Malicious
Classifications
Keylogger Injector Spyware
Threat Names
AgentTesla AgentTesla.v3
Dynamic Analysis Report
Created on 2022-05-04T13:14:09+00:00
31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969.exe
Windows Exe (x86-32)
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
Filters: |
There are no files for this filter
There are no files in this analysis
File Name | Category | Type | Verdict | Actions |
---|
C:\Users\RDhJ0CNFevzX\Desktop\31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969.exe | Sample File | Binary |
Malicious
|
...
|
»
PE Information
»
Image Base | 0x00400000 |
Entry Point | 0x004A5D3A |
Size Of Code | 0x000A3E00 |
Size Of Initialized Data | 0x00004600 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2079-12-18 17:53 (UTC+1) |
Version Information (11)
»
Comments | |
CompanyName | sandboxie-plus.com |
FileDescription | Sandboxie Installer |
FileVersion | 1.0.0.0 |
InternalName | Generic.exe |
LegalCopyright | Copyright © 2020-2021 by David Xanatos (xanasoft.com) |
LegalTrademarks | |
OriginalFilename | Generic.exe |
ProductName | Sandboxie |
ProductVersion | 1.0.0.0 |
Assembly Version | 1.0.0.0 |
Sections (3)
»
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x000A3D40 | 0x000A3E00 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.98 |
.rsrc | 0x004A6000 | 0x0000420E | 0x00004400 | 0x000A4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.03 |
.reloc | 0x004AC000 | 0x0000000C | 0x00000200 | 0x000A8400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
»
mscoree.dll (1)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x000A5D10 | 0x000A3F10 | 0x00000000 |
Memory Dumps (5)
»
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
---|---|---|---|---|---|---|---|---|---|
31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969.exe | 1 | 0x00400000 | 0x004ADFFF | Relevant Image | 32-bit | - |
...
|
||
buffer | 1 | 0x04890000 | 0x048A1FFF | Reflectively Loaded .NET Assembly | 32-bit | - |
...
|
||
buffer | 1 | 0x07B70000 | 0x07C04FFF | Reflectively Loaded .NET Assembly | 32-bit | - |
...
|
||
buffer | 1 | 0x07C50000 | 0x07CB2FFF | Reflectively Loaded .NET Assembly | 32-bit | - |
...
|
||
31941c96fa470de35d08fd8bdc215c2ff2cbeb82dd72e91aafa563c08af7c969.exe | 1 | 0x00400000 | 0x004ADFFF | Process Termination | 32-bit | - |
...
|
C:\Users\RDhJ0CNFevzX\AppData\Roaming\ykVBUY\ykVBUY.exe | Dropped File | Binary |
Clean
Known to be clean.
|
...
|
»
File Reputation Information
»
Verdict |
Clean
Known to be clean.
|
PE Information
»
Image Base | 0x00400000 |
Entry Point | 0x00439422 |
Size Of Code | 0x00037600 |
Size Of Initialized Data | 0x00004200 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2015-10-08 03:13 (UTC+2) |
Version Information (10)
»
CompanyName | Microsoft Corporation |
FileDescription | MSBuild.exe |
FileVersion | 4.6.1038.0 built by: NETFXREL2 |
InternalName | MSBuild.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | MSBuild.exe |
ProductName | Microsoft® .NET Framework |
ProductVersion | 4.6.1038.0 |
Comments | Flavor=Retail |
PrivateBuild | DDBLD597 |
Sections (3)
»
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x00037440 | 0x00037600 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.97 |
.rsrc | 0x0043A000 | 0x00003EF4 | 0x00004000 | 0x00037800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.27 |
.reloc | 0x0043E000 | 0x0000000C | 0x00000200 | 0x0003B800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
»
mscoree.dll (1)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x000393F5 | 0x000375F5 | 0x00000000 |
Digital Signature Information
»
Verification Status | Valid |
Certificate: Microsoft Corporation
»
Issued by | Microsoft Corporation |
Parent Certificate | Microsoft Code Signing PCA |
Country Name | US |
Valid From | 2015-06-04 19:42 (UTC+2) |
Valid Until | 2016-09-04 19:42 (UTC+2) |
Algorithm | sha1_rsa |
Serial Number | 33 00 00 01 0A 2C 79 AE D7 79 7B A6 AC 00 01 00 00 01 0A |
Thumbprint | 3B DA 32 3E 55 2D B1 FD E5 F4 FB EE 75 D6 D5 B2 B1 87 EE DC |
Certificate: Microsoft Code Signing PCA
»
Issued by | Microsoft Code Signing PCA |
Country Name | US |
Valid From | 2010-09-01 00:19 (UTC+2) |
Valid Until | 2020-09-01 00:29 (UTC+2) |
Algorithm | sha1_rsa |
Serial Number | 61 33 26 1A 00 00 00 00 00 31 |
Thumbprint | 3C AF 9B A2 DB 55 70 CA F7 69 42 FF 99 10 1B 99 38 88 E2 57 |
C:\Windows\system32\drivers\etc\hosts | Modified File | Text |
Clean
|
...
|
»