe tries to read sensitive data of ftp application "FTP Navigator" by file.
• (Process #2) msbuild.exe tries to read sensitive data of ftp application "CoreFTP" by file.
• (Process #2) msbuild.exe tries to read sensitive data of ftp application "CoreFTP" by registry.
• (Process #2) msbuild.exe tries to read sensitive data of ftp application "FileZilla" by file.
X-Ray Vision for Malware - www.vmray.com 2 / 19 DYNAMIC ANALYSIS REPORT #2113970
Score Category Operation Count Classification
2/5 Data Collection Reads sensitive application data 6 -
• (Process #2) msbuild.exe tries to read sensitive data of application "SeaMonkey" by file.
• (Process #2) msbuild.exe tries to read sensitive data of application "WinSCP" by registry.
• (Process #2) msbuild.exe tries to read sensitive data of application "OpenVPN" by registry.
• (Process #2) msbuild.exe tries to read sensitive data of application "TightVNC" by registry.
• (Process #2) msbuild.exe tries to read sensitive data of application "TigerVNC" by registry.
• (Process #2) msbuild.exe tries to read sensitive data of application "Internet Download Manager" by registry.
2/5 Data Collection Reads sensitive mail data 7 -
• (Process #2) msbuild.exe tries to read sensitive data of mail application "IncrediMail" by registry.
• (Process #2) msbuild.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.
• (Process #2) msbuild.exe tries to read sensitive data of mail application "Opera Mail" by file.
• (Process #2) msbuild.exe tries to read sensitive data of mail application "Pocomail" by file.
• (Process #2) msbuild.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
• (Process #2) msbuild.exe tries to read sensitive data of mail application "The Bat!" by file.
• (Process #2) msbuild.exe tries to read sensitive data of mail application "Postbox" by file.
2/5 Discovery Queries OS version via WMI 1 -
• (Process #2) msbuild.exe queries OS version via WMI.
2/5 Discovery Executes WMI query 2 -
• (Process #2) msbuild.exe executes WMI query: select * from Win32_OperatingSystem.
• (Process #2) msbuild.exe executes WMI query: SELECT * FROM Win32_Processor.
2/5 Discovery Collects hardware properties 1 -
• (Process #2) msbuild.exe queries hardware properties via WMI.
2/5 Discovery Reads network adapter information 1 -
• (Process #2) msbuild.exe reads the network adapters' addresses by API.
2/5 Anti Analysis Makes direct system call to possibly evade hooking based sandboxes 5 -
• (Process #1) mn.exe makes a direct system call to "NtUnmapViewOfSection".
• (Process #1) mn.exe makes a direct system call to "NtCreateSection".
• (Process #1) mn.exe makes a direct system call to "NtMapViewOfSection".
• (Process #1) mn.exe makes a direct system call to "NtWriteVirtualMemory".
• (Process #1) mn.exe makes a direct system call to "NtResumeThread".
1/5 Hide Tracks Creates process with hidden window 1 -
• (Process #1) mn.exe starts (process #2) msbuild.exe with a hidden window.
1/5 Obfuscation Reads from memory of another process 1 -
• (Process #1) mn.exe reads from (process #2) msbuild.exe.
1/5 Privilege Escalation Enables process privilege 1 -
• (Process #2) msbuild.exe enables process privilege "SeDebugPrivilege".
1/5 System Modification Modifies operating system directory 1 -
X-Ray Vision for Malware - www.vmray.com 3 / 19 DYNAMIC ANALYSIS REPORT #2113970
Score Category Operation Count Classification
• (Process #2) msbuild.exe creates file "tag">C:\Windows\system32\drivers\etc\hosts" in the OS directory.
1/5 Discovery Possibly does reconnaissance 22 -
• (Process #2) msbuild.exe tries to gather information about application "Qualcomm Eudora" by registry.
• (Process #2) msbuild.exe tries to gather information about application "WS_FTP" by file.
• (Process #2) msbuild.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #2) msbuild.exe tries to gather information about application "k-Meleon" by file.
• (Process #2) msbuild.exe tries to gather information about application "FTP Navigator" by file.
• (Process #2) msbuild.exe tries to gather information about application "SeaMonkey" by file.
• (Process #2) msbuild.exe tries to gather information about application "blackHawk" by file.
• (Process #2) msbuild.exe tries to gather information about application "Opera Mail" by file.
• (Process #2) msbuild.exe tries to gather information about application "Pocomail" by file.
• (Process #2) msbuild.exe tries to gather information about application "WinSCP" by registry.
• (Process #2) msbuild.exe tries to gather information about application "Foxmail" by registry.
