AgentTesla.v3 | 81baf55c19c0

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\kEecfMwgj\Desktop\81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2.exe

Sample File

Binary

Also Known As	C:\Users\kEecfMwgj\AppData\Local\Temp\noise.exe (Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	626.50 KB
MD5	ade71491b076ca7a43effaf0214dd030
SHA1	75623647a35d7bfbfc0df5dfc24646c8d53367d1
SHA256	81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2
SSDeep	6144:EJCAIlFP8EYO+nm5NhbQ26Ldtb5joi2lEfbi4xzn+CzXJFSf19M/6ETrM00nQbql:OO2m5F+dtmi22ZzxSf1q6B0sQuc9Gy
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x00400000
Entry Point	0x0049DDBE
Size Of Code	0x0009BE00
Size Of Initialized Data	0x00000A00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	1997-03-02 23:09 (UTC+1)

Version Information (10)

Comments	5652?37G=@HEID8B6BF5GF
CompanyName	I368@4EBE6@3;AA <:h>
FileDescription	::4F=JA35I6=>FHH3
FileVersion	3.5.7.8
InternalName	4EBE6@3.exe
LegalCopyright	Copyright © 1999 I368@4EBE6@3;AA <:h>
OriginalFilename	4EBE6@3.exe
ProductName	::4F=JA35I6=>FHH3
ProductVersion	3.5.7.8
Assembly Version	1.0.0.0

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x0009BDC4	0x0009BE00	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.78
.rsrc	0x0049E000	0x00000606	0x00000800	0x0009C000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.63
.reloc	0x004A0000	0x0000000C	0x00000200	0x0009C800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x0009DD98	0x0009BF98	0x00000000

Memory Dumps (49)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2.exe	1	0x010B0000	0x01151FFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00980000	0x009A9FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00A00000	0x00A12FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
81baf55c19c00ec38dd62ea3b30a3af669be588442dc0648865f80195665d2b2.exe	1	0x010B0000	0x01151FFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump
noise.exe	3	0x010B0000	0x01151FFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x0101E000	0x0101FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x002D7000	0x002DFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
noise.exe	3	0x010B0000	0x01151FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x005B0000	0x005D9FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x005E0000	0x005F2FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x005B0000	0x005D9FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x00510000	0x00510FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	3	0x004E0000	0x004F1FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
noise.exe	3	0x010B0000	0x01151FFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump

C:\Users\kEecfMwgj\AppData\Roaming\Acrobat\Acrobat.exe

Dropped File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	40.15 KB
MD5	af862061889f5b9b956e9469dcdae773
SHA1	da30624e8a4a123a03da91905537283ddf88efd2
SHA256	af5cbd35c7d8dea7d879113fda61b0f64ac6618bcdae15c0c732a018babf68ee
SSDeep	384:CtpFVLK0MsihB9VKS7xdgsHKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+IPZTJ:uBMs2SqdPg6Iq8crSVq1hLxiSPBDBpf
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

Verdict

Clean

PE Information

Image Base	0x00400000
Entry Point	0x00407286
Size Of Code	0x00005400
Size Of Initialized Data	0x00000C00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2019-03-28 07:56 (UTC+1)

Version Information (10)

CompanyName	Microsoft Corporation
FileDescription	.NET Framework installation utility
FileVersion	4.8.3761.0 built by: NET48REL1
InternalName	InstallUtil.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	InstallUtil.exe
ProductName	Microsoft® .NET Framework
ProductVersion	4.8.3761.0
Comments	Flavor=Retail
PrivateBuild	DDBLD438

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x0000528C	0x00005400	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	4.91
.rsrc	0x00408000	0x00000918	0x00000A00	0x00005600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.53
.reloc	0x0040A000	0x0000000C	0x00000200	0x00006000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.08

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x0000725C	0x0000545C	0x00000000

