File Name Category Type Verdict Actions
C:\Users\kEecfMwgj\Desktop\18f7c9fcf55206644996038b2908aa3871e3ea9affa4c6d62a7460f5b95cca90.exe Sample File Binary
Malicious
Also Known As C:\Users\kEecfMwgj\AppData\Local\Temp\geater.exe (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 625.50 KB
MD5 9cef8265c679bafb06f885678ceab7bd
SHA1 ac7faaa7e8439951eaafd8e02007f33a555cd01b
SHA256 18f7c9fcf55206644996038b2908aa3871e3ea9affa4c6d62a7460f5b95cca90
SSDeep 12288:7yJTxDWRQLg9r91BXxQ/q22ZzGSf1q6B0sQuc9G:7ynWRQerDxxs32NG61q6PQuc
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x0049D84E
Size Of Code 0x0009BA00
Size Of Initialized Data 0x00000A00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 1998-02-21 20:56 (UTC+1)
Version Information (10)
Comments ?HE?CBIE@@DCB3:@I
CompanyName C82?H<3=<85:I=3A;C
FileDescription D3D:A@;J8I3;75JFFD66B
FileVersion 6.10.13.16
InternalName D6GEVBNNH11111.exe
LegalCopyright Copyright © 2009 C82?H<3=<85:I=3A;C
OriginalFilename D6GEVBNNH11111.exe
ProductName D3D:A@;J8I3;75JFFD66B
ProductVersion 6.10.13.16
Assembly Version 1.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x0009B854 0x0009BA00 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.69
.rsrc 0x0049E000 0x00000646 0x00000800 0x0009BC00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.73
.reloc 0x004A0000 0x0000000C 0x00000200 0x0009C400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x0009D820 0x0009BA20 0x00000000
Memory Dumps (49)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
18f7c9fcf55206644996038b2908aa3871e3ea9affa4c6d62a7460f5b95cca90.exe 1 0x011E0000 0x01281FFF Relevant Image False 32-bit - False
buffer 1 0x004F0000 0x00519FFF Reflectively Loaded .NET Assembly False 32-bit - False
buffer 1 0x005A0000 0x005B2FFF Reflectively Loaded .NET Assembly False 32-bit - False
18f7c9fcf55206644996038b2908aa3871e3ea9affa4c6d62a7460f5b95cca90.exe 1 0x011E0000 0x01281FFF Process Termination False 32-bit - False
geater.exe 3 0x011E0000 0x01281FFF Relevant Image False 32-bit - False
buffer 3 0x00EEE000 0x00EEFFFF First Network Behavior False 32-bit - False
buffer 3 0x003C8000 0x003CFFFF First Network Behavior False 32-bit - False
geater.exe 3 0x011E0000 0x01281FFF First Network Behavior False 32-bit - False
buffer 3 0x00550000 0x00579FFF Reflectively Loaded .NET Assembly False 32-bit - False
buffer 3 0x006C0000 0x006D2FFF Reflectively Loaded .NET Assembly False 32-bit - False
buffer 3 0x00550000 0x00579FFF Reflectively Loaded .NET Assembly False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Reflectively Loaded .NET Assembly False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00FB0000 0x00FB0FFF Reflectively Loaded .NET Assembly False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
buffer 3 0x00B80000 0x00B91FFF Marked Executable False 32-bit - False
geater.exe 3 0x011E0000 0x01281FFF Process Termination False 32-bit - False
C:\Users\kEecfMwgj\AppData\Roaming\Acrobat\Acrobat.exe Dropped File Binary
Clean
Known to be clean.
MIME Type application/vnd.microsoft.portable-executable
File Size 40.15 KB
MD5 af862061889f5b9b956e9469dcdae773
SHA1 da30624e8a4a123a03da91905537283ddf88efd2
SHA256 af5cbd35c7d8dea7d879113fda61b0f64ac6618bcdae15c0c732a018babf68ee
SSDeep 384:CtpFVLK0MsihB9VKS7xdgsHKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+IPZTJ:uBMs2SqdPg6Iq8crSVq1hLxiSPBDBpf
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict
Clean
Known to be clean.