• (Process #2) msbuild.exe tries to gather information about application "Flock" by file.
• (Process #2) msbuild.exe tries to gather information about application "Comodo IceDragon" by file.
• (Process #2) msbuild.exe tries to gather information about application "RealVNC" by registry.
• (Process #2) msbuild.exe tries to gather information about application "TightVNC" by registry.
• (Process #2) msbuild.exe tries to gather information about application "TigerVNC" by registry.
• (Process #2) msbuild.exe tries to gather information about application "CoreFTP" by file.
• (Process #2) msbuild.exe tries to gather information about application "The Bat!" by file.
• (Process #2) msbuild.exe tries to gather information about application "Cyberfox" by file.
• (Process #2) msbuild.exe tries to gather information about application "FileZilla" by file.
• (Process #2) msbuild.exe tries to gather information about application "icecat" by file.
• (Process #2) msbuild.exe tries to gather information about application "Postbox" by file.
1/5 Network Connection Performs DNS request 1 -
• (Process #2) msbuild.exe resolves host name "mail.scottbyscott.com" to IP "50.87.146.199".
1/5 Network Connection Connects to remote host 1 -
• (Process #2) msbuild.exe opens an outgoing TCP connection to host "50.87.146.199:587".
1/5 Network Connection Tries to connect using an uncommon port 1 -
• (Process #2) msbuild.exe tries to connect to TCP port 587 at 50.87.146.199.
1/5 Obfuscation Resolves API functions dynamically 1 -
• (Process #2) msbuild.exe resolves 51 API functions by name.
X-Ray Vision for Malware - www.vmray.com 4 / 19 DYNAMIC ANALYSIS REPORT #2113970
Mitre ATT&CK Matrix
Privilege Defense Credential Lateral Command Initial Access Execution Persistence Discovery Collection Exfiltration Impact Escalation Evasion Access Movement and Control
#T1047 #T1081 #T1083 File #T1119 #T1090 Windows #T1179 #T1179 #T1143 Hidden Credentials in and Directory Automated Connection Management Hooking Hooking Window Files Discovery Collection Proxy Instrumentation #T1045 #T1214 #T1005 Data #T1065 #T1012 Query Software Credentials in from Local Uncommonly Registry Packing Registry System Used Port #T1082 #T1003 System #T1056 Input Credential Information Capture Dumping Discovery #T1016 System #T1056 Input Network Capture Configuration Discovery
#T1179 Hooking
X-Ray Vision for Malware - www.vmray.com 5 / 19 DYNAMIC ANALYSIS REPORT #2113970
Sample Information
ID #839089
MD5 4fbbb9db49ac6bfeddeaf2ac8a43ae38
SHA1 4780eb9b403787e75759363f8e5ba65b72b588e1
SHA256 2d61556b631b4920af773904a0ae5011f0103be9effb7c7292e4ebe3e39f1ad5
SSDeep 6144:M88JIphs5XmsvJhFaFuKRnHHmQ/70Bb0crcTxWFs63BpUlIOSf3HggC:x8JbJmsvnF8Rm264cKxAxBeKA
ImpHash 8c9e2729b91e6cd98523a27cc78ab06c
File Name mn.exe
File Size 304.69 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-08-09 22:57 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 2
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 1
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 2
X-Ray Vision for Malware - www.vmray.com 6 / 19 DYNAMIC ANALYSIS REPORT #2113970
X-Ray Vision for Malware - www.vmray.com 7 / 19 DYNAMIC ANALYSIS REPORT #2113970
NETWORK
General
839 bytes total sent
6.61 KB total received
1 ports 587
2 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
2 DNS requests for 1 domains
1 nameservers contacted
0 total requests returned errors
HTTP/S
0 URLs contacted, 0 servers
0 sessions, 0 bytes sent, 0 bytes received
DNS Requests
Type Hostname Response Code Resolved IPs CNames Verdict
A mail.scottbyscott.com, scottbyscott.com NoError 50.87.146.199 scottbyscott.com NA
- mail.scottbyscott.com - 50.87.146.199 NA
X-Ray Vision for Malware - www.vmray.com 8 / 19 DYNAMIC ANALYSIS REPORT #2113970
BEHAVIOR
Process Graph
Modify Memory #1 Modify Control Flow #2 Sample Start mn.exe Child Process msbuild.exe
X-Ray Vision for Malware - www.vmray.com 9 / 19 DYNAMIC ANALYSIS REPORT #2113970
Process #1: mn.exe
ID 1
File Name c:\users\rdhj0cnfevzx\desktop\mn.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\mn.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 52360, Reason: Analysis Target
Unmonitor End Time End Time: 74954, Reason: Terminated
Monitor duration 22.59s
Return Code 0
PID 1240
Parent PID 1652
Bitness 32 Bit
Host Behavior
Type Count
Module 20
File 27
Environment 1
Process 1
- 3
- 2
X-Ray Vision for Malware - www.vmray.com 10 / 19 DYNAMIC ANALYSIS REPORT #2113970
Process #2: msbuild.exe
ID 2
File Name c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\mn.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 72322, Reason: Child Process
Unmonitor End Time End Time: 293093, Reason: Terminated by Timeout
Monitor duration 220.77s
Return Code Unknown
PID 4860
Parent PID 1240
Bitness 32 Bit
Injection Information (3)
Injection Type Source Process Source / Target TID Address / Name Size Success Count
#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x390 0x400000(4194304) 0x3c000 1 \mn.exe
#1: c: Modify Memory \users\rdhj0cnfevzx\desktop 0x390 0x24d008(2412552) 0x4 1 \mn.exe