Digital Signature Information

Verification Status

Valid

Certificate: Microsoft Corporation

Issued by	Microsoft Corporation
Parent Certificate	Microsoft Code Signing PCA
Country Name	US
Valid From	2018-07-12 22:11 (UTC+2)
Valid Until	2019-07-26 22:11 (UTC+2)
Algorithm	sha1_rsa
Serial Number	33 00 00 01 B1 DD ED BA 54 E9 65 B8 5F 00 01 00 00 01 B1
Thumbprint	9D C1 78 88 B5 CF AD 98 B3 CB 35 C1 99 4E 96 22 7F 06 16 75

Certificate: Microsoft Code Signing PCA

Issued by	Microsoft Code Signing PCA
Country Name	US
Valid From	2010-09-01 00:19 (UTC+2)
Valid Until	2020-09-01 00:29 (UTC+2)
Algorithm	sha1_rsa
Serial Number	61 33 26 1A 00 00 00 00 00 31
Thumbprint	3C AF 9B A2 DB 55 70 CA F7 69 42 FF 99 10 1B 99 38 88 E2 57

Memory Dumps (2)

Name	Process ID	Start VA	End VA	Dump Reason	PE Rebuild	Bitness	Entry Point	YARA	Actions
acrobat.exe	9	0x013D0000	0x013DBFFF	Relevant Image		32-bit	-		... Actions Go to Process Download Dump
acrobat.exe	9	0x013D0000	0x013DBFFF	Process Termination		32-bit	-		... Actions Go to Process Download Dump

c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat

Dropped File

Stream

MIME Type	application/octet-stream
File Size	108.54 KB
MD5	a3b1e277c328514420a76f0422cc8f05
SHA1	f95132b895c4877a66cb348888456d62c3d03b28
SHA256	91ae1a069a43ad7649868807cada6242cdb2cb4c689f1191c6cca43eb5a8d064
SSDeep	768:SU33iHuvsHgTllu5oo92x68tSLSww+oOPbHBBpWkxJeiKHEI00aX9C4lXiI:ZmuvsHgTlldoUxGoOPbckxJeiKHoF2I
ImpHash	-

c:\users\keecfmwgj\appdata\local\gdipfontcachev1.dat

Dropped File

Stream

MIME Type	application/octet-stream
File Size	8.03 KB
MD5	3b3c25a73972ae17e57cf588f4bc6f25
SHA1	8be4759a067d1a625f492737af7dc040d74c8dfb
SHA256	c5e68bc6ec9388f0b0be98a6100459c5573044e269a87f804dac29c025505f52
SSDeep	3:5tmlNl/myll/:5tmo2l/
ImpHash	-

d80dc87554c41cd7928c07033dba8e0dc3955e603a898b7f1b251d9e3150d87a

Downloaded File

HTML

MIME Type	text/html
File Size	48.00 KB
MD5	b7c15bf5fffd1f986f1ff521413d96e9
SHA1	1a13b5e45007e0456bab72456630a99fbeaeaf60
SHA256	d80dc87554c41cd7928c07033dba8e0dc3955e603a898b7f1b251d9e3150d87a
SSDeep	768:pEVoOsbUGQU9WBRI1MEcQGISchFqIfiANgBsvIR6rDdJpNq8B:uofQU9WLbkGI7WI6ANgidrDHqo
ImpHash	-

76f83b8d3b58ece2705234d7f703f668681897d84ae563292464676d27428a6c

Downloaded File

HTML

MIME Type	text/html
File Size	47.93 KB
MD5	94f28a2c0ed08108c51be8b46487bb63
SHA1	07d5a5e347aebd2b89ab6f8495efcb4cc388ff9a
SHA256	76f83b8d3b58ece2705234d7f703f668681897d84ae563292464676d27428a6c
SSDeep	768:wEVoOsbUGQU9WBMI1MEcQGI8hFqI9ANgBsvx6vDfJpNkLP:jofQU9WabkGI8WI9ANgiUvDVkr
ImpHash	-

Remarks (1/1)

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information