File: C:\Users\kEecfMwgj\Desktop\fcf182d0ea46a01f7c98913ca565dec004c635eda697ef4be7b7d93beb1945f9.exe
Category: Sample File
Type: Binary
Verdict: malicious
Also Known As: C:\Users\kEecfMwgj\AppData\Roaming\EmVFlIse.exe (Dropped File)
MIME Type: application/vnd.microsoft.portable-executable
File Size: 1.27 MB
MD5: e02679aabb13a943f79c6831f3bfc43f
SHA1: 5d8e29c210eff0c6f8066293b804333e61c42285
SHA256: fcf182d0ea46a01f7c98913ca565dec004c635eda697ef4be7b7d93beb1945f9
SSDeep: 24576:hmPr2DpgYUGwBaI8STbL90srMkkdO31e:mStgYUnBaIZTbNoO3w
ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Matches (1)
Threat Name: Trojan.GenericKD.36177418
Verdict: malicious
PE Information
Image Base: 0x400000
Entry Point: 0x51780e
Size Of Code: 0x115a00
Size Of Initialized Data: 0x2fc00
File Type: FileType.executable
Subsystem: Subsystem.windows_gui
Machine Type: MachineType.i386
Compile Timestamp: 2021-01-19 01:12:03+00:00
Version Information (11)
Comments: Principle Pleasure
CompanyName: -
FileDescription: Record Bgy System
FileVersion: 7.20.17.0
InternalName: AlgorithmClass.exe
LegalCopyright: Copyright © 2019 Principle Pleasure
LegalTrademarks: -
OriginalFilename: AlgorithmClass.exe
ProductName: Record Bgy System
ProductVersion: 7.20.17.0
Assembly Version: 7.20.17.0
Sections (3)
Name   | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags                                                                           | Entropy
.text  | 0x402000        | 0x115814     | 0x115a00      | 0x200           | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                   | 7.28
.rsrc  | 0x518000        | 0x2fa00      | 0x2fa00       | 0x115c00        | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                              | 5.27
.reloc | 0x548000        | 0xc          | 0x200         | 0x145600        | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ   | 0.1
Imports (1)
mscoree.dll (1)
API Name    | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
_CorExeMain | -       | 0x402000    | 0x1177dc  | 0x1159dc     | 0x0
Memory Dumps (1)
Name: fcf182d0ea46a01f7c98913ca565dec004c635eda697ef4be7b7d93beb1945f9.exe
Process ID: 1
Start VA: 0x012B0000
End VA: 0x013F9FFF
Dump Reason: Relevant Image
PE Rebuild: False
Bitness: 32-bit
Entry Point: -
AV: False
YARA: False
File: C:\Users\kEecfMwgj\AppData\Roaming\CsGlckR\CsGlckR.exe
Category: Dropped File
Type: Binary
Verdict: suspicious
Also Known As: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (Dropped File)
MIME Type: application/vnd.microsoft.portable-executable
File Size: 44.19 KB
MD5: 19855c0dc5bec9fdf925307c57f9f5fc
SHA1: d2d0c486bc5422d4e7602ce349af2f00de7a2685
SHA256: c09191a1a46b7bfa82e381c5a0cc5fae83787d63f550a8bd6beaf33cc5c0c344
SSDeep: 768:xBbSoy+SdIBf0k2dsUG56Iq8/FfNpNiBIBsmyS:2oOIBf0ddsUGQIfNP6IBsmX
ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744
PE Information
Image Base: 0x400000
Entry Point: 0x408356
Size Of Code: 0x6400
Size Of Initialized Data: 0xc00
File Type: FileType.executable
Subsystem: Subsystem.windows_cui
Machine Type: MachineType.i386
Compile Timestamp: 2019-03-28 06:49:21+00:00
Version Information (10)
CompanyName: Microsoft Corporation
FileDescription: Microsoft .NET Services Installation Utility
FileVersion: 4.8.3761.0 built by: NET48REL1
InternalName: RegSvcs.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: RegSvcs.exe
ProductName: Microsoft® .NET Framework
ProductVersion: 4.8.3761.0
Comments: Flavor=Retail
PrivateBuild: DDBLD438
Sections (3)
Name   | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags                                                                           | Entropy
.text  | 0x402000        | 0x635c       | 0x6400        | 0x200           | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                   | 5.1
.rsrc  | 0x40a000        | 0x938        | 0xa00         | 0x6600          | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                              | 4.36
.reloc | 0x40c000        | 0xc          | 0x200         | 0x7000          | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ   | 0.08
Imports (1)
mscoree.dll (1)
API Name    | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
_CorExeMain | -       | 0x402000    | 0x832c    | 0x652c       | 0x0
Digital Signature Information
Verification Status: Valid

Certificate: Microsoft Corporation
Issued by: Microsoft Corporation
Parent Certificate: Microsoft Code Signing PCA
Country Name: US
Valid From: 2018-07-12 22:11 (UTC+2)
Valid Until: 2019-07-26 22:11 (UTC+2)
Algorithm: sha1_rsa
Serial Number: 33 00 00 01 B1 DD ED BA 54 E9 65 B8 5F 00 01 00 00 01 B1
Thumbprint: 9D C1 78 88 B5 CF AD 98 B3 CB 35 C1 99 4E 96 22 7F 06 16 75

Certificate: Microsoft Code Signing PCA
Issued by: Microsoft Code Signing PCA
Country Name: US
Valid From: 2010-09-01 00:19 (UTC+2)
Valid Until: 2020-09-01 00:29 (UTC+2)
Algorithm: sha1_rsa
Serial Number: 61 33 26 1A 00 00 00 00 00 31
Thumbprint: 3C AF 9B A2 DB 55 70 CA F7 69 42 FF 99 10 1B 99 38 88 E2 57
File: C:\Users\kEecfMwgj\AppData\Local\Temp\tmpC3E3.tmp
Category: Dropped File
Type: Text
Verdict: clean
Also Known As: C:\Users\kEecfMwgj\AppData\Local\Temp\tmp9C4E.tmp (Dropped File)
MIME Type: text/xml
File Size: 1.60 KB
MD5: 929b1d6f93a82ff89e5fe3b56d4ba42d
SHA1: ba27b26c29be8d545b92a7d6453dfa55786f59f2
SHA256: 065d99be30497142407c0ba76e7a5996efba79f7a8cc1d04c67fce8554d53714
SSDeep: 24:2dH4+SEqCD5v7qNlNMFy5/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBOtn:cbhD17qNlNQy5/rydbz9I3YODOLNdq3u
ImpHash: -
File: authroot.stl
Category: Embedded File
Type: Stream
Verdict: clean
Also Known As: c:\users\keecfmwgj\appdata\local\temp\tar225f.tmp (Dropped File)
Parent File: c:\users\keecfmwgj\appdata\local\temp\cab225e.tmp
MIME Type: application/octet-stream
File Size: 149.21 KB
MD5: 4e0487e929adbba279fd752e7fb9a5c4
SHA1: 2497e03f42d2cbb4f4989e87e541b5bb27643536
SHA256: ae781e4f9625949f7b8a9445b8901958adece7e3b95af344e2fcb24fe989eeb7
SSDeep: 1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
ImpHash: -
File: c:\users\keecfmwgj\appdata\local\temp\cab225e.tmp
Category: Downloaded File
Type: CAB
Verdict: clean
MIME Type: application/vnd.ms-cab-compressed
File Size: 57.22 KB
MD5: 61a03d15cf62612f50b74867090dbe79
SHA1: 15228f34067b4b107e917bebaf17cc7c3c1280a8
SHA256: f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d
SSDeep: 1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
ImpHash: -

Archive Information
Number of Files: 1
Number of Folders: 0
Size of Packed Archive Contents: 149.21 KB
Size of Unpacked Archive Contents: 149.21 KB
File Format: cab

Contents (1)
File Name    | Packed Size | Unpacked Size | Compression | Is Encrypted | Modify Time              | Severity
authroot.stl | 149.21 KB   | 149.21 KB     | MSZip       | False        | 2021-03-02 23:31 (UTC+1) | Clean