Malware analysis SecuriteInfo.com.Trojan.Locsyz.720.16264.13765 Malicious activity

Add for printing

File name:	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765
Full analysis:	https://app.any.run/tasks/d76b9923-ff91-4e1d-b178-c3ba4ea9a0ac
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. Malware Trends Tracker >>>
Analysis date:	February 01, 2023, 03:30:02
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	agenttesla
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	577FA8C1E92EBF08182247C415340EA2
SHA1:	93FCF426B197BAF75EB998C2A85AD62066352D7C
SHA256:	25A0D8EB4C8716B0B1DC5D5F04D2CBD3F130026AC25482AA5EC6A3D4BA8C194B
SSDEEP:	24576:0eLa9r8jAq/+nhRPX+dlC0XjZa0w6R7c4N34:0j9r8jz/+nPgVJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- Drops the executable file immediately after the start
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- Steals credentials from Web Browsers
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- AGENTTESLA detected by memory dumps
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- Actions looks like stealing of personal data
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
SUSPICIOUS
- Application launched itself
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 1644)
- Reads settings of System Certificates
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- Executable content was dropped or overwritten
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- Reads browser cookies
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
INFO
- Checks supported languages
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 1644)
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- Reads the computer name
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 1644)
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- Reads the machine GUID from the registry
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 1644)
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- The process checks LSA protection
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 1644)
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- Reads Environment values
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- Creates files or folders in the user directory
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- Drops a file that was compiled in debug mode
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)
- Create files in a temporary directory
  - SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe (PID: 552)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

AgentTesla

(PID) Process(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe

Protocoltelegram

Urlhttps://api.telegram.org/bot5801961827:AAHU2YhkfiXQwgVf7WnbO6mcJG_3zpTOec4/

Strings (687)

<hr>

[

] (

)

False

{BACK}

{ALT+TAB}

{ALT+F4}

{TAB}

{ESC}

{Win}

{CAPSLOCK}

↑

↓

←

→

{DEL}

{END}

{HOME}

{Insert}

{NumLock}

{PageDown}

{PageUp}

{ENTER}

{F1}

{F2}

{F3}

{F4}

{F5}

{F6}

{F7}

{F8}

{F9}

{F10}

{F11}

{F12}

control

{CTRL}

<hr>Copied Text:

The binary key cannot have an odd number of digits: {0}

:Zone.Identifier

SystemDrive

ObjectLength

ChainingModeGCM

AuthTagLength

ChainingMode

KeyDataBlob

AES

Microsoft Primitive Provider

Windows RDP

credential

policy

blob

rdg

chrome

{{{0}}}

Length

CopyTo

ComputeHash

sha512

Copy

True

https://api.ipify.org

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

https://api.telegram.org/bot5801961827:AAHU2YhkfiXQwgVf7WnbO6mcJG_3zpTOec4/

5811473778

appdata

Skype

Skype.exe

\drivers\etc\hosts

Software\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

image/jpeg

/log.tmp

text/html

[

yyyy-MM-dd HH:mm:ss

]

URL:

Username:

Password:

Application:

application/zip

Add

chat_id

caption

yyyy-MM-dd HH-mm-ss

.html

.jpg

.zip

sendDocument

document

---------------------------

multipart/form-data; boundary=

POST

Content-Disposition: form-data; name="{0}" {1}

Content-Disposition: form-data; name="{0}"; filename="{1}" Content-Type: {2}

Time:

MM/dd/yyyy HH:mm:ss

User Name:

Computer Name:

OSFullName:

CPU:

RAM:

IP Address:

New

Recovered!

Time

User Name

OSFullName

CPU:

RAM:

None

win32_processor

processorID

12ce5c57-ad52-4866-980d-4630823f7f4f

Win32_NetworkAdapterConfiguration

IPEnabled

MacAddress

6cbfe37f-d634-4d68-9a49-92628b61a41b

WinMgmts:

InstancesOf

Win32_BaseBoard

SerialNumber

f28f567e-bf65-4e9b-b7c8-b7060cec5bbd

GET

GetBytes

SELECT * FROM Win32_Processor

Name

Unknown

ExtractFile

{0}

Key

Mode

Padding

CreateDecryptor

TransformFinalBlock

SEQUENCE {

{0:X2}

INTEGER

OCTETSTRING

OBJECTIDENTIFIER

}

sha256

cookies.sqlite

Path=([A-z0-9\/\.\-]+)

profiles.ini

\Default\

Profile

origin_url

username_value

password_value

v10

v11

Opera Stable

\Local State

"encrypted_key":"(.*?)"

