File Name C:\Users\RDhJ0CNFevzX\Desktop\b5a23c2ef617a9a0b87f82ebc9f6c2c892a179a53bd35ce725be92c68465b245.exe
Category Sample File
Type Binary
Verdict Malicious
Also Known As C:\Users\RDhJ0CNFevzX\AppData\Roaming\kqruryFrIFc.exe (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 782.50 KB
MD5 f7c9cf1410373a60a5c5a5e02aa4bd3c
SHA1 97cf7689f3b6dfd0efd37e7f16aa1bd2cfe537de
SHA256 b5a23c2ef617a9a0b87f82ebc9f6c2c892a179a53bd35ce725be92c68465b245
SSDeep 12288:hk2xg+ugGp2SrKUhxw3YjusvkRgutp43ARSepVIAnlFxCn9nLtzHeb:y2xgP01D3tRgutOzepVIAlLGnc
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x004C3E96
Size Of Code 0x000C2000
Size Of Initialized Data 0x00001800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2096-03-19 20:00 (UTC+1)
Version Information (11)
Comments
CompanyName
FileDescription MaterialSurface
FileVersion 1.0.0.0
InternalName ConstructionRespo.exe
LegalCopyright Copyright © 2021
LegalTrademarks
OriginalFilename ConstructionRespo.exe
ProductName MaterialSurface
ProductVersion 1.0.0.0
Assembly Version 1.0.0.0
Sections (3)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy
.text | 0x00402000 | 0x000C1E9C | 0x000C2000 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.7
.rsrc | 0x004C4000 | 0x000014F8 | 0x00001600 | 0x000C2200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.36
.reloc | 0x004C6000 | 0x0000000C | 0x00000200 | 0x000C3800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.1
Imports (1)
mscoree.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
_CorExeMain | - | 0x00402000 | 0x000C3E6C | 0x000C206C | 0x00000000
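The header facts above are the usual shape of a managed .NET executable: the only import is mscoree!_CorExeMain (the native stub that hands control to the CLR), the entry point sits at the end of a single large .text section whose entropy of 7.7 points to obfuscated or encrypted content, and the compile timestamp is nonsensical. The last point needs a caveat: the .NET compiler's deterministic-build mode writes a content hash into TimeDateStamp rather than a time, so a future-dated managed binary is common and is not by itself evidence of tampering. The script below is an added example, not VMRay's code and not tooling from the report. It parses a PE32 image with the standard library only: it walks the section table, computes per-section Shannon entropy, finds the section that holds the entry point, reads the CLR runtime header directory (data directory 14, the definitive .NET marker that the mscoree import only implies), and flags a future timestamp. It runs on a constructed two-section PE assembled inline to mirror the report's layout (image base 0x400000, .text at RVA 0x2000, a CLR header and a 2096 timestamp); `parse_pe32`, `build_sample_pe`, the sample bytes and the 7.0 entropy threshold are this example's own assumptions.

```python
"""PE32 header triage (added example, not VMRay's code).

Parses the section table, computes per-section Shannon entropy, finds the
section holding the entry point, reads the CLR runtime header directory
(definitive .NET marker) and flags a future-dated TimeDateStamp.
Standard library only; the image it runs on is constructed by
build_sample_pe() and is not the malware from the report.
"""
import math
import struct
from datetime import datetime, timedelta, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot of the CLR header
PACKED_ENTROPY = 7.0                         # assumed triage threshold, bits per byte
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(blob, now=None):
    """Return header facts and triage findings for a 32-bit (PE32) image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva, _, _, image_base = struct.unpack_from("<IIII", blob, opt + 16)
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", blob, opt + 92)[0]
    clr_rva = clr_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", blob, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)

    sections, entry_section, findings = [], None, []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs, linenumbers, counts, Characteristics
        name, vsize, va, raw_size, raw_off, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        raw = blob[raw_off:raw_off + raw_size]
        if len(raw) != raw_size:
            raise ValueError("section %r raw data runs past end of file" % name)
        sec = {
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": image_base + va, "vsize": vsize,
            "raw_size": raw_size, "raw_off": raw_off, "flags": flags,
            "entropy": round(shannon_entropy(raw), 2),
        }
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_section = sec["name"]
        if flags & IMAGE_SCN_MEM_EXECUTE and sec["entropy"] > PACKED_ENTROPY:
            findings.append("executable section %s has entropy %.2f: packed or encrypted content"
                            % (sec["name"], sec["entropy"]))
        sections.append(sec)

    compiled = EPOCH + timedelta(seconds=tstamp)        # avoids platform time_t limits
    now = now or datetime.now(timezone.utc)
    is_dotnet = clr_rva != 0 and clr_size != 0
    if is_dotnet:
        findings.append("CLR runtime header present: managed .NET image, native entry is the mscoree stub")
    if entry_section is None:
        findings.append("entry point RVA %#x lies outside every section" % entry_rva)
    if compiled > now:
        findings.append("compile timestamp %s is in the future: forged or hash-derived" % compiled.date())
    return {
        "machine": machine, "subsystem": subsystem, "image_base": image_base,
        "entry_point": image_base + entry_rva, "entry_section": entry_section,
        "compile_timestamp": compiled.isoformat(), "timestamp_in_future": compiled > now,
        "is_dotnet": is_dotnet, "sections": sections, "findings": findings,
    }


def build_sample_pe(clr=True, year=2096):
    """Constructed two-section PE32 shaped like the report's sample (image base
    0x400000, .text at RVA 0x2000, entry in .text, optional CLR header, timestamp
    of <year>-03-19 19:00 UTC). It is not the real binary and contains no code."""
    text_raw = bytes(range(256)) * 2                   # uniform bytes: entropy exactly 8.0
    rsrc_raw = (b"RESOURCE" * 4).ljust(0x200, b"\0")   # mostly zeros: low entropy
    ts = int((datetime(year, 3, 19, 19, 0, tzinfo=timezone.utc) - EPOCH).total_seconds())
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew -> NT headers
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, ts, 0, 0, 224, 0x0102)  # I386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 48, 0)      # PE32 magic, linker 48.0
    struct.pack_into("<IIIIIII", opt, 4, 0x200, 0x200, 0, 0x2100, 0x2000, 0x4000, 0x400000)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # section / file alignment
    struct.pack_into("<II", opt, 56, 0x5000, 0x200)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    secs += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x4000, 0x200, 0x400, 0, 0, 0, 0,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs).ljust(0x200, b"\0")
    return headers + text_raw + rsrc_raw


if __name__ == "__main__":
    report = parse_pe32(build_sample_pe())
    for s in report["sections"]:
        print("%-6s VA=%#010x entropy=%.2f" % (s["name"], s["va"], s["entropy"]))
    for f in report["findings"]:
        print("finding:", f)
```

To run it against a real file, replace `build_sample_pe()` with the bytes of the file under analysis; the CLR directory check is what to trust for the "is this .NET" question, since an import of mscoree can also appear in native hosts that load the runtime themselves.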
Memory Dumps (8)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA
b5a23c2ef617a9a0b87f82ebc9f6c2c892a179a53bd35ce725be92c68465b245.exe | 1 | 0x00400000 | 0x004C7FFF | Relevant Image | False | 32-bit | - | False
buffer | 1 | 0x04830000 | 0x0483FFFF | Reflectively Loaded .NET Assembly | False | 32-bit | - | False
buffer | 1 | 0x04860000 | 0x04862FFF | Reflectively Loaded .NET Assembly | False | 32-bit | - | False
buffer | 1 | 0x00680000 | 0x00701FFF | Reflectively Loaded .NET Assembly | False | 32-bit | - | False
b5a23c2ef617a9a0b87f82ebc9f6c2c892a179a53bd35ce725be92c68465b245.exe | 1 | 0x00400000 | 0x004C7FFF | Final Dump | False | 32-bit | - | False
buffer | 1 | 0x0A2E0000 | 0x0A317FFF | Reflectively Loaded .NET Assembly | False | 32-bit | - | False
buffer | 7 | 0x00400000 | 0x00439FFF | Content Changed | False | 32-bit | - | False
b5a23c2ef617a9a0b87f82ebc9f6c2c892a179a53bd35ce725be92c68465b245.exe | 1 | 0x00400000 | 0x004C7FFF | Process Termination | False | 32-bit | - | False
File Name C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmp621.tmp
Category Dropped File
Type Text
Verdict Clean
MIME Type text/xml
File Size 1.56 KB
MD5 98a4effa5725adecdca65f1ea6930433
SHA1 4221630879606e760c38d221c6083a696fa7f19e
SHA256 46206dae5258d36c346b9203feadd3e1e31d637c0d96f2c2a49bb2a1bbff1f73
SSDeep 24:2di4+S2qh9Y1Sy1mlUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLjxvn:cge2UYrFdOFzOzN33ODOiDdKrsuTLdv
ImpHash -