AgentTesla.v3 | 9eeac4773d7f | Files

Classifications

Spyware

Threat Names

AgentTesla.v3

Dynamic Analysis Report

Created on 2022-05-04T08:03:00+00:00

9eeac4773d7f0e7f4303baed25c04f0b138e55f9fa7e7c718e3e6599a2e41513.exe

Windows Exe (x86-32)

Remarks (1/1)

Auto Reboot Triggered (0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\AppData\Roaming\gfLnSNNH.exe

Sample File

Binary

»

Also Known As	C:\Users\RDhJ0CNFevzX\Desktop\9eeac4773d7f0e7f4303baed25c04f0b138e55f9fa7e7c718e3e6599a2e41513.exe (Sample File, Accessed File, VM File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	698.50 KB
MD5	b78eed700665bf868771e371d2622000
SHA1	48daa093155e9eaa563f6eb537a57f940f2aa6c6
SHA256	9eeac4773d7f0e7f4303baed25c04f0b138e55f9fa7e7c718e3e6599a2e41513
SSDeep	12288:+V2L2Ij3hxwDvVbyP8wqEBI1sIAzYy3/w+8RqbVVte2moi2bOxNtbs5:M2p3MDvVmkwqYnIA/ItWVVtX
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

PE Information

»

Image Base	0x00400000
Entry Point	0x0049AC7A
Size Of Code	0x00098E00
Size Of Initialized Data	0x00015A00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2058-09-27 10:07 (UTC+2)

Version Information (11)

»

Comments
CompanyName	HP Inc.
FileDescription	Snake Game
FileVersion	1.0.0.0
InternalName	HijriCalen.exe
LegalCopyright	Copyright © HP Inc. 2020
LegalTrademarks
OriginalFilename	HijriCalen.exe
ProductName	Snake Game
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Sections (3)

»

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x00098C80	0x00098E00	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.84
.rsrc	0x0049C000	0x00015640	0x00015800	0x00099000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.74
.reloc	0x004B2000	0x0000000C	0x00000200	0x000AE800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

»

mscoree.dll (1)

»

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x0009AC50	0x00098E50	0x00000000

Memory Dumps (7)

»

Name	Process ID	Start VA	End VA	Dump Reason	PE Rebuild	Bitness	Entry Point	AV	YARA	Actions
9eeac4773d7f0e7f4303baed25c04f0b138e55f9fa7e7c718e3e6599a2e41513.exe	1	0x00400000	0x004B3FFF	Relevant Image		32-bit	-			... Actions Go to Process Download Dump
buffer	1	0x04950000	0x04961FFF	Reflectively Loaded .NET Assembly		32-bit	-			... Actions Go to Process Download Dump
buffer	1	0x07BB0000	0x07C27FFF	Reflectively Loaded .NET Assembly		32-bit	-			... Actions Go to Process Download Dump
9eeac4773d7f0e7f4303baed25c04f0b138e55f9fa7e7c718e3e6599a2e41513.exe	1	0x00400000	0x004B3FFF	Final Dump		32-bit	-			... Actions Go to Process Download Dump
buffer	1	0x07D50000	0x07D86FFF	Reflectively Loaded .NET Assembly		32-bit	-			... Actions Go to Process Download Dump
buffer	7	0x00400000	0x00439FFF	Content Changed		32-bit	-			... Actions Go to Process Go to YARA Match Download Dump
9eeac4773d7f0e7f4303baed25c04f0b138e55f9fa7e7c718e3e6599a2e41513.exe	1	0x00400000	0x004B3FFF	Process Termination		32-bit	-			... Actions Go to Process Download Dump

C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmpA573.tmp

Dropped File

Text

»

MIME Type	text/xml
File Size	1.56 KB
MD5	0244f355d32355c5da49fa213a5b428a
SHA1	b939b03c2fdd13f0d12407cc2d23330f83b99b00
SHA256	4d4844431fdb09c416e08786528fdc22b5e1cf105b5e26f55b99978c948deed0
SSDeep	24:2di4+S2qh9Y1Sy1mlUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtcb+xvn:cge2UYrFdOFzOzN33ODOiDdKrsuTcbyv
ImpHash	-

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".

Before

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".

After

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".

WHOIS Domain Information

Screenshot