paladin316

2376AgentTesla_e15bab28504f2cdb4bbfe599210011e6_exe_2019-09-19_03_30.txt

Sep 18th, 2019
  1.  
  2. * ID: 2376
  3. * MalFamily: "Malicious"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "AgentTesla_e15bab28504f2cdb4bbfe599210011e6.exe"
  8. * File Size: 946176
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "97eb5d2a978dd05b4166c88ebdbb41a5f41e34363b464e680cab603ec531977f"
  11. * MD5: "e15bab28504f2cdb4bbfe599210011e6"
  12. * SHA1: "14db79114c1abf11e0d8e5a491f0ccea10a22aa3"
  13. * SHA512: "c9b6d24bb6464476151bc194c9c6d0f729814ca2e0e35b11c8cd41aa7da2d6710d70a7ef63a4536fff0d94e2612d6488f9ecf74884d67ce7cc8c1562784bdf2e"
  14. * CRC32: "F09E7F3F"
  15. * SSDEEP: "12288:qWowpLgjfTmUbnmxiS2cSDz5FzNzprbzvf5l9vsXmji7QF+YyUaM3:rwSynmxILNt3i7QF+YyUz3"
  16.  
  17. * Process Execution:
  18. "ffpZntrZL.exe",
  19. "ffpZntrZL.exe",
  20. "reg.exe",
  21. "services.exe",
  22. "svchost.exe",
  23. "WmiPrvSE.exe",
  24. "lsass.exe",
  25. "taskhost.exe",
  26. "WMIADAP.exe"
  27.  
  28.  
  29. * Executed Commands:
  30. "\"C:\\Users\\user\\AppData\\Local\\Temp\\ffpZntrZL.exe\"",
  31. "REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
  32. "C:\\Windows\\system32\\lsass.exe"
  33.  
  34.  
  35. * Signatures Detected:
  36.  
  37. "Description": "Behavioural detection: Executable code extraction",
  38. "Details":
  39.  
  40.  
  41. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  42. "Details":
  43.  
  44.  
  45. "Description": "Creates RWX memory",
  46. "Details":
  47.  
  48.  
  49. "Description": "Guard pages use detected - possible anti-debugging.",
  50. "Details":
  51.  
  52.  
  53. "Description": "A process attempted to delay the analysis task.",
  54. "Details":
  55.  
  56. "Process": "ffpZntrZL.exe tried to sleep 769 seconds, actually delayed analysis time by 0 seconds"
  57.  
  58.  
  59.  
  60.  
  61. "Description": "Uses Windows utilities for basic functionality",
  62. "Details":
  63.  
  64. "command": "REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
  65.  
  66.  
  67.  
  68.  
  69. "Description": "Behavioural detection: Injection (Process Hollowing)",
  70. "Details":
  71.  
  72. "Injection": "ffpZntrZL.exe(2936) -> ffpZntrZL.exe(1408)"
  73.  
  74.  
  75.  
  76.  
  77. "Description": "Executed a process and injected code into it, probably while unpacking",
  78. "Details":
  79.  
  80. "Injection": "ffpZntrZL.exe(2936) -> ffpZntrZL.exe(1408)"
  81.  
  82.  
  83.  
  84.  
  85. "Description": "Attempts to remove evidence of file being downloaded from the Internet",
  86. "Details":
  87.  
  88. "file": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe:Zone.Identifier"
  89.  
  90.  
  91.  
  92.  
  93. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  94. "Details":
  95.  
  96. "Spam": "ffpZntrZL.exe (2936) called API GetLocalTime 351701 times"
  97.  
  98.  
  99. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 6489625 times"
  100.  
  101.  
  102.  
  103.  
  104. "Description": "Steals private information from local Internet browsers",
  105. "Details":
  106.  
  107. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  108.  
  109.  
  110.  
  111.  
  112. "Description": "Installs itself for autorun at Windows startup",
  113. "Details":
  114.  
  115. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp"
  116.  
  117.  
  118. "data": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"
  119.  
  120.  
  121.  
  122.  
  123. "Description": "Creates a hidden or system file",
  124. "Details":
  125.  
  126. "file": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"
  127.  
  128.  
  129.  
  130.  
  131. "Description": "File has been identified by 13 Antiviruses on VirusTotal as malicious",
  132. "Details":
  133.  
  134. "FireEye": "Generic.mg.e15bab28504f2cdb"
  135.  
  136.  
  137. "Cylance": "Unsafe"
  138.  
  139.  
  140. "Cybereason": "malicious.8504f2"
  141.  
  142.  
  143. "Symantec": "Packed.Generic.535"
  144.  
  145.  
  146. "APEX": "Malicious"
  147.  
  148.  
  149. "Trapmine": "malicious.moderate.ml.score"
  150.  
  151.  
  152. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  153.  
  154.  
  155. "Endgame": "malicious (high confidence)"
  156.  
  157.  
  158. "Acronis": "suspicious"
  159.  
  160.  
  161. "McAfee": "Fareit-FPZ!E15BAB28504F"
  162.  
  163.  
  164. "ESET-NOD32": "a variant of Win32/GenKryptik.DTDZ"
  165.  
  166.  
  167. "CrowdStrike": "win/malicious_confidence_60% (D)"
  168.  
  169.  
  170. "Qihoo-360": "HEUR/QVM03.0.F7BD.Malware.Gen"
  171.  
  172.  
  173.  
  174.  
  175. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  176. "Details":
  177.  
  178.  
  179. "Description": "Creates a copy of itself",
  180. "Details":
  181.  
  182. "copy": "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe"
  183.  
  184.  
  185.  
  186.  
  187. "Description": "Attempts to disable System Restore",
  188. "Details":
  189.  
  190.  
  191. "Description": "Harvests information related to installed mail clients",
  192. "Details":
  193.  
  194. "file": "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"
  195.  
  196.  
  197. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
  198.  
  199.  
  200. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  201.  
  202.  
  203. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
  204.  
  205.  
  206. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
  207.  
  208.  
  209. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
  210.  
  211.  
  212. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  213.  
  214.  
  215. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
  216.  
  217.  
  218. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  219.  
  220.  
  221. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
  222.  
  223.  
  224. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
  225.  
  226.  
  227. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
  228.  
  229.  
  230. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
  231.  
  232.  
  233. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
  234.  
  235.  
  236. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
  237.  
  238.  
  239. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
  240.  
  241.  
  242. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
  243.  
  244.  
  245.  
  246.  
  247. "Description": "Collects information to fingerprint the system",
  248. "Details":
  249.  
  250.  
  251. "Description": "Uses suspicious command line tools or Windows utilities",
  252. "Details":
  253.  
  254. "command": "REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
  255.  
  256.  
  257.  
  258.  
  259.  
  260. * Started Service:
  261. "VaultSvc"
  262.  
  263.  
  264. * Mutexes:
  265. "Global\\CLR_PerfMon_WrapMutex",
  266. "Global\\CLR_CASOFF_MUTEX",
  267. "Local\\_!MSFTHISTORY!_",
  268. "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  269. "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  270. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  271. "Global\\ADAP_WMI_ENTRY",
  272. "Global\\RefreshRA_Mutex",
  273. "Global\\RefreshRA_Mutex_Lib",
  274. "Global\\RefreshRA_Mutex_Flag"
  275.  
  276.  
  277. * Modified Files:
  278. "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe",
  279. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  280. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  281. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  282. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  283. "\\??\\WMIDataDevice",
  284. "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8"
  285.  
  286.  
  287. * Deleted Files:
  288. "C:\\Users\\user\\AppData\\Roaming\\MyApp\\MyApp.exe:Zone.Identifier"
  289.  
  290.  
  291. * Modified Registry Keys:
  292. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MyApp",
  293. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR",
  294. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
  295. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr"
  296.  
  297.  
  298. * Deleted Registry Keys:
  299.  
  300. * DNS Communications:
  301.  
  302. * Domains:
  303.  
  304. * Network Communication - ICMP:
  305.  
  306. * Network Communication - HTTP:
  307.  
  308. * Network Communication - SMTP:
  309.  
  310. * Network Communication - Hosts:
  311.  
  312. * Network Communication - IRC: