Posted: Sep 19, 2019, 03:36 AM
* ID: 2376
* MalFamily: "Malicious"
* MalScore: 10.0
* File Name: "AgentTesla_e15bab28504f2cdb4bbfe599210011e6.exe"
* File Size: 946176
* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
* SHA256: "97eb5d2a978dd05b4166c88ebdbb41a5f41e34363b464e680cab603ec531977f"
* MD5: "e15bab28504f2cdb4bbfe599210011e6"
* SHA1: "14db79114c1abf11e0d8e5a491f0ccea10a22aa3"
* SHA512: "c9b6d24bb6464476151bc194c9c6d0f729814ca2e0e35b11c8cd41aa7da2d6710d70a7ef63a4536fff0d94e2612d6488f9ecf74884d67ce7cc8c1562784bdf2e"
* CRC32: "F09E7F3F"
* SSDEEP: "12288:qWowpLgjfTmUbnmxiS2cSDz5FzNzprbzvf5l9vsXmji7QF+YyUaM3:rwSynmxILNt3i7QF+YyUz3"
* Process Execution:
  "ffpZntrZL.exe",
  "ffpZntrZL.exe",
  "reg.exe",
  "services.exe",
  "svchost.exe",
  "WmiPrvSE.exe",
  "lsass.exe",
  "taskhost.exe",
  "WMIADAP.exe"

* Executed Commands:
  "\"C:\\Users\\user\\AppData\\Local\\Temp\\ffpZntrZL.exe\"",
  "REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
  "C:\\Windows\\system32\\lsass.exe"
* Signatures Detected:

  - Behavioural detection: Executable code extraction

  - SetUnhandledExceptionFilter detected (possible anti-debug)

  - Creates RWX memory

  - Guard pages use detected - possible anti-debugging.

  - A process attempted to delay the analysis task.
      "Process": "ffpZntrZL.exe tried to sleep 769 seconds, actually delayed analysis time by 0 seconds"

  - Uses Windows utilities for basic functionality
      "command": "REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"

  - Behavioural detection: Injection (Process Hollowing)
      "Injection": "ffpZntrZL.exe(2936) -> ffpZntrZL.exe(1408)"

  - Executed a process and injected code into it, probably while unpacking
      "Injection": "ffpZntrZL.exe(2936) -> ffpZntrZL.exe(1408)"

  - Attempts to remove evidence of file being downloaded from the Internet
      "file": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe:Zone.Identifier"

  - Attempts to repeatedly call a single API many times in order to delay analysis time
      "Spam": "ffpZntrZL.exe (2936) called API GetLocalTime 351701 times"
      "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 6489625 times"

  - Steals private information from local Internet browsers
      "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"

  - Installs itself for autorun at Windows startup
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp"
      "data": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"

  - Creates a hidden or system file
      "file": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"

  - File has been identified by 13 Antiviruses on VirusTotal as malicious
      "FireEye": "Generic.mg.e15bab28504f2cdb"
      "Cylance": "Unsafe"
      "Cybereason": "malicious.8504f2"
      "Symantec": "Packed.Generic.535"
      "APEX": "Malicious"
      "Trapmine": "malicious.moderate.ml.score"
      "Microsoft": "Trojan:Win32/Wacatac.B!ml"
      "Endgame": "malicious (high confidence)"
      "Acronis": "suspicious"
      "McAfee": "Fareit-FPZ!E15BAB28504F"
      "ESET-NOD32": "a variant of Win32/GenKryptik.DTDZ"
      "CrowdStrike": "win/malicious_confidence_60% (D)"
      "Qihoo-360": "HEUR/QVM03.0.F7BD.Malware.Gen"

  - Checks the CPU name from registry, possibly for anti-virtualization

  - Creates a copy of itself
      "copy": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"

  - Attempts to disable System Restore

  - Harvests information related to installed mail clients
      "file": "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
      "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"

  - Collects information to fingerprint the system

  - Uses suspicious command line tools or Windows utilities
      "command": "REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
* Started Service:
  "VaultSvc"

* Mutexes:
  "Global\\CLR_PerfMon_WrapMutex",
  "Global\\CLR_CASOFF_MUTEX",
  "Local\\_!MSFTHISTORY!_",
  "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  "Global\\ADAP_WMI_ENTRY",
  "Global\\RefreshRA_Mutex",
  "Global\\RefreshRA_Mutex_Lib",
  "Global\\RefreshRA_Mutex_Flag"

* Modified Files:
  "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe",
  "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  "\\??\\WMIDataDevice",
  "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8"

* Deleted Files:
  "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe:Zone.Identifier"

* Modified Registry Keys:
  "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp",
  "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR",
  "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
  "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr"

* Deleted Registry Keys:

* DNS Communications:

* Domains:

* Network Communication - ICMP:

* Network Communication - HTTP:

* Network Communication - SMTP:

* Network Communication - Hosts:

* Network Communication - IRC: