AgentTesla.v3 | ce125ef2e645

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\c8GJy5ypctxsh2cr.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	632.50 KB
MD5	2448315c3145b034626c9a37bf5209b2
SHA1	4b20292989c31a3881ed6b878897d6722627b436
SHA256	ce125ef2e6456f77458063b89fcad72f81b0f07e0c9dbd3235a7ed5e71164fc4
SSDeep	12288:zOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPikgZEAmDllk7Xn4sEWf5vA+p1AjFN:zq5TfcdHj4fmbTgZr7XfEWf5o5jX
ImpHash	ef471c0edf1877cd5a881a6a8bf647b9

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x00400000
Entry Point	0x00521F70
Size Of Code	0x00055000
Size Of Initialized Data	0x0004A000
Size Of Uninitialized Data	0x000CD000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2024-11-25 00:42 (UTC+1)

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
UPX0	0x00401000	0x000CD000	0x00000000	0x00000400	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.0
UPX1	0x004CE000	0x00055000	0x00054200	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.94
.rsrc	0x00523000	0x0004A000	0x00049C00	0x00054600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.49

Imports (18)

KERNEL32.DLL (6)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
LoadLibraryA	-	0x0056C89C	0x0016C89C	0x0009DE9C	0x00000000
GetProcAddress	-	0x0056C8A0	0x0016C8A0	0x0009DEA0	0x00000000
VirtualProtect	-	0x0056C8A4	0x0016C8A4	0x0009DEA4	0x00000000
VirtualAlloc	-	0x0056C8A8	0x0016C8A8	0x0009DEA8	0x00000000
VirtualFree	-	0x0056C8AC	0x0016C8AC	0x0009DEAC	0x00000000
ExitProcess	-	0x0056C8B0	0x0016C8B0	0x0009DEB0	0x00000000

ADVAPI32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
AddAce	-	0x0056C8B8	0x0016C8B8	0x0009DEB8	0x00000000

COMCTL32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ImageList_Remove	-	0x0056C8C0	0x0016C8C0	0x0009DEC0	0x00000000

COMDLG32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetSaveFileNameW	-	0x0056C8C8	0x0016C8C8	0x0009DEC8	0x00000000

GDI32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
LineTo	-	0x0056C8D0	0x0016C8D0	0x0009DED0	0x00000000

IPHLPAPI.DLL (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
IcmpSendEcho	-	0x0056C8D8	0x0016C8D8	0x0009DED8	0x00000000

MPR.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
WNetUseConnectionW	-	0x0056C8E0	0x0016C8E0	0x0009DEE0	0x00000000

ole32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CoGetObject	-	0x0056C8E8	0x0016C8E8	0x0009DEE8	0x00000000

OLEAUT32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
VariantInit	0x00000008	0x0056C8F0	0x0016C8F0	0x0009DEF0	-

PSAPI.DLL (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetProcessMemoryInfo	-	0x0056C8F8	0x0016C8F8	0x0009DEF8	0x00000000

SHELL32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
DragFinish	-	0x0056C900	0x0016C900	0x0009DF00	0x00000000

USER32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetDC	-	0x0056C908	0x0016C908	0x0009DF08	0x00000000

USERENV.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
LoadUserProfileW	-	0x0056C910	0x0016C910	0x0009DF10	0x00000000

UxTheme.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
IsThemeActive	-	0x0056C918	0x0016C918	0x0009DF18	0x00000000

VERSION.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
VerQueryValueW	-	0x0056C920	0x0016C920	0x0009DF20	0x00000000

WININET.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
FtpOpenFileW	-	0x0056C928	0x0016C928	0x0009DF28	0x00000000

WINMM.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
timeGetTime	-	0x0056C930	0x0016C930	0x0009DF30	0x00000000

WSOCK32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
socket	0x00000017	0x0056C938	0x0016C938	0x0009DF38	-

Memory Dumps (24)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	First Execution	32-bit	0x014E1F70	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013E6AC0	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013DF08B	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x0143197B	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013C2322	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013D4800	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013DC75A	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013C3BD9	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013EE4C8	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x01434F16	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013C9048	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x01409CAB	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013CE8D0	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013CF030	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x01424EDD	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013CFE30	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013D097E	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x01407F2F	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x0140690B	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x013EB043	... Actions Go to Process Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Content Changed	32-bit	0x01420D09	... Actions Go to Process Download Dump
buffer	1	0x00EE2870	0x00EE606F	First Execution	32-bit	0x00EE4C20	... Actions Go to Process Download Dump
buffer	1	0x012A0000	0x012D6FFF	Image In Buffer	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
c8gjy5ypctxsh2cr.exe	1	0x013C0000	0x0152CFFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump

C:\Users\RDhJ0CNFevzX\AppData\Roaming\yGbzOMp\yGbzOMp.exe

Dropped File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	44.15 KB
MD5	62ce5ef995fd63a1847a196c2e8b267b
SHA1	114706d7e56e91685042430f783ae227866aa77f
SHA256	89f23e31053c39411b4519bf6823969cad9c7706a94ba7e234b9062ace229745
SSDeep	768:Vjs96lj/cps+zk2d0suWB6Iq8NbeYjiwMEBQwp:VAhRzdd0sHI+eYfMEBHp
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

Verdict

Clean

PE Information

Image Base	0x00400000
Entry Point	0x004082FE
Size Of Code	0x00006400
Size Of Initialized Data	0x00000C00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_CUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2016-07-14 21:51 (UTC+2)

Version Information (10)

CompanyName	Microsoft Corporation
FileDescription	Microsoft .NET Services Installation Utility
FileVersion	4.6.1590.0 built by: NETFXREL2
InternalName	RegSvcs.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	RegSvcs.exe
ProductName	Microsoft® .NET Framework
ProductVersion	4.6.1590.0
Comments	Flavor=Retail
PrivateBuild	DDBLD400

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x00006304	0x00006400	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	5.09
.rsrc	0x0040A000	0x00000938	0x00000A00	0x00006600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.36
.reloc	0x0040C000	0x0000000C	0x00000200	0x00007000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.06

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x000082D4	0x000064D4	0x00000000

Digital Signature Information

Verification Status

Valid

Certificate: Microsoft Corporation

Issued by	Microsoft Corporation
Parent Certificate	Microsoft Code Signing PCA
Country Name	US
Valid From	2015-06-04 19:42 (UTC+2)
Valid Until	2016-09-04 19:42 (UTC+2)
Algorithm	sha1_rsa
Serial Number	33 00 00 01 0A 2C 79 AE D7 79 7B A6 AC 00 01 00 00 01 0A
Thumbprint	3B DA 32 3E 55 2D B1 FD E5 F4 FB EE 75 D6 D5 B2 B1 87 EE DC

Certificate: Microsoft Code Signing PCA

Issued by	Microsoft Code Signing PCA
Country Name	US
Valid From	2010-09-01 00:19 (UTC+2)
Valid Until	2020-09-01 00:29 (UTC+2)
Algorithm	sha1_rsa
Serial Number	61 33 26 1A 00 00 00 00 00 31
Thumbprint	3C AF 9B A2 DB 55 70 CA F7 69 42 FF 99 10 1B 99 38 88 E2 57

Memory Dumps (2)

Name	Process ID	Start VA	End VA	Dump Reason	PE Rebuild	Bitness	Entry Point	YARA	Actions
ygbzomp.exe	7	0x009B0000	0x009BDFFF	Relevant Image		32-bit	-		... Actions Go to Process Download Dump
ygbzomp.exe	7	0x009B0000	0x009BDFFF	Process Termination		32-bit	-		... Actions Go to Process Download Dump

C:\Users\RDHJ0C~1\AppData\Local\Temp\harrowment

Dropped File

Stream

MIME Type	application/octet-stream
File Size	218.00 KB
MD5	00291352892c61d9f6ced3aaf209a455
SHA1	360357ecbbd602c4a61e2857cd8b7b52e287bdd6
SHA256	fa5007196ba5822a19020e7be1088725816dfc6f4b42c47651229e52a9520725
SSDeep	3072:KzI9H8GF7GOnhtl6Zx4sZXixJVFFXTFgvW/Jh/o5CuqaSlAAAhJ/JUau6kZPRjGt:RWGFGOfl6LixJVFFXJvA9P+6kZ5jQ
ImpHash	-

C:\Users\RDHJ0C~1\AppData\Local\Temp\autB27C.tmp

Dropped File

Stream

MIME Type	application/octet-stream
File Size	165.24 KB
MD5	f658f3a01a50f3d9e7d7f951c0289213
SHA1	dc086ad48a0023f65feb56a2a6b228db930fa5a5
SHA256	1832c3cca0ada7b961494afe8769dfed9fc66d62448920afbd97ec3ae2826e50
SSDeep	3072:H6O0jI1XaWxAk9ASW3LMECwNjoZtdkxGjiMxW9kM8LLZapkKtzbOCHqx:HM0FaWikhpzZbOyVCkbPU/bLHo
ImpHash	-

C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmpF5ED.tmp

Dropped File

Empty

MIME Type	application/x-empty
File Size	0 Bytes (not extracted)
MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep	3::
ImpHash	-

Remarks (1/1)

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information