#1: c: Modify Control Flow \users\rdhj0cnfevzx\desktop 0x390 / 0x1328 0x771c8fe0(1998360544) - 1 \mn.exe
Host Behavior
Type Count
Module 65
Window 6
System 45
Registry 96
User 4
- 21
File 141
COM 43
Environment 30
- 2
Mutex 2
Network Behavior
Type Count
DNS 2
TCP 1
X-Ray Vision for Malware - www.vmray.com 11 / 19 DYNAMIC ANALYSIS REPORT #2113970
ARTIFACTS
File
SHA256 File Names Category File Size MIME Type Operations Verdict
2d61556b631b4920af773904 C: application/ a0ae5011f0103be9effb7c729 \Users\RDhJ0CNFevzX\Desktop\mn. Sample File 304.69 KB vnd.microsoft.portable- Access, Read MALICIOUS 2e4ebe3e39f1ad5 exe executable
9b13a3ea948a1071a81787a C: ac1930b89e30df22ce13f8ff7 Modified File 835 bytes text/plain Access, Create, Write CLEAN \Windows\system32\drivers\etc\hosts 51f31b5d83e79ffb
Filename
File Name Category Operations Verdict
C:\Users\RDhJ0CNFevzX\Desktop\mn.exe Sample File Access, Read CLEAN
C:\Windows\SYSTEM32\ntdll.dll Accessed File Access, Read CLEAN
C: \Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.co Accessed File Access, Read CLEAN nfig
C: Accessed File Access, Read CLEAN \Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe.Config
C: \Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.con Accessed File Access CLEAN fig
C:\Windows\system32\drivers\etc\hosts Modified File Access, Create, Write CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\liebao\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Sputnik\Sputnik\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\BraveSoftware\Brave- Accessed File Access CLEAN Browser\User Data
C:\Users\RDhJ0CNFevzX\AppData\Local\uCozMedia\Uran\User Accessed File Access CLEAN Data
C:\Users\RDhJ0CNFevzX\AppData\Local\CentBrowser\User Data Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Local\Yandex\YandexBrowser\User Accessed File Access CLEAN Data
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera Software\Opera Accessed File Access CLEAN Stable
C:\Users\RDhJ0CNFevzX\AppData\Local\Vivaldi\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\CocCoc\Browser\User Accessed File Access CLEAN Data
C:\Users\RDhJ0CNFevzX\AppData\Local\CatalinaGroup\Citrio\User Accessed File Access CLEAN Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Torch\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Fenrir Accessed File Access CLEAN Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\RDhJ0CNFevzX\AppData\Local\Amigo\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Iridium\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\7Star\7Star\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Elements Browser\User Accessed File Access CLEAN Data
C:\Users\RDhJ0CNFevzX\AppData\Local\QIP Surf\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Epic Privacy Browser\User Accessed File Access CLEAN Data
X-Ray Vision for Malware - www.vmray.com 12 / 19 DYNAMIC ANALYSIS REPORT #2113970
File Name Category Operations Verdict
C:\Users\RDhJ0CNFevzX\AppData\Local\Comodo\Dragon\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Chedot\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Coowon\Coowon\User Accessed File Access CLEAN Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Kometa\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Chromium\User Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\360Chrome\Chrome\User Accessed File Access CLEAN Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Orbitum\User Data Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Local\MapleStudio\ChromePlus\U Accessed File Access CLEAN ser Data
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Ipswitch\WS_FTP\Sites\ Accessed File Access CLEAN ws_ftp.ini
C: Accessed File Access CLEAN \Users\RDhJ0CNFevzX\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Program Files (x86)\Common Files\Apple\Apple Application Accessed File Access CLEAN Support\plutil.exe
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Psi\profiles Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Psi+\profiles Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\K-Meleon\profiles.ini Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Roaming\MySQL\Workbench\work Accessed File Access CLEAN bench_user_data.dat
C:\FTP Navigator\Ftplist.txt Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Credentials\ Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Credentials\ Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Credentials\DFBE Accessed File Access, Read CLEAN 70A7E5CC19A398EBF1B96859CE5D
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Protect\S-1-5-2 Accessed File Access, Read CLEAN 1-1560258661-3990802383-1811730007-1000\a4ede1be-784c-4ac4- b56e-64697a368189
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Mozilla\SeaMonkey\profi Accessed File Access CLEAN les.ini
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Thunderbird\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Claws-mail Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Claws-mail\clawsrc Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\NETGATE Accessed File Access CLEAN Technologies\BlackHawk\profiles.ini
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera Mail\Opera Accessed File Access CLEAN Mail\wand.dat
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Pocomail\accounts.ini Accessed File Access CLEAN
C:\Program Files\Private Internet Access\data Accessed File Access CLEAN
C:\Private Internet Access\data Accessed File Access CLEAN
C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat Accessed File Access CLEAN
X-Ray Vision for Malware - www.vmray.com 13 / 19 DYNAMIC ANALYSIS REPORT #2113970
File Name Category Operations Verdict
C:\Users\RDhJ0CNFevzX\Desktop\Folder.lst Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\FTPGetter\servers.xml Accessed File Access CLEAN
C:\Storage\ Accessed File Access CLEAN
C:\mail\ Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\VirtualStore\Program Accessed File Access CLEAN Files\Foxmail\mail\
C:\Users\RDhJ0CNFevzX\AppData\Local\VirtualStore\Program Files Accessed File Access CLEAN (x86)\Foxmail\mail\
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Edge\User Data Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Trillian\users\global\acco Accessed File Access CLEAN unts.dat
C: Accessed File Access CLEAN \Users\RDhJ0CNFevzX\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\RDhJ0CNFevzX\AppData\Local\NordVPN Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Comodo\IceDragon\profil Accessed File Access CLEAN es.ini
C:\Users\RDhJ0CNFevzX\AppData\Local\falkon\profiles\profiles.ini Accessed File Access CLEAN
C:\Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini Accessed File Access CLEAN
C:\Program Files (x86)\UltraVNC\ultravnc.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Mailbird\Store\Store.db Accessed File Access CLEAN
C:\cftp\Ftplist.txt Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\CoreFTP\sites.idx Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\The Bat! Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Moonchild Accessed File Access CLEAN Productions\Pale Moon\profiles.ini
C: \Users\RDhJ0CNFevzX\AppData\Roaming\8pecxstudios\Cyberfox\p Accessed File Access CLEAN rofiles.ini
C:\Users\RDhJ0CNFevzX\AppData\Local\Google\Chrome\User Data\ Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Roaming\FileZilla\recentservers.x Accessed File Access CLEAN ml
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Waterfox\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Tencent\QQBrowser\User Accessed File Access CLEAN Data
C:\Users\RDhJ0CNFevzX\AppData\Local\Tencent\QQBrowser\User Accessed File Access CLEAN Data\Default\EncryptedStorage
C:\Users\RDhJ0CNFevzX\AppData\Roaming\eM Client Accessed File Access CLEAN
C: Accessed File Access CLEAN \Users\RDhJ0CNFevzX\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Postbox\profiles.ini Accessed File Access CLEAN
C:\Program Files (x86)\jDownloader\config\database.script Accessed File Access CLEAN
Domain
Domain IP Address Country Protocols Verdict
mail.scottbyscott.com 50.87.146.199 - DNS CLEAN
X-Ray Vision for Malware - www.vmray.com 14 / 19 DYNAMIC ANALYSIS REPORT #2113970
Domain IP Address Country Protocols Verdict
scottbyscott.com 50.87.146.199 - DNS CLEAN
IP
IP Address Domains Country Protocols Verdict
192.168.0.1 - - UDP, DNS CLEAN
50.87.146.199 mail.scottbyscott.com, scottbyscott.com United States TCP, DNS CLEAN
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework access msbuild.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Dbg access, read msbuild.exe CLEAN JITDebugLaunchSetting
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Dbg access, read msbuild.exe CLEAN ManagedDebugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows access msbuild.exe CLEAN NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows access, read msbuild.exe CLEAN NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access msbuild.exe CLEAN AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access msbuild.exe CLEAN v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access, read msbuild.exe CLEAN v4.0.30319\SchUseStrongCrypto
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting access msbuild.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Defa access, read msbuild.exe CLEAN ult Impersonation Level
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Defa access, read msbuild.exe CLEAN ult Namespace
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access msbuild.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access, read msbuild.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic access msbuild.exe CLEAN DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard access, read msbuild.exe CLEAN Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access, read msbuild.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows access, read msbuild.exe CLEAN NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLi access msbuild.exe CLEAN ne
HKEY_CURRENT_USER\Software\IncrediMail\Identities access msbuild.exe CLEAN
HKEY_CURRENT_USER\Software\RimArts\B2\Settings access msbuild.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP access msbuild.exe CLEAN 2\Sessions
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview access msbuild.exe CLEAN
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1 access msbuild.exe CLEAN
HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs access msbuild.exe CLEAN
X-Ray Vision for Malware - www.vmray.com 15 / 19 DYNAMIC ANALYSIS REPORT #2113970
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RealVNC\ access msbuild.exe CLEAN WinVNC4
HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\RealVNC\ access msbuild.exe CLEAN WinVNC4
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver access msbuild.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\RealVNC\vncserver access msbuild.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 access msbuild.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\RealVNC\WinVNC4 access msbuild.exe CLEAN
HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3 access msbuild.exe CLEAN
HKEY_CURRENT_USER\Software\ORL\WinVNC3 access msbuild.exe CLEAN
HKEY_LOCAL_MACHINE\Software\TightVNC\Server access msbuild.exe CLEAN
HKEY_CURRENT_USER\Software\TightVNC\Server access msbuild.exe CLEAN
HKEY_LOCAL_MACHINE\Software\TigerVNC\Server access msbuild.exe CLEAN
HKEY_CURRENT_USER\Software\TigerVNC\Server access msbuild.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Pr access msbuild.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging access msbuild.exe CLEAN Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging access msbuild.exe CLEAN Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access msbuild.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access msbuild.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Em access, read msbuild.exe CLEAN ail
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMA access, read msbuild.exe CLEAN P Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\PO access, read msbuild.exe CLEAN P3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HT access, read msbuild.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SM access, read msbuild.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access msbuild.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Em access, read msbuild.exe CLEAN ail
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMA access, read msbuild.exe CLEAN P Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\PO access, read msbuild.exe CLEAN P3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HT access, read msbuild.exe CLEAN TP Password
X-Ray Vision for Malware - www.vmray.com 16 / 19 DYNAMIC ANALYSIS REPORT #2113970
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM access, read msbuild.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SM access, read msbuild.exe CLEAN TP Server
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr access msbuild.exe CLEAN ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Em access, read msbuild.exe CLEAN ail
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMA access, read msbuild.exe CLEAN P Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\PO access, read msbuild.exe CLEAN P3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HT access, read msbuild.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Pr ofiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SM access, read msbuild.exe CLEAN TP Password
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\Host access, read msbuild.exe CLEAN
\HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPort access, read msbuild.exe CLEAN
\HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesUser access, read msbuild.exe CLEAN
\HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPW access, read msbuild.exe CLEAN
\HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesName access, read msbuild.exe CLEAN
HKEY_CURRENT_USER\Software\DownloadManager\Passwords access msbuild.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ access, read msbuild.exe CLEAN v4.0.30319\HWRPortReuseOnSocketBind
Process
Process Name Commandline Verdict
mn.exe "C:\Users\RDhJ0CNFevzX\Desktop\mn.exe" MALICIOUS
X-Ray Vision for Malware - www.vmray.com 17 / 19 DYNAMIC ANALYSIS REPORT #2113970
YARA / AV
YARA (2)
Ruleset Name Rule Name Rule Description File Type File Name Classification Verdict
AgentTesla_StringDecryptio Malware Agent Tesla v3 string decryption Memory Dump - Spyware 5/5 n_v3
AgentTesla_StringDecryptio Malware Agent Tesla v3 string decryption Memory Dump - Spyware 5/5 n_v3
Antivirus (1)
File Type Threat Name File Name Verdict
Memory Dump IL:Trojan.MSILZilla.1773 - MALICIOUS
X-Ray Vision for Malware - www.vmray.com 18 / 19 DYNAMIC ANALYSIS REPORT #2113970
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.2.2
Dynamic Engine Version 4.2.2 / 07/23/2021 03:44
Static Engine Version 4.2.2.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release 2021-08-09 17:49:31+00:00 Date
AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10
VTI Ruleset Version 4.2.2.31 / 2021-07-19 18:52:40
YARA Built-in Ruleset Version 4.2.2.32
Link Detonation Heuristics Version -
Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed
X-Ray Vision for Malware - www.vmray.com 19 / 19