PE Information
Image Base 0x00400000
Entry Point 0x00407286
Size Of Code 0x00005400
Size Of Initialized Data 0x00000C00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-03-28 07:56 (UTC+1)
Version Information (10)
CompanyName Microsoft Corporation
FileDescription .NET Framework installation utility
FileVersion 4.8.3761.0 built by: NET48REL1
InternalName InstallUtil.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename InstallUtil.exe
ProductName Microsoft® .NET Framework
ProductVersion 4.8.3761.0
Comments Flavor=Retail
PrivateBuild DDBLD438
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x0000528C 0x00005400 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.91
.rsrc 0x00408000 0x00000918 0x00000A00 0x00005600 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.53
.reloc 0x0040A000 0x0000000C 0x00000200 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.08
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x0000725C 0x0000545C 0x00000000
Digital Signature Information
Verification Status Valid
Certificate: Microsoft Corporation
Issued by Microsoft Corporation
Parent Certificate Microsoft Code Signing PCA
Country Name US
Valid From 2018-07-12 22:11 (UTC+2)
Valid Until 2019-07-26 22:11 (UTC+2)
Algorithm sha1_rsa
Serial Number 33 00 00 01 B1 DD ED BA 54 E9 65 B8 5F 00 01 00 00 01 B1
Thumbprint 9D C1 78 88 B5 CF AD 98 B3 CB 35 C1 99 4E 96 22 7F 06 16 75
Certificate: Microsoft Code Signing PCA
Issued by Microsoft Code Signing PCA
Country Name US
Valid From 2010-09-01 00:19 (UTC+2)
Valid Until 2020-09-01 00:29 (UTC+2)
Algorithm sha1_rsa
Serial Number 61 33 26 1A 00 00 00 00 00 31
Thumbprint 3C AF 9B A2 DB 55 70 CA F7 69 42 FF 99 10 1B 99 38 88 E2 57
Memory Dumps (2)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
acrobat.exe 9 0x00380000 0x0038BFFF Relevant Image False 32-bit - False
acrobat.exe 9 0x00380000 0x0038BFFF Process Termination False 32-bit - False
c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 108.45 KB
MD5 56d2f28f0adec4114f48b86f239380ae
SHA1 0541cb654103e3b839e7c5b74406b4d33de8f21e
SHA256 61602c8a9d8f81c3d33068c5fc846c4cddb9cd00ed033a0f8a456dfd32582629
SSDeep 768:HU33iHuvsHgTllu5Ro9Ix68tSvSww+oOO5HBBpWkhJNiKcEI0UaXiZ4lXik:omuvsHgTllsoWxGsOO5ckhJNiKcoqZk
ImpHash -
c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat Dropped File Stream
Clean
MIME Type application/octet-stream
File Size 8.03 KB
MD5 3b124f39977734e519b4d76da3fd1429
SHA1 93258edf50199af514b466e27af94b44f9eee8a7
SHA256 790a6af00576b6ee07663cf571a92e5b72379c9d24f3599af1fa9fec8aeb168a
SSDeep 3:5tmlNlPlcy:5tm/
ImpHash -
3a45c4ff7bc28dc34f596e124dae411940e2215b6ce74bef76c9a5a005f80dc4 Downloaded File HTML
Clean
MIME Type text/html
File Size 49.11 KB
MD5 8584f90b5e603def47bb3c1c6f7345d9
SHA1 3d8810c0a5d4fe1dc836bb9ae51ac97064b513eb
SHA256 3a45c4ff7bc28dc34f596e124dae411940e2215b6ce74bef76c9a5a005f80dc4
SSDeep 768:bzEVoOsbUGQU9WBsdY5ocQGIdBqIEANgBsvi6zD1JpNxPrIi:bIofQU9WAQAGIdMIEANgitzDPxTb
ImpHash -
2ab43247d3d367bcfb779e1e167b252a3f54e7046dad71abc2bd4c2d66e16c7d Downloaded File HTML
Clean
MIME Type text/html
File Size 49.02 KB
MD5 4bb0a4606ea54b5aa81bbeea0434c8ac
SHA1 a3c6f6ca7a432efa6e8cb1dea1078398ef3efaff
SHA256 2ab43247d3d367bcfb779e1e167b252a3f54e7046dad71abc2bd4c2d66e16c7d
SSDeep 768:bmWEVoOsbUGQU9WBvdY5ocQGIhBqIyANgBsvQ6TD5JpNiJkI9:bAofQU9W/QAGIhMIyANgirTDDiOw
ImpHash -