Try VMRay Platform
Malicious
Classifications

Spyware

Threat Names

Agent Tesla v3 Mal/Generic-S

Dynamic Analysis Report

Created on 2021-09-27T19:15:00

ccfec983bc3c78598d2fed9861fde7a3c75ec512ab8642f132b30dbb9e516eac.exe

Windows Exe (x86-32)
...

Remarks (1/1)

(0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Filters:
File Name Category Type Verdict Actions
C:\Users\RDhJ0CNFevzX\Desktop\ccfec983bc3c78598d2fed9861fde7a3c75ec512ab8642f132b30dbb9e516eac.exe Sample File Binary
malicious
...
»
Also Known As C:\Users\RDhJ0CNFevzX\AppData\Roaming\xlpVvRzhctudF.exe (Dropped File)
C:\Users\RDhJ0CNFevzX\AppData\Roaming\kprUEGC\kprUEGC.exe (Dropped File)
MIME Type application/vnd.microsoft.portable-executable
File Size 720.50 KB
MD5 81b92680fb33ddfaccae09031e1888f2 Copy to Clipboard
SHA1 880a7e88ca219c5361ddfbad786bfeea9bb6b6fa Copy to Clipboard
SHA256 ccfec983bc3c78598d2fed9861fde7a3c75ec512ab8642f132b30dbb9e516eac Copy to Clipboard
SSDeep 12288:juZqIF/OXft1u0J9mmbXQBy79MxXhWnTl+uXk56gpmz7zLmMr52HEAmD:AqIFm/u0Xmk2y7UXsTg6QgHC Copy to Clipboard
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744 Copy to Clipboard
File Reputation Information
»
Verdict
malicious
Names Mal/Generic-S
PE Information
»
Image Base 0x400000
Entry Point 0x4a4d76
Size Of Code 0xa2e00
Size Of Initialized Data 0x11200
File Type FileType.executable
Subsystem Subsystem.windows_gui
Machine Type MachineType.i386
Compile Timestamp 2021-09-27 09:52:39+00:00
Version Information (11)
»
Comments -
CompanyName -
FileDescription Twitter Client
FileVersion 0.28.3.1
InternalName PathHelp.exe
LegalCopyright Copyright © 2016 - 2021 Hanalen
LegalTrademarks -
OriginalFilename PathHelp.exe
ProductName Twitter Client
ProductVersion 0.28.3.1
Assembly Version 0.28.3.1
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x402000 0xa2d7c 0xa2e00 0x200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.38
.rsrc 0x4a6000 0x10eb8 0x11000 0xa3000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.92
.reloc 0x4b8000 0xc 0x200 0xb4000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.1
Imports (1)
»
mscoree.dll (1)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x402000 0xa4d4c 0xa2f4c 0x0
Memory Dumps (2)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point AV YARA Actions
ccfec983bc3c78598d2fed9861fde7a3c75ec512ab8642f132b30dbb9e516eac.exe 1 0x00400000 0x004B9FFF Relevant Image False 32-bit - False False
...
buffer 3 0x00400000 0x0043BFFF Content Changed False 32-bit - False True
...
C:\Windows\system32\drivers\etc\hosts Modified File Text
clean
...
»
MIME Type text/plain
File Size 835 Bytes
MD5 6eb47c1cf858e25486e42440074917f2 Copy to Clipboard
SHA1 6a63f93a95e1ae831c393a97158c526a4fa0faae Copy to Clipboard
SHA256 9b13a3ea948a1071a81787aac1930b89e30df22ce13f8ff751f31b5d83e79ffb Copy to Clipboard
SSDeep 24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP Copy to Clipboard
ImpHash -
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmp43D6.tmp Dropped File Text
clean
...
»
Also Known As C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmp433E.tmp (Dropped File)
MIME Type text/xml
File Size 1.61 KB
MD5 d01615f9362d079027189e8542e3b2b6 Copy to Clipboard
SHA1 ca086442fa8869ed5fd2703055c02315c1d15702 Copy to Clipboard
SHA256 0c85484f8b21e89e70f588eaff182bfd0cfef5df63832a3249728fb7c247a69b Copy to Clipboard
SSDeep 24:2dH4+SEqC9Y7JlNMFV/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBzOtn:cbh27JlNQV/rydbz9I3YODOLNdq3i Copy to Clipboard
ImpHash -
VMRay - Analyzer - www.vmray.com
Legal Note - Privacy Policy
Exit-Icon
WHOIS Domain Information
Domain Name
WHOIS Response 

       		
      

     

    

   

  

  

  

  

   

    
    

     Function Logfile
    

    

     

      Download-Icon
     

    

    

     Exit-Icon
    

   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image