\Default\Login Data

\Login Data

logins

\Microsoft\Edge\User Data

Edge Chromium

Major

Minor

2F1A6504-0641-44CF-8BB5-3612D865F2E5

Windows Secure Note

3CCD5499-87A8-4B10-A215-608888DD3B55

Windows Web Password Credential

154E23D0-C644-4E6F-8CE6-5069272F999F

Windows Credential Picker Protector

4BF4C442-9B8A-41A0-B380-DD4A704DDB28

Web Credentials

77BC582B-F0A6-4E15-4E80-61736B6F3B29

Windows Credentials

E69D7838-91B5-4FC9-89D5-230D4D4CC2BC

Windows Domain Certificate Credential

3E0E35BE-1B77-43E7-B873-AED901B6275B

Windows Domain Password Credential

3C886FF3-2669-4AA2-A8FB-3F6759A77548

Windows Extended Credential

00000000-0000-0000-0000-000000000000

SchemaId

pResourceElement

pIdentityElement

pPackageSid

pAuthenticatorElement

IE/Edge

UCBrowser\

journal

UC Browser

wow_logins

\Common Files\Apple\Apple Application Support\plutil.exe

\Apple Computer\Preferences\keychain.plist

\Microsoft\Credentials\

\Microsoft\Protect\

GuidMasterKey

Tencent\QQBrowser\User Data

\Default\EncryptedStorage

\EncryptedStorage

entries

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (70.7)
.scr	\|	Windows screen saver (12.6)
.dll	\|	Win32 Dynamic Link Library (generic) (6.3)
.exe	\|	Win32 Executable (generic) (4.3)
.exe	\|	Win16/32 Executable Delphi generic (2)

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	2023-Feb-01 00:53:24
Debug artifacts:	VOPa.pdb
Comments:	Custom Sound
CompanyName:	Chevrolet
FileDescription:	Sagittarius
FileVersion:	1.2.0.0
InternalName:	VOPa.exe
LegalCopyright:	Chevrolet 2023
LegalTrademarks:	-
OriginalFilename:	VOPa.exe
ProductName:	Sagittarius
ProductVersion:	1.2.0.0
Assembly Version:	1.2.0.0

DOS Header

e_magic:	MZ
e_cblp:	144
e_cp:	3
e_crlc:	-
e_cparhdr:	4
e_minalloc:	-
e_maxalloc:	65535
e_ss:	-
e_sp:	184
e_csum:	-
e_ip:	-
e_cs:	-
e_ovno:	-
e_oemid:	-
e_oeminfo:	-
e_lfanew:	128

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
NumberofSections:	3
TimeDateStamp:	2023-Feb-01 00:53:24
PointerToSymbolTable:	-
NumberOfSymbols:	-
SizeOfOptionalHeader:	224
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	8192	788840	790528	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.34963
.rsrc	802816	6404	8192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.11091
.reloc	811008	12	2048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.0293968

Resources

Title	Entropy	Size	Codepage	Language	Type
1	7.78255	4758	UNKNOWN	UNKNOWN	RT_ICON
32512	1.51664	20	UNKNOWN	UNKNOWN	RT_GROUP_ICON
1 (#2)	3.29264	824	UNKNOWN	UNKNOWN	RT_VERSION
1 (#3)	5.00112	490	UNKNOWN	UNKNOWN	RT_MANIFEST

Imports


mscoree.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

552

"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe"

C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe

SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe

User:

admin

Company:

Chevrolet

Integrity Level:

MEDIUM

Description:

Sagittarius

Exit code:

Version:

1.2.0.0

Modules

Images
c:\users\admin\appdata\local\temp\securiteinfo.com.trojan.locsyz.720.16264.13765.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

AgentTesla

(PID) Process(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe

Protocoltelegram

Urlhttps://api.telegram.org/bot5801961827:AAHU2YhkfiXQwgVf7WnbO6mcJG_3zpTOec4/

Strings (687)

<hr>

[

] (

)

False

{BACK}

{ALT+TAB}

{ALT+F4}

{TAB}

{ESC}

{Win}

{CAPSLOCK}

↑

↓

←

→

{DEL}

{END}

{HOME}

{Insert}

{NumLock}

{PageDown}

{PageUp}

{ENTER}

{F1}

{F2}

{F3}

{F4}

{F5}

{F6}

{F7}

{F8}

{F9}

{F10}

{F11}

{F12}

control

{CTRL}

<hr>Copied Text:

The binary key cannot have an odd number of digits: {0}

:Zone.Identifier

SystemDrive

ObjectLength

ChainingModeGCM

AuthTagLength

ChainingMode

KeyDataBlob

AES

Microsoft Primitive Provider

Windows RDP

credential

policy

blob

rdg

chrome

{{{0}}}

Length

CopyTo

ComputeHash

sha512

Copy

True

https://api.ipify.org

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

https://api.telegram.org/bot5801961827:AAHU2YhkfiXQwgVf7WnbO6mcJG_3zpTOec4/

5811473778

appdata

Skype

Skype.exe

\drivers\etc\hosts

Software\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

image/jpeg

/log.tmp

text/html

[

yyyy-MM-dd HH:mm:ss

]

URL:

Username:

Password:

Application:

application/zip

Add

chat_id

caption

yyyy-MM-dd HH-mm-ss

.html

.jpg

.zip

sendDocument

document

---------------------------

multipart/form-data; boundary=

POST

Content-Disposition: form-data; name="{0}" {1}

Content-Disposition: form-data; name="{0}"; filename="{1}" Content-Type: {2}

Time:

MM/dd/yyyy HH:mm:ss

User Name:

Computer Name:

OSFullName:

CPU:

RAM:

IP Address:

New

Recovered!

Time

User Name

OSFullName

CPU:

RAM:

None

win32_processor

processorID

12ce5c57-ad52-4866-980d-4630823f7f4f

Win32_NetworkAdapterConfiguration

IPEnabled

MacAddress

6cbfe37f-d634-4d68-9a49-92628b61a41b

WinMgmts:

InstancesOf

Win32_BaseBoard

SerialNumber

f28f567e-bf65-4e9b-b7c8-b7060cec5bbd

GET

GetBytes

SELECT * FROM Win32_Processor

Name

Unknown

ExtractFile

{0}

Key

Mode

Padding

CreateDecryptor

TransformFinalBlock

SEQUENCE {

{0:X2}

INTEGER

OCTETSTRING

OBJECTIDENTIFIER

}

sha256

cookies.sqlite

Path=([A-z0-9\/\.\-]+)

profiles.ini

\Default\

Profile

origin_url

username_value

password_value

v10

v11

Opera Stable

\Local State

"encrypted_key":"(.*?)"

\Default\Login Data

\Login Data

logins

\Microsoft\Edge\User Data

Edge Chromium

Major

Minor

2F1A6504-0641-44CF-8BB5-3612D865F2E5

Windows Secure Note

3CCD5499-87A8-4B10-A215-608888DD3B55

Windows Web Password Credential

154E23D0-C644-4E6F-8CE6-5069272F999F

Windows Credential Picker Protector

4BF4C442-9B8A-41A0-B380-DD4A704DDB28

Web Credentials

77BC582B-F0A6-4E15-4E80-61736B6F3B29

Windows Credentials

E69D7838-91B5-4FC9-89D5-230D4D4CC2BC

Windows Domain Certificate Credential

3E0E35BE-1B77-43E7-B873-AED901B6275B

Windows Domain Password Credential

3C886FF3-2669-4AA2-A8FB-3F6759A77548

Windows Extended Credential

00000000-0000-0000-0000-000000000000

SchemaId

pResourceElement

pIdentityElement

pPackageSid

pAuthenticatorElement

IE/Edge

UCBrowser\

journal

UC Browser

wow_logins

\Common Files\Apple\Apple Application Support\plutil.exe

\Apple Computer\Preferences\keychain.plist

\Microsoft\Credentials\

\Microsoft\Protect\

GuidMasterKey

Tencent\QQBrowser\User Data

\Default\EncryptedStorage

\EncryptedStorage

entries

Modules

Images
c:\users\admin\appdata\local\temp\securiteinfo.com.trojan.locsyz.720.16264.13765.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\mscoree.dll

Add for printing

Total events

2 452

Read events

2 414

Write events

Delete events

Modification events


(PID) Process:	(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(552) SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS
Operation:	write	Name:	FileTracingMask
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
552	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:—	SHA256:—
552	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	C:\Users\admin\AppData\Roaming\cenk4qlf.ieg\Chrome\Default\Cookies		sqlite
		MD5:387B1D63B45DA12EE4D0C68A9E777271	SHA256:40BD4B959B25DBF4D65864B92F548C5373C12FC7EF99FE70A9BE479A90FBF0D2
552	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	C:\Users\admin\AppData\Roaming\Skype\Skype.exe		executable
		MD5:—	SHA256:—
552	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	C:\Users\admin\AppData\Local\Temp\TarF260.tmp		cat
		MD5:73B4B714B42FC9A6AAEFD0AE59ADB009	SHA256:C0CF8CC04C34B5B80A2D86AD0EAFB2DD71436F070C86B0321FBA0201879625FD
552	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	C:\Users\admin\AppData\Local\Temp\CabF25F.tmp		compressed
		MD5:FC4666CBCA561E864E7FDF883A9E6661	SHA256:10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B
552	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	C:\Users\admin\AppData\Roaming\cenk4qlf.ieg\Firefox\Profiles\nltxvmn2.default\cookies.sqlite		sqlite
		MD5:FF3819BA79CA33058AB110FEC5CD0955	SHA256:C5140A31EA483E1E6AFE2A2750B853FA46FA3C5B0A04C973094E23E6C8AD533E
552	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:FC4666CBCA561E864E7FDF883A9E6661	SHA256:10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
552	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	GET	200	8.248.117.254:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2f4b7f4b71344aee	US	compressed	61.4 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
552	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	64.185.227.155:443	api.ipify.org	WEBNX	US	malicious
552	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	149.154.167.220:443	api.telegram.org	Telegram Messenger Inc	GB	malicious
552	SecuriteInfo.com.Trojan.Locsyz.720.16264.13765.exe	8.248.117.254:80	ctldl.windowsupdate.com	LEVEL3	US	malicious

DNS requests

Domain	IP	Reputation
api.ipify.org	64.185.227.155 173.231.16.76 104.237.62.211	shared
ctldl.windowsupdate.com	8.248.117.254 8.238.36.254 8.241.9.254 8.238.189.126 8.241.11.126	whitelisted
api.telegram.org	149.154.167.220	shared

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Telegram API Domain in DNS Lookup
—	—	Misc activity	ET INFO Observed Telegram API Domain (api .telegram .org in TLS SNI)
—	—	Misc activity	ET POLICY Telegram API Certificate Observed

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

SecuriteInfo.com.Trojan.Locsyz.720.16264.13765

577FA8C1E92EBF08182247C415340EA2

93FCF426B197BAF75EB998C2A85AD62066352D7C

25A0D8EB4C8716B0B1DC5D5F04D2CBD3F130026AC25482AA5EC6A3D4BA8C194B

24576:0eLa9r8jAq/+nhRPX+dlC0XjZa0w6R7c4N34:0j9r8jz/+nPgVJ

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Drops the executable file immediately after the start

Steals credentials from Web Browsers

AGENTTESLA detected by memory dumps

Actions looks like stealing of personal data

SUSPICIOUS

Application launched itself

Reads settings of System Certificates

Executable content was dropped or overwritten

Reads browser cookies

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

The process checks LSA protection

Reads Environment values

Creates files or folders in the user directory

Drops a file that was compiled in debug mode

Create files in a temporary directory

Malware configuration

AgentTesla

Static information

TRiD

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

AgentTesla

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings