2326AgentTesla_351eb287618799d48f4bdb3225c94029_exe_2019-09-18_18_30.txt


* ID: 2326
* MalFamily: ""

* MalScore: 10.0

* File Name: "AgentTesla_351eb287618799d48f4bdb3225c94029.exe"
* File Size: 614400
* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
* SHA256: "b9e355d367b2d26a2f1f558e1b4e77ac351e2e9b9a7a4bb81acdf104c692b2c2"
* MD5: "351eb287618799d48f4bdb3225c94029"
* SHA1: "1594df98665618c97e05be9d3f8545d4a9f19214"
* SHA512: "8e9b38ef86b0b32147287ef5dcf0a47f7a3a3063f988cf564f39ec0ad708d3ac62b81ba9922dfaab0c67f403127012e9206d7b4f1ca366c7204e52ce023c090a"
* CRC32: "EE5E5E5F"
* SSDEEP: "12288:NKx4Jj666+dnSqTGt0a10OCNlKDpOVpeYaQX:No4JJ6+pSqTGt0o5CXAQVbaY"

* Process Execution:
    "Y1bZEW.exe",
    "Y1bZEW.exe",
    "svchost.exe",
    "WmiPrvSE.exe",
    "WmiPrvSE.exe",
    "svchost.exe",
    "WMIADAP.exe"


* Executed Commands:
    "\"C:\\Users\\user\\AppData\\Local\\Temp\\Y1bZEW.exe\"",
    "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
    "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
    "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R"


* Signatures Detected:

        "Description": "Behavioural detection: Executable code extraction",
        "Details":


        "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
        "Details":


        "Description": "Possible date expiration check, exits too soon after checking local time",
        "Details":

                "process": "Y1bZEW.exe, PID 1428"


        "Description": "Guard pages use detected - possible anti-debugging.",
        "Details":


        "Description": "A process attempted to delay the analysis task.",
        "Details":

                "Process": "Y1bZEW.exe tried to sleep 882 seconds, actually delayed analysis time by 0 seconds"


                "Process": "WmiPrvSE.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"


        "Description": "A process created a hidden window",
        "Details":

                "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"


        "Description": "The binary likely contains encrypted or compressed data.",
        "Details":

                "section": "name: .text, entropy: 7.19, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00093000, virtual_size: 0x00092278"


        "Description": "Behavioural detection: Injection (Process Hollowing)",
        "Details":

                "Injection": "Y1bZEW.exe(1428) -> Y1bZEW.exe(3048)"


        "Description": "Executed a process and injected code into it, probably while unpacking",
        "Details":

                "Injection": "Y1bZEW.exe(1428) -> Y1bZEW.exe(3048)"


        "Description": "Stack pivoting was detected when using a critical API",
        "Details":

                "process": "svchost.exe:1832"


        "Description": "File has been identified by 41 Antiviruses on VirusTotal as malicious",
        "Details":

                "MicroWorld-eScan": "Gen:Variant.Midie.66301"


                "McAfee": "Fareit-FPZ!351EB2876187"


                "Malwarebytes": "Trojan.MalPack.VB.Generic"


                "Cybereason": "malicious.866561"


                "Arcabit": "Trojan.Midie.D102FD"


                "TrendMicro": "TROJ_GEN.R015C0DII19"


                "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"


                "Symantec": "ML.Attribute.HighConfidence"


                "APEX": "Malicious"


                "Paloalto": "generic.ml"


                "Kaspersky": "Trojan.Win32.VBKryjetor.chax"


                "BitDefender": "Gen:Variant.Midie.66301"


                "Avast": "Win32:TrojanX-gen Trj"


                "Rising": "Trojan.Injector!1.B459 (CLASSIC)"


                "Ad-Aware": "Gen:Variant.Midie.66301"


                "Sophos": "Mal/FareitVB-N"


                "F-Secure": "Trojan.TR/Kryptik.hfzvw"


                "DrWeb": "Trojan.PWS.Banker1.34969"


                "Invincea": "heuristic"


                "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.jc"


                "Trapmine": "malicious.moderate.ml.score"


                "FireEye": "Generic.mg.351eb287618799d4"


                "Emsisoft": "Gen:Variant.Midie.66301 (B)"


                "Ikarus": "Trojan.VB.Agent"


                "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"


                "Avira": "TR/Kryptik.hfzvw"


                "MAX": "malware (ai score=85)"


                "Microsoft": "Trojan:Win32/Vbobfus.A!eml"


                "Endgame": "malicious (high confidence)"


                "ZoneAlarm": "Trojan.Win32.VBKryjetor.chax"


                "GData": "Gen:Variant.Midie.66301"


                "AhnLab-V3": "Win-Trojan/VBKrypt.RP12"


                "Acronis": "suspicious"


                "ALYac": "Gen:Variant.Midie.66301"


                "Cylance": "Unsafe"


                "ESET-NOD32": "a variant of Win32/Injector.EHVD"


                "SentinelOne": "DFI - Suspicious PE"


                "Fortinet": "W32/GenKryptik.EHBD!tr"


                "AVG": "Win32:TrojanX-gen Trj"


                "Panda": "Trj/GdSda.A"


                "CrowdStrike": "win/malicious_confidence_100% (W)"


* Started Service:

* Mutexes:
    "Global\\CLR_PerfMon_WrapMutex",
    "Global\\CLR_CASOFF_MUTEX",
    "Global\\ADAP_WMI_ENTRY",
    "Global\\RefreshRA_Mutex",
    "Global\\RefreshRA_Mutex_Lib",
    "Global\\RefreshRA_Mutex_Flag"


* Modified Files:
    "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
    "\\??\\WMIDataDevice"


* Deleted Files:

* Modified Registry Keys:

* Deleted Registry Keys:

* DNS Communications:

* Domains:

* Network Communication - ICMP:

* Network Communication - HTTP:

* Network Communication - SMTP:

* Network Communication - Hosts:

* Network Communication - IRC: