2282AgentTesla_df4957fb92f40a7478b01e55242dc71e_exe_2019-09-18_13_30.txt

1.  
2. * ID: 2282
3. * MalFamily: "Malicious"
4.  
5. * MalScore: 10.0
6.  
7. * File Name: "AgentTesla_df4957fb92f40a7478b01e55242dc71e.exe"
8. * File Size: 949248
9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10. * SHA256: "cf02549faef08f98e623e4bec2bd4f60b2931bce249649b188bdaa63ae26f435"
11. * MD5: "df4957fb92f40a7478b01e55242dc71e"
12. * SHA1: "0679f9b8bd05ebe3d0dd0ab1dae22ef456800eab"
13. * SHA512: "5c610763d4aff15b76bb15ef52d04cb236f8ffc0a1c52bf86c5e4376597ff9863d67f0292832482da2e8ffa01cf595341ef59a77dccac4943a722b18d39a4e45"
14. * CRC32: "97F9690A"
15. * SSDEEP: "24576:JhofYZe7q+mOgmwJCcFLYYNmEl+5IvjxpAjuUsxZ0WTy:Jm+bN5EkYwAyUgZq"
16.  
17. * Process Execution:
18. "K2QqbPnCkVhWyGs.exe",
19. "K2QqbPnCkVhWyGs.exe",
20. "svchost.exe",
21. "WmiPrvSE.exe",
22. "svchost.exe"
23.  
24.  
25. * Executed Commands:
26. "\"C:\\Users\\user\\AppData\\Local\\Temp\\K2QqbPnCkVhWyGs.exe\"",
27. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
28.  
29.  
30. * Signatures Detected:
31.  
32. "Description": "Behavioural detection: Executable code extraction",
33. "Details":
34.  
35.  
36. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
37. "Details":
38.  
39.  
40. "Description": "Possible date expiration check, exits too soon after checking local time",
41. "Details":
42.  
43. "process": "K2QqbPnCkVhWyGs.exe, PID 2172"
44.  
45.  
46.  
47.  
48. "Description": "Guard pages use detected - possible anti-debugging.",
49. "Details":
50.  
51.  
52. "Description": "A process attempted to delay the analysis task.",
53. "Details":
54.  
55. "Process": "K2QqbPnCkVhWyGs.exe tried to sleep 567 seconds, actually delayed analysis time by 0 seconds"
56.  
57.  
58.  
59.  
60. "Description": "The binary likely contains encrypted or compressed data.",
61. "Details":
62.  
63. "section": "name: .rsrc, entropy: 7.27, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x0004a400, virtual_size: 0x0004a208"
64.  
65.  
66.  
67.  
68. "Description": "Behavioural detection: Injection (Process Hollowing)",
69. "Details":
70.  
71. "Injection": "K2QqbPnCkVhWyGs.exe(2172) -> K2QqbPnCkVhWyGs.exe(2684)"
72.  
73.  
74.  
75.  
76. "Description": "Executed a process and injected code into it, probably while unpacking",
77. "Details":
78.  
79. "Injection": "K2QqbPnCkVhWyGs.exe(2172) -> K2QqbPnCkVhWyGs.exe(2684)"
80.  
81.  
82.  
83.  
84. "Description": "Behavioural detection: Injection (inter-process)",
85. "Details":
86.  
87.  
88. "Description": "Tries to unhook or modify Windows functions monitored by Cuckoo",
89. "Details":
90.  
91. "unhook": "function_name: NtCreateSection, type: modification"
92.  
93.  
94.  
95.  
96. "Description": "Stack pivoting was detected when using a critical API",
97. "Details":
98.  
99. "process": "svchost.exe:1804"
100.  
101.  
102.  
103.  
104. "Description": "File has been identified by 38 Antiviruses on VirusTotal as malicious",
105. "Details":
106.  
107. "MicroWorld-eScan": "Gen:Variant.Ulise.68047"
108.  
109.  
110. "McAfee": "GenericRXIO-PV!DF4957FB92F4"
111.  
112.  
113. "Cylance": "Unsafe"
114.  
115.  
116. "CrowdStrike": "win/malicious_confidence_80% (D)"
117.  
118.  
119. "BitDefender": "Gen:Variant.Ulise.68047"
120.  
121.  
122. "K7AntiVirus": "Riskware ( 0040eff71 )"
123.  
124.  
125. "TrendMicro": "TrojanSpy.Win32.LOKI.SMDD.hp"
126.  
127.  
128. "Symantec": "Packed.Generic.516"
129.  
130.  
131. "ESET-NOD32": "a variant of Win32/Injector.EHVA"
132.  
133.  
134. "APEX": "Malicious"
135.  
136.  
137. "Avast": "Win32:Trojan-gen"
138.  
139.  
140. "GData": "Gen:Variant.Ulise.68047"
141.  
142.  
143. "Kaspersky": "HEUR:Trojan-PSW.Win32.Azorult.gen"
144.  
145.  
146. "Ad-Aware": "Gen:Variant.Ulise.68047"
147.  
148.  
149. "Sophos": "Mal/Fareit-V"
150.  
151.  
152. "DrWeb": "Trojan.PWS.Siggen2.31104"
153.  
154.  
155. "Invincea": "heuristic"
156.  
157.  
158. "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.dc"
159.  
160.  
161. "Trapmine": "malicious.high.ml.score"
162.  
163.  
164. "FireEye": "Generic.mg.df4957fb92f40a74"
165.  
166.  
167. "Emsisoft": "Gen:Variant.Ulise.68047 (B)"
168.  
169.  
170. "SentinelOne": "DFI - Malicious PE"
171.  
172.  
173. "MAX": "malware (ai score=80)"
174.  
175.  
176. "Endgame": "malicious (high confidence)"
177.  
178.  
179. "Arcabit": "Trojan.Ulise.D109CF"
180.  
181.  
182. "ZoneAlarm": "HEUR:Trojan-PSW.Win32.Azorult.gen"
183.  
184.  
185. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
186.  
187.  
188. "AhnLab-V3": "Trojan/Win32.Infostealer.R291746"
189.  
190.  
191. "Acronis": "suspicious"
192.  
193.  
194. "Malwarebytes": "Spyware.LokiBot"
195.  
196.  
197. "TrendMicro-HouseCall": "TrojanSpy.Win32.LOKI.SMDD.hp"
198.  
199.  
200. "Rising": "Trojan.Injector!1.AFE3 (CLASSIC)"
201.  
202.  
203. "Ikarus": "Trojan-Spy.LokiBot"
204.  
205.  
206. "Fortinet": "W32/Injector.EHDJ!tr"
207.  
208.  
209. "Webroot": "W32.Loki.Smdd"
210.  
211.  
212. "AVG": "Win32:Trojan-gen"
213.  
214.  
215. "Cybereason": "malicious.8bd05e"
216.  
217.  
218. "Qihoo-360": "HEUR/QVM05.1.F737.Malware.Gen"
219.  
220.  
221.  
222.  
223. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
224. "Details":
225.  
226.  
227. "Description": "Collects information to fingerprint the system",
228. "Details":
229.  
230.  
231. "Description": "Anomalous binary characteristics",
232. "Details":
233.  
234. "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
235.  
236.  
237.  
238.  
239.  
240. * Started Service:
241.  
242. * Mutexes:
243. "Global\\CLR_PerfMon_WrapMutex",
244. "Global\\CLR_CASOFF_MUTEX"
245.  
246.  
247. * Modified Files:
248. "\\??\\PIPE\\samr",
249. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
250. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
251. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
252. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
253. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
254. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
255. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
256. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
257. "\\??\\WMIDataDevice"
258.  
259.  
260. * Deleted Files:
261.  
262. * Modified Registry Keys:
263. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
264. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
265. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
266. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
267. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
268. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
269. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
270. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
271.  
272.  
273. * Deleted Registry Keys:
274.  
275. * DNS Communications:
276.  
277. * Domains:
278.  
279. * Network Communication - ICMP:
280.  
281. * Network Communication - HTTP:
282.  
283. * Network Communication - SMTP:
284.  
285. * Network Communication - Hosts:
286.  
287. * Network Communication - IRC: