2* ID: 1651
3* MalFamily: "AgentTesla"
5* MalScore: 10.0
7* File Name: "AgentTesla_bb0cb63cd1f24f666217be9405090016.exe"
8* File Size: 1278464
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "77f5d8bbf5b22a43f60bcc4ded7dbc56529fa0ba00b29e916132bddbeae3ca26"
11* MD5: "bb0cb63cd1f24f666217be9405090016"
12* SHA1: "78b7c961ac2f719330fce0901fca454a37ae1fbd"
13* SHA512: "b2639317f54b721b262106e0ce9dcd4b92871c4115f3b43357f83f52e329c8de9581a2c69393f53dd13ad728f4d229892966d4e9dd909cbb71a64b624773b646"
14* CRC32: "AFE43057"
15* SSDEEP: "24576:LAHnh+eWsN3skA4RV1Hom2KXMmHaUWYyIgMRFDlbqNOeEG5A5:mh+ZkldoPK8YaAJFRFDBIOeE/"
17* Process Execution:
18 "7uggFmh2cagM.exe",
19 "RegAsm.exe",
20 "services.exe",
21 "svchost.exe",
22 "WmiPrvSE.exe",
23 "lsass.exe",
24 "taskhost.exe",
25 "taskhost.exe",
26 "WMIADAP.exe"
29* Executed Commands:
30 "\"C:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework\\\\\\\\v2.0.50727\\\\\\\\RegAsm.exe\"",
31 "C:\\Windows\\system32\\lsass.exe",
32 "taskhost.exe $(Arg0)"
35* Signatures Detected:
37 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
38 "Details":
41 "Description": "Behavioural detection: Executable code extraction",
42 "Details":
45 "Description": "Use of guard pages detected - possible anti-debugging.",
46 "Details":
49 "Description": "A process attempted to delay the analysis task.",
50 "Details":
52 "Process": "RegAsm.exe tried to sleep 851 seconds, actually delayed analysis time by 0 seconds"
55 "Process": "WmiPrvSE.exe tried to sleep 301 seconds, actually delayed analysis time by 0 seconds"
60 "Description": "Reads data out of its own binary image",
61 "Details":
63 "self_read": "process: 7uggFmh2cagM.exe, pid: 1576, offset: 0x00000000, length: 0x00010000"
66 "self_read": "process: 7uggFmh2cagM.exe, pid: 1576, offset: 0x00000000, length: 0x00138200"
71 "Description": "The binary likely contains encrypted or compressed data.",
72 "Details":
74 "section": "name: .rsrc, entropy: 7.92, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0006dc00, virtual_size: 0x0006dabc"
79 "Description": "Sniffs keystrokes",
80 "Details":
82 "SetWindowsHookExW": "Process: RegAsm.exe(1760)"
87 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
88 "Details":
90 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 13743916 times"
95 "Description": "Steals private information from local Internet browsers",
96 "Details":
98 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
103 "Description": "Installs itself for autorun at Windows startup",
104 "Details":
106 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\0x433A5C55736572735C7362755C417070446174615C636D737470"
109 "data": "C:\\Users\\user\\AppData\\cmstp\\chgusr.bat"
114 "Description": "File has been identified by 32 Antiviruses on VirusTotal as malicious",
115 "Details":
117 "MicroWorld-eScan": "Trojan.AutoIt.Agent.XS"
120 "Qihoo-360": "HEUR/QVM10.1.D51F.Malware.Gen"
123 "McAfee": "Artemis!BB0CB63CD1F2"
126 "CrowdStrike": "win/malicious_confidence_90% (W)"
129 "BitDefender": "Trojan.AutoIt.Agent.XS"
132 "Invincea": "heuristic"
135 "Cyren": "W32/Autoit.G.gen!Eldorado"
138 "ESET-NOD32": "a variant of Win32/Injector.Autoit.EHD"
141 "APEX": "Malicious"
144 "Paloalto": "generic.ml"
147 "GData": "Trojan.AutoIt.Agent.XS (2x)"
150 "Kaspersky": "HEUR:Trojan.Win32.Generic"
153 "Alibaba": "Trojan:Win32/AutoitInject.544c07ce"
156 "Endgame": "malicious (high confidence)"
159 "F-Secure": "Heuristic.HEUR/AGEN.1043182"
162 "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.tc"
165 "FireEye": "Generic.mg.bb0cb63cd1f24f66"
168 "Emsisoft": "Trojan.AutoIt.Agent.XS (B)"
171 "F-Prot": "W32/Autoit.G.gen!Eldorado"
174 "Avira": "HEUR/AGEN.1043182"
177 "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
180 "Microsoft": "Trojan:Win32/AutoitInject.BH!MTB"
183 "Arcabit": "Trojan.AutoIt.Agent.XS"
186 "ZoneAlarm": "HEUR:Trojan.Win32.Generic"
189 "AhnLab-V3": "Win-Trojan/Autoinj02.Exp"
192 "Acronis": "suspicious"
195 "MAX": "malware (ai score=86)"
198 "Ad-Aware": "Trojan.AutoIt.Agent.XS"
201 "Rising": "Trojan.Injector/Autoit!1.BB82 (CLASSIC)"
204 "Fortinet": "AutoIt/Injector.EGX!tr"
207 "Cybereason": "malicious.1ac2f7"
210 "MaxSecure": "Trojan.Malware.300983.susgen"
215 "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
216 "Details":
219 "Description": "Checks the system manufacturer, likely for anti-virtualization",
220 "Details":
223 "Description": "Harvests credentials from local FTP client software",
224 "Details":
226 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
229 "file": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\"
232 "file": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\*.xml"
235 "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
238 "file": "C:\\Users\\user\\AppData\\Roaming\\Ipswitch\\WS_FTP\\Sites\\ws_ftp.ini"
241 "file": "C:\\cftp\\Ftplist.txt"
244 "key": "HKEY_CURRENT_USER\\Software\\FTPWare\\COREFTP\\Sites"
249 "Description": "Harvests information related to installed mail clients",
250 "Details":
252 "file": "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"
255 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
258 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
261 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
264 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
267 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
270 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
273 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
276 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
279 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
282 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
285 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
288 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
291 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
294 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
297 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
300 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
305 "Description": "Creates a slightly modified copy of itself",
306 "Details":
308 "file": "C:\\Users\\user\\AppData\\cmstp\\chgusr.bat"
311 "percent_match": 100
316 "Description": "Collects information to fingerprint the system",
317 "Details":
320 "Description": "Anomalous binary characteristics",
321 "Details":
323 "anomaly": "Actual checksum does not match that reported in PE header"
329* Started Service:
330 "VaultSvc"
333* Mutexes:
334 "Global\\CLR_PerfMon_WrapMutex",
335 "Global\\CLR_CASOFF_MUTEX",
336 "Local\\_!MSFTHISTORY!_",
337 "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
338 "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
339 "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
340 "Global\\.net clr networking",
341 "Global\\F659A567-8ACB-4E4A-92A7-5C2DD1884F72",
342 "Global\\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf",
343 "Global\\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf:x",
344 "Global\\__?_c:_programdata_microsoft_rac_statedata_racdatabase.sdf:splk:2548",
345 "Global\\c90164ff-0d5a-4e39-975b-1f6e5d98cbd7:sqlce_se_lck:1",
346 "Global\\c90164ff-0d5a-4e39-975b-1f6e5d98cbd7:sqlce_se_lck:2",
347 "Global\\ADAP_WMI_ENTRY",
348 "Global\\RefreshRA_Mutex",
349 "Global\\RefreshRA_Mutex_Lib",
350 "Global\\RefreshRA_Mutex_Flag"
353* Modified Files:
354 "C:\\Users\\user\\AppData\\cmstp\\chgusr.bat",
355 "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
356 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
357 "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
358 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
359 "\\??\\WMIDataDevice",
360 "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
361 "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
362 "C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat",
363 "C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf"
366* Deleted Files:
368* Modified Registry Keys:
369 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\0x433A5C55736572735C7362755C417070446174615C636D737470",
370 "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\RegAsm_RASAPI32",
371 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\EnableFileTracing",
372 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\EnableConsoleTracing",
373 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\FileTracingMask",
374 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\ConsoleTracingMask",
375 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\MaxFileSize",
376 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\RegAsm_RASAPI32\\FileDirectory",
377 "HKEY_CURRENT_USER\\Software\\Microsoft\\SQMClient\\Reliability\\AdaptiveSqm\\ManifestInfo\\Version"
380* Deleted Registry Keys:
382* DNS Communications:
384 "type": "A",
385 "request": "checkip.amazonaws.com",
386 "answers":
389
390* Domains:
392 "ip": "52.55.255.113",
393 "domain": "checkip.amazonaws.com"
396
397* Network Communication - ICMP:
399* Network Communication - HTTP:
401* Network Communication - SMTP:
403* Network Communication - Hosts:
405* Network Communication - IRC: