AgentTesla.v4 | f2a3d321b3fb

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\Ynstr.exe

Sample File

Binary

Also Known As	C:\Users\RDhJ0CNFevzX\AppData\Roaming\Mtwbsyxsy.exe (Accessed File, Dropped File) C:\Users\RDhJ0CNFevzX\AppData\Roaming\sBRfm\sBRfm.exe (Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	718.00 KB
MD5	43a00ef10637139c060f1139df3b9cc1
SHA1	f717df8434925d25e03512c91385bc528576339e
SHA256	f2a3d321b3fbb2d3be23e5416a82b92d9aa73c3573ef0630d0570483ced8a731
SSDeep	12288:RCcj8EhT1GrAjbadQSIVCXfUWQBZoeAfeDlV25x3nGxYcBa8k:Icj8EzCdQSIkXsWQE4lV259Gx
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x00400000
Entry Point	0x004B4C4E
Size Of Code	0x000B2E00
Size Of Initialized Data	0x00000800
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2024-02-12 11:23 (UTC+1)

Version Information (11)

Comments	-
CompanyName	-
FileDescription	-
FileVersion	1.0.0.0
InternalName	Ynstr.exe
LegalCopyright	-
LegalTrademarks	-
OriginalFilename	Ynstr.exe
ProductName	-
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x000B2C64	0x000B2E00	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.64
.rsrc	0x004B6000	0x00000556	0x00000600	0x000B3000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.91
.reloc	0x004B8000	0x0000000C	0x00000200	0x000B3600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x004B4C5C	0x000B4C28	0x000B2E28	0x00000000

Memory Dumps (47)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
ynstr.exe	1	0x00B80000	0x00C39FFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04750000	0x04801FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04840000	0x04840FFF	First Execution	32-bit	0x04840000	... Actions Go to Process Download Dump
clrjit.dll	1	0x6DCE0000	0x6DD5FFFF	First Execution	32-bit	0x6DD41D21	... Actions Go to Process Download Dump
buffer	1	0x04890000	0x048CDFFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04B30000	0x04B75FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x04890000	0x048CDFFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
ynstr.exe	1	0x00B80000	0x00C39FFF	Final Dump	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00400000	0x00441FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
ynstr.exe	2	0x00CC0000	0x00D79FFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
ynstr.exe	1	0x00B80000	0x00C39FFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x04F9E000	0x04F9FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x04B9C000	0x04B9FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00BCE000	0x00BCFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00189000	0x0018FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00400000	0x00441FFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
ynstr.exe	2	0x00CC0000	0x00D79FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
mtwbsyxsy.exe	6	0x00DE0000	0x00E99FFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
sbrfm.exe	7	0x00250000	0x00309FFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
buffer	6	0x049E0000	0x04A91FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x04780000	0x04831FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x04870000	0x04870FFF	First Execution	32-bit	0x04870000	... Actions Go to Process Download Dump
buffer	6	0x02680000	0x02680FFF	First Execution	32-bit	0x02680000	... Actions Go to Process Download Dump
clrjit.dll	7	0x72E70000	0x72EEFFFF	First Execution	32-bit	0x72ED6C02	... Actions Go to Process Download Dump
clrjit.dll	6	0x72E70000	0x72EEFFFF	First Execution	32-bit	0x72EC2A1E	... Actions Go to Process Download Dump
buffer	6	0x04AE0000	0x04B1DFFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	6	0x04DD0000	0x04E15FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x048C0000	0x048FDFFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x04B60000	0x04BA5FFF	Reflectively Loaded .NET Assembly	32-bit	-	... Actions Go to Process Download Dump
buffer	8	0x00400000	0x00441FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mtwbsyxsy.exe	8	0x00790000	0x00849FFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x00400000	0x00441FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
sbrfm.exe	9	0x00FC0000	0x01079FFF	Relevant Image	32-bit	-	... Actions Go to Process Download Dump
mtwbsyxsy.exe	6	0x00DE0000	0x00E99FFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump
sbrfm.exe	7	0x00250000	0x00309FFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x04EFD000	0x04EFFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x00E2C000	0x00E2FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x00BEE000	0x00BEFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x00188000	0x0018FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	9	0x00400000	0x00441FFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
sbrfm.exe	9	0x00FC0000	0x01079FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	8	0x04E4E000	0x04E4FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	8	0x0493C000	0x0493FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	8	0x043AE000	0x043AFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	8	0x00189000	0x0018FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	8	0x00400000	0x00441FFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mtwbsyxsy.exe	8	0x00790000	0x00849FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump

1a95ef6e164b7b75a798264283d1207315732bb7b02cc56c4a6c95d51da6b8ca

Downloaded File

Text

MIME Type	text/plain
File Size	12 Bytes
MD5	fe9ff3066fe8164afd6e58254136c014
SHA1	c25dfd9956f9d91b3470c8b920a129207baf0144
SHA256	1a95ef6e164b7b75a798264283d1207315732bb7b02cc56c4a6c95d51da6b8ca
SSDeep	3:Cec:o
ImpHash	-

Remarks (2/2)

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information