Dynamic Analysis Report
Created on 2022-08-05T10:57:18+00:00
Sample | 81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2.exe |
File Type | Windows Exe (x86-32) |
Verdict | Malicious |
Classifications | Spyware, Injector |
Threat Names | AgentTesla.v3, Mal/Generic-S |
This list contains only the embedded files, downloaded files, and dropped files.
File Name | C:\Users\kEecfMwgj\Desktop\81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2.exe |
Category | Sample File |
Type | Binary |
Verdict | Malicious |

File Reputation Information
Verdict | Malicious |
Names | Mal/Generic-S |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x0049DDBE |
Size Of Code | 0x0009BE00 |
Size Of Initialized Data | 0x00000A00 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 1997-03-02 23:09 (UTC+1) |
Version Information (10)
Comments | 5652?37G=@HEID8B6BF5GF |
CompanyName | I368@4EBE6@3;AA <:h> |
FileDescription | ::4F=JA35I6=>FHH3 |
FileVersion | 3.5.7.8 |
InternalName | 4EBE6@3.exe |
LegalCopyright | Copyright © 1999 I368@4EBE6@3;AA <:h> |
OriginalFilename | 4EBE6@3.exe |
ProductName | ::4F=JA35I6=>FHH3 |
ProductVersion | 3.5.7.8 |
Assembly Version | 1.0.0.0 |
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x0009BDC4 | 0x0009BE00 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.78 |
.rsrc | 0x0049E000 | 0x00000606 | 0x00000800 | 0x0009C000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.63 |
.reloc | 0x004A0000 | 0x0000000C | 0x00000200 | 0x0009C800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x0009DD98 | 0x0009BF98 | 0x00000000 |
Memory Dumps (49)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA |
---|---|---|---|---|---|---|---|---|
81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2.exe | 1 | 0x010B0000 | 0x01151FFF | Relevant Image | | 32-bit | - | |
buffer | 1 | 0x00980000 | 0x009A9FFF | Reflectively Loaded .NET Assembly | | 32-bit | - | |
buffer | 1 | 0x00A00000 | 0x00A12FFF | Reflectively Loaded .NET Assembly | | 32-bit | - | |
81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2.exe | 1 | 0x010B0000 | 0x01151FFF | Process Termination | | 32-bit | - | |
noise.exe | 3 | 0x010B0000 | 0x01151FFF | Relevant Image | | 32-bit | - | |
buffer | 3 | 0x0101E000 | 0x0101FFFF | First Network Behavior | | 32-bit | - | |
buffer | 3 | 0x002D7000 | 0x002DFFFF | First Network Behavior | | 32-bit | - | |
noise.exe | 3 | 0x010B0000 | 0x01151FFF | First Network Behavior | | 32-bit | - | |
buffer | 3 | 0x005B0000 | 0x005D9FFF | Reflectively Loaded .NET Assembly | | 32-bit | - | |
buffer | 3 | 0x005E0000 | 0x005F2FFF | Reflectively Loaded .NET Assembly | | 32-bit | - | |
buffer | 3 | 0x005B0000 | 0x005D9FFF | Reflectively Loaded .NET Assembly | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Reflectively Loaded .NET Assembly | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x00510000 | 0x00510FFF | Reflectively Loaded .NET Assembly | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
buffer | 3 | 0x004E0000 | 0x004F1FFF | Marked Executable | | 32-bit | - | |
noise.exe | 3 | 0x010B0000 | 0x01151FFF | Process Termination | | 32-bit | - | |
File Name | C:\Users\kEecfMwgj\AppData\Roaming\Acrobat\Acrobat.exe |
Category | Dropped File |
Type | Binary |
Verdict | Clean (Known to be clean.) |

File Reputation Information
Verdict | Clean (Known to be clean.) |
PE Information
Image Base | 0x00400000 |
Entry Point | 0x00407286 |
Size Of Code | 0x00005400 |
Size Of Initialized Data | 0x00000C00 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2019-03-28 07:56 (UTC+1) |
Version Information (10)
CompanyName | Microsoft Corporation |
FileDescription | .NET Framework installation utility |
FileVersion | 4.8.3761.0 built by: NET48REL1 |
InternalName | InstallUtil.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | InstallUtil.exe |
ProductName | Microsoft® .NET Framework |
ProductVersion | 4.8.3761.0 |
Comments | Flavor=Retail |
PrivateBuild | DDBLD438 |
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x0000528C | 0x00005400 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.91 |
.rsrc | 0x00408000 | 0x00000918 | 0x00000A00 | 0x00005600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.53 |
.reloc | 0x0040A000 | 0x0000000C | 0x00000200 | 0x00006000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.08 |
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x0000725C | 0x0000545C | 0x00000000 |
Digital Signature Information
Verification Status | Valid |
Certificate: Microsoft Corporation
Issued by | Microsoft Corporation |
Parent Certificate | Microsoft Code Signing PCA |
Country Name | US |
Valid From | 2018-07-12 22:11 (UTC+2) |
Valid Until | 2019-07-26 22:11 (UTC+2) |
Algorithm | sha1_rsa |
Serial Number | 33 00 00 01 B1 DD ED BA 54 E9 65 B8 5F 00 01 00 00 01 B1 |
Thumbprint | 9D C1 78 88 B5 CF AD 98 B3 CB 35 C1 99 4E 96 22 7F 06 16 75 |
Certificate: Microsoft Code Signing PCA
Issued by | Microsoft Code Signing PCA |
Country Name | US |
Valid From | 2010-09-01 00:19 (UTC+2) |
Valid Until | 2020-09-01 00:29 (UTC+2) |
Algorithm | sha1_rsa |
Serial Number | 61 33 26 1A 00 00 00 00 00 31 |
Thumbprint | 3C AF 9B A2 DB 55 70 CA F7 69 42 FF 99 10 1B 99 38 88 E2 57 |
Memory Dumps (2)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA |
---|---|---|---|---|---|---|---|---|
acrobat.exe | 9 | 0x013D0000 | 0x013DBFFF | Relevant Image | | 32-bit | - | |
acrobat.exe | 9 | 0x013D0000 | 0x013DBFFF | Process Termination | | 32-bit | - | |
File Name | c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat |
Category | Dropped File |
Type | Stream |
Verdict | Clean |
File Name | d80dc87554c41cd7928c07033dba8e0dc3955e603a898b7f1b251d9e3150d87a |
Category | Downloaded File |
Type | HTML |
Verdict | Clean |
File Name | 76f83b8d3b58ece2705234d7f703f668681897d84ae563292464676d27428a6c |
Category | Downloaded File |
Type | HTML |
Verdict | Clean |