MALICIOUS. Threat Names: Agent Tesla V3, Mal/Generic-S, Trojan.GenericKD.37357258

DYNAMIC ANALYSIS REPORT #6816650

Classifications: Spyware
Verdict: MALICIOUS
Threat Names: Agent Tesla v3, Mal/Generic-S, Trojan.GenericKD.37357258
Verdict Reason: -

Sample Type         Windows Exe (x86-32)
File Name           8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe
ID                  #2588924
MD5                 31e1f96a97f41b0d8e2595424359b968
SHA1                1c15f9447b5cf9c8246dfbe07ccf793301f45dc5
SHA256              8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a
File Size           702.00 KB
Report Created      2021-08-07 05:50 (UTC+2)
Target Environment  win7_64_sp1_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com

OVERVIEW

VMRay Threat Identifiers (18 rules, 33 matches)

Score  Category              Operation                                                                        Count  Classification
5/5    YARA                  Malicious content matched by YARA rules                                          1      Spyware
       • Rule "AgentTesla_StringDecryption_v3" from ruleset "Malware" has matched on a memory dump for (process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe.
5/5    Data Collection       Tries to read cached credentials of various applications                        1      Spyware
       • Tries to read sensitive data of: Postbox, BlackHawk, Opera Mail, FTP Navigator, Comodo IceDragon, Ipswitch WS_FTP, Mozilla Thunderbird, k-Meleon, Opera, IncrediMail, WinSCP.
4/5    Reputation            Known malicious file                                                             1      -
       • Reputation analysis labels the sample itself as "Mal/Generic-S".
4/5    Antivirus             Malicious content was detected by heuristic scan                                 1      -
       • Built-in AV detected the sample itself as "Trojan.GenericKD.37357258".
2/5    Data Collection       Reads sensitive browser data                                                     4      -
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of web browser "Opera" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of web browser "BlackHawk" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of web browser "k-Meleon" by file.
2/5    Data Collection       Reads sensitive ftp data                                                         2      -
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of ftp application "FTP Navigator" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of ftp application "Ipswitch WS_FTP" by file.
2/5    Data Collection       Reads sensitive mail data                                                        4      -
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of mail application "Opera Mail" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of mail application "Postbox" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of mail application "IncrediMail" by registry.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.
2/5    Data Collection       Reads sensitive application data                                                 1      -
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to read sensitive data of application "WinSCP" by registry.
2/5    Injection             Writes into the memory of a process started from a created or modified executable 1     -
       • (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe modifies memory of (process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe.
2/5    Injection             Modifies control flow of a process started from a created or modified executable 1     -
       • (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe alters context of (process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe.
1/5    Mutex                 Creates mutex                                                                    1      -
       • (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe creates mutex with name "AOaflTiLYojLiB".
1/5    Hide Tracks           Creates process with hidden window                                               1      -
       • (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe starts (process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe with a hidden window.
1/5    Obfuscation           Reads from memory of another process                                             1      -
       • (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe reads from (process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe.
1/5    Obfuscation           Creates a page with write and execute permissions                                1      -
       • (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5    Privilege Escalation  Enables process privilege                                                        1      -
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe enables process privilege "SeDebugPrivilege".
1/5    Discovery             Possibly does reconnaissance                                                     9      -
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "blackHawk" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "FTP Navigator" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "Opera Mail" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "WinSCP" by registry.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "Comodo IceDragon" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "Postbox" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "WS_FTP" by file.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "Qualcomm Eudora" by registry.
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe tries to gather information about application "k-Meleon" by file.
1/5    Obfuscation           Resolves API functions dynamically                                               1      -
       • (Process #2) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe resolves 42 API functions by name.
1/5    Execution             Executes itself                                                                  1      -
       • (Process #1) 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe executes a copy of the sample at C:\Users\kEecfMwgj\Desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe.

Mitre ATT&CK Matrix

Initial Access        -
Execution             -
Persistence           -
Privilege Escalation  -
Defense Evasion       #T1143 Hidden Window; #T1045 Software Packing
Credential Access     #T1081 Credentials in Files; #T1214 Credentials in Registry
Discovery             #T1083 File and Directory Discovery; #T1012 Query Registry
Lateral Movement      -
Collection            #T1119 Automated Collection; #T1005 Data from Local System
Command and Control   -
Exfiltration          -
Impact                -

Sample Information

ID           #2588924
MD5          31e1f96a97f41b0d8e2595424359b968
SHA1         1c15f9447b5cf9c8246dfbe07ccf793301f45dc5
SHA256       8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a
SSDeep       12288:vrBmb0Abs1YXPqKGT57NIVJgnahQtSFWGUorEl0T87LRBmzchQf3t2NjFG:A0l1ulGl7NIVUahQcTOuyyzcSMNjs
ImpHash      f34d5f2d4577ed6d9ceec516c1f5a744
File Name    8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe
File Size    702.00 KB
Sample Type  Windows Exe (x86-32)
Has Macros

Analysis Information

Creation Time                  2021-08-07 05:50 (UTC+2)
Analysis Duration              00:04:00
Termination Reason             Timeout
Number of Monitored Processes  2
Execution Successful           False
Reputation                     Enabled
WHOIS                          Enabled
Built-in AV                    Enabled
Built-in AV Applied On         Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches           1
YARA                           Enabled
YARA Applied On                Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches         1

NETWORK

General  0 bytes total sent, 0 bytes total received, 0 ports, 0 contacted IP addresses, 0 URLs extracted, 0 files downloaded, 0 malicious hosts detected
DNS      0 DNS requests for 0 domains, 0 nameservers contacted, 0 total requests returned errors
HTTP/S   0 URLs contacted, 0 servers, 0 sessions, 0 bytes sent, 0 bytes received

BEHAVIOR

Process Graph

Sample Start -> #1 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe
#1 -> #2 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe (Child Process; edges: Modify Memory, Modify Control Flow)

Process #1: 8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe

ID         1
File Name  c:\users\keecfmwgj\desktop\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe
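The indicators above describe one chain: process #1 starts a copy of itself with a hidden window, allocates a PAGE_EXECUTE_READWRITE page in it, writes to its memory and alters its thread context, and the resulting process #2 is the one that enables SeDebugPrivilege and reads the mail, FTP and browser credential stores. On a host, those pieces arrive as separate telemetry events, so the useful detection is the correlation, not any single event. The script below is an added example (not part of the VMRay report and not VMRay's code) that scores (injector, target) pairs for the write-plus-control-flow pattern and then attributes each credential-store read back to the process that started the chain, which is where the YARA match and mutex live. The event schema, the field names, the two credential-store paths and their owning image names, and the weights are assumptions; the events are constructed to mirror the report's process graph, with a legitimate Thunderbird read added as a control.

```python
"""Correlate injection primitives and credential-store reads into one attributable chain.
Added example modelled on the report's process graph; event schema and names are assumptions."""
import ntpath
from collections import defaultdict

# Full name of the sample as it appears in the report.
SAMPLE = (r"C:\Users\kEecfMwgj\Desktop"
          r"\8d5eb16aeba67696418ab7e29e862f80c1e13eae1ab6b6ac38d8e8d9fbe6d33a.exe")

# Constructed events (pid 1 injects into pid 2, as in the report), plus a benign control read.
EVENTS = [
    {"type": "process_create", "pid": 1, "ppid": 0, "image": SAMPLE, "hidden_window": False},
    {"type": "process_create", "pid": 2, "ppid": 1, "image": SAMPLE, "hidden_window": True},
    {"type": "remote_alloc", "pid": 1, "target_pid": 2, "protect": "PAGE_EXECUTE_READWRITE"},
    {"type": "remote_write", "pid": 1, "target_pid": 2},
    {"type": "set_thread_context", "pid": 1, "target_pid": 2},
    {"type": "privilege_enable", "pid": 2, "privilege": "SeDebugPrivilege"},
    {"type": "file_read", "pid": 2,
     "path": r"C:\Users\kEecfMwgj\AppData\Roaming\Thunderbird\profiles.ini"},
    {"type": "registry_read", "pid": 2, "key": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"type": "mutex_create", "pid": 1, "name": "AOaflTiLYojLiB"},
    {"type": "process_create", "pid": 7, "ppid": 3,
     "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe", "hidden_window": False},
    {"type": "file_read", "pid": 7,
     "path": r"C:\Users\kEecfMwgj\AppData\Roaming\Thunderbird\profiles.ini"},
]

# Credential stores keyed by a lower-case path fragment -> image name of the application that
# legitimately owns the store (assumed; extend with the other applications the report lists).
CRED_STORES = {
    r"\thunderbird\profiles.ini": "thunderbird.exe",
    r"\martin prikryl\winscp 2\sessions": "winscp.exe",
}

# Weights loosely following the report: RWX page 1/5, memory write and control-flow change 2/5.
INJECTION_WEIGHTS = {"remote_alloc_rwx": 1, "remote_write": 2, "set_thread_context": 2}


def build_process_table(events):
    return {ev["pid"]: ev for ev in events if ev["type"] == "process_create"}


def find_injection_chains(events, procs):
    """Group injection primitives per (injector, target) pair and score each pair."""
    prims = defaultdict(set)
    for ev in events:
        if ev["type"] == "remote_alloc" and ev["protect"] == "PAGE_EXECUTE_READWRITE":
            prims[(ev["pid"], ev["target_pid"])].add("remote_alloc_rwx")
        elif ev["type"] in INJECTION_WEIGHTS:
            prims[(ev["pid"], ev["target_pid"])].add(ev["type"])
    chains = []
    for (src, dst), seen in prims.items():
        # A remote write alone could be a debugger; require the control-flow change as well.
        if not {"remote_write", "set_thread_context"} <= seen:
            continue
        score, notes = sum(INJECTION_WEIGHTS[p] for p in seen), sorted(seen)
        if src in procs and dst in procs and procs[src]["image"].lower() == procs[dst]["image"].lower():
            score += 1
            notes.append("target is a copy of the injector (self-injection)")
        if procs.get(dst, {}).get("hidden_window"):
            score += 1
            notes.append("target started with a hidden window")
        chains.append({"injector": src, "target": dst, "score": score, "notes": notes})
    return chains


def find_credential_access(events, procs):
    """Flag reads of a known credential store by any process other than the owning application."""
    hits = []
    for ev in events:
        if ev["type"] not in ("file_read", "registry_read"):
            continue
        target = (ev.get("path") or ev.get("key")).lower()
        owner = next((o for frag, o in CRED_STORES.items() if frag in target), None)
        if owner is None:
            continue
        reader = ntpath.basename(procs[ev["pid"]]["image"]).lower()  # ntpath: Windows paths on any OS
        if reader != owner:
            hits.append({"pid": ev["pid"], "store": target, "expected_owner": owner, "reader": reader})
    return hits


def attribute_to_root(chains, pid):
    """Walk injector edges backwards so the theft is charged to the process that started the chain."""
    injectors = {c["target"]: c["injector"] for c in chains}
    visited = set()
    while pid in injectors and pid not in visited:
        visited.add(pid)
        pid = injectors[pid]
    return pid


def analyse(events):
    procs = build_process_table(events)
    chains = find_injection_chains(events, procs)
    hits = find_credential_access(events, procs)
    for hit in hits:
        hit["root_pid"] = attribute_to_root(chains, hit["pid"])
    return {"chains": chains, "credential_access": hits}


if __name__ == "__main__":
    result = analyse(EVENTS)
    for c in result["chains"]:
        print(f"injection pid {c['injector']} -> pid {c['target']}, score {c['score']}: {'; '.join(c['notes'])}")
    for h in result["credential_access"]:
        print(f"credential access by pid {h['pid']} ({h['reader']}) to {h['store']}, root pid {h['root_pid']}")
```

Two design points matter in practice. First, the write-only or RWX-only cases are deliberately not reported as injection, because debuggers and some installers produce them; the report itself rates them lower than the control-flow change. Second, the root attribution is what turns "a process read Thunderbird's profiles.ini" into "the sample on the desktop did", which is the statement an analyst needs when the child carries no file of its own, as here, where both processes are the same executable.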

Details

  • File Type: pdf
  • Upload Time: -
  • Content Languages: English
  • Upload User: Anonymous/Not logged-in
  • File Pages: 17
  • File Size: -
