Malware Sandbox Comparison — AgentTesla, WannaCry & Pulsar RAT Analysis
Executive Summary
This report documents a comparative malware analysis project using three popular sandbox platforms: VirusTotal (Static), ANY.RUN (Dynamic), and Hybrid Analysis (Deep Tech). Three distinct malware samples spanning different threat categories were analyzed:
- AgentTesla — InfoStealer with SMTP exfiltration
- WannaCry — Ransomware/Worm with EternalBlue exploit
- Pulsar RAT — Remote Access Trojan with scheduled task persistence
Key Finding: No single tool provides complete visibility. VirusTotal excels at rapid triage, ANY.RUN visualizes behavioral logic (like kill switches), and Hybrid Analysis delivers deep technical attribution (CVEs, exploit details).
Methodology
Sandbox Platform Selection
| Platform | Analysis Type | Primary Strength |
|---|---|---|
| VirusTotal | Static/Reputation | Multi-vendor consensus, IOC extraction |
| ANY.RUN | Dynamic/Interactive | Real-time execution visualization, network traffic |
| Hybrid Analysis | Hybrid (Static+Dynamic) | Technical depth, exploit identification, threat scoring |
Sample Selection Criteria
Samples were chosen to represent diverse attack vectors:
- Credential theft (InfoStealer)
- File encryption + network propagation (Ransomware/Worm)
- Persistent remote access (RAT)
Sample 1: AgentTesla InfoStealer
Sample Hash (SHA256):
5f6a6db3743bbe2132f934943e1fe431d70290878193c2d47c89dec99c2228cd
File Type: PE32 Executable (delivered inside ZIP archive)
Malware Family: AgentTesla
Threat Category: InfoStealer / Credential Harvester
Static Analysis — VirusTotal
Detection Rate: 38/72 vendors (52.8% detection)
Key Findings:
- Family Identification: Correctly identified by GData as `MSIL.Trojan-Stealer.AgentTesla`
- Delivery Mechanism: Flagged as `Trojan.AutoIt` by multiple vendors
- Infrastructure IOC: Relations tab revealed a connection to `mail.cottondreams.org`
Analysis:
The relatively modest detection rate (52%) indicates the use of evasion techniques. The AutoIt signature suggests the malware is wrapped in a legitimate scripting framework to bypass static analysis.
Dynamic Analysis — ANY.RUN
Execution Flow:
```
Invoice-109900.exe (Initial File)
└── Spawns child process
    └── Injects into RegSvcs.exe (Microsoft .NET Framework)
        └── SMTP connection to mail.cottondreams.org:587
```
Network Activity:
- Protocol: SMTP (TCP Port 587)
- Destination: `mail.cottondreams.org`
- Purpose: Credential exfiltration via email
Behavioral Indicators:
- Process injection into the legitimate Windows binary `RegSvcs.exe`
- Use of a trusted Microsoft tool to evade firewall inspection
- Outbound SMTP traffic from non-email client process
Technical Analysis — Hybrid Analysis
Threat Score: 100/100 (Certain Malicious)
Confirmed Techniques:
- File Type: `peexe autoit executable`, confirming the AutoIt wrapper
- Defense Evasion: Binary obfuscation using a legitimate automation framework
- Process Injection: Code injection into `RegSvcs.exe` to achieve stealthier network access
Key Learnings
Living Off the Land (LOLBins):
The malware doesn’t run as a standalone process for long. By injecting into RegSvcs.exe (a trusted Microsoft .NET utility), it tricks both endpoint detection and network firewalls into trusting the traffic.
AutoIt Wrappers:
Attackers use legitimate scripting tools to “wrap” malicious payloads, altering file signatures to evade static AV detection. This is why VirusTotal’s detection rate was only 52% despite the payload being a known family.
SMTP as Exfiltration Channel:
Non-corporate SMTP traffic (Port 587) to unusual domains is a high-fidelity indicator of data theft. In a SOC environment, this would trigger immediate investigation.
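The detection idea above (outbound SMTP attributed to a process that is not a mail client) as an added example; this code is not part of the original report and not from any of the three sandbox vendors. It assumes endpoint telemetry that ties each socket to its owning process and parent (as EDR or Sysmon event 3 would provide), a hypothetical allow-list of approved mail clients, and constructed sample events modelled on the RegSvcs.exe observation.

```python
# Added example (not from the original report): a minimal correlation rule that
# flags outbound SMTP/SMTPS connections owned by a process that is not an
# approved mail client. Port-based firewall rules alone would pass this traffic;
# the process attribution from the endpoint is what makes the rule work.
from dataclasses import dataclass

MAIL_PORTS = {25, 465, 587}
# Assumed allow-list; a real deployment derives this from its own baseline.
APPROVED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class NetEvent:
    host: str
    pid: int
    process: str      # image name of the process owning the socket
    parent: str       # parent image name, for process-tree context
    dst_host: str
    dst_port: int


def smtp_from_non_mail_client(events):
    """Return one alert dict per outbound SMTP connection whose owning process
    is not on the approved mail-client list."""
    alerts = []
    for ev in events:
        if ev.dst_port not in MAIL_PORTS:
            continue
        if ev.process.lower() in APPROVED_MAIL_CLIENTS:
            continue
        alerts.append({
            "host": ev.host,
            "rule": "smtp-from-non-mail-client",
            "process": ev.process,
            "parent": ev.parent,
            "dst": f"{ev.dst_host}:{ev.dst_port}",
            # next step for the analyst, following the report's workflow
            "action": "inspect process tree; capture PCAP of the session",
        })
    return alerts


# Constructed sample telemetry (not real data). The second event mirrors the
# AgentTesla behaviour: RegSvcs.exe spawned under the invoice lure, talking SMTP.
SAMPLE_EVENTS = [
    NetEvent("WS-042", 1180, "outlook.exe", "explorer.exe", "smtp.corp.example", 587),
    NetEvent("WS-042", 2312, "RegSvcs.exe", "Invoice-109900.exe", "mail.cottondreams.org", 587),
    NetEvent("WS-042", 2400, "chrome.exe", "explorer.exe", "www.example.org", 443),
]

if __name__ == "__main__":
    for alert in smtp_from_non_mail_client(SAMPLE_EVENTS):
        print(alert)
```

Only the RegSvcs.exe event produces an alert: the mail client is allow-listed and the browser never touches a mail port. Keeping the parent image in the alert matters because a .NET utility with a lure-named parent is the injection pattern the sandbox showed.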
Sample 2: WannaCry Ransomware/Worm
Sample Hash (SHA256):
3bbe95a65e0ef8862e242d522d85050e25d0897cfe0a19f0739f5499b17eb55b
File Type: PE32 Executable
Malware Family: WannaCry (WanaCrypt0r 2.0)
Threat Category: Ransomware + Network Worm
Static Analysis — VirusTotal
Detection Rate: 68/72 vendors (94.4% detection)
Key Findings:
- High-Confidence Detection: Correctly identified by Microsoft, Kaspersky, SentinelOne
- Kill Switch Domain Extracted: `www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com`
- Family Labels: WannaCry, WannaCrypt0r, Wcry
Analysis:
The relations tab successfully extracted the hardcoded kill switch domain — a critical IOC. This domain acts as a global “off switch” for the malware.
Dynamic Analysis — ANY.RUN
Execution Logic Observed:
Kill Switch Check:
- The malware attempts an HTTP GET request to the kill switch domain
- Result: HTTP 200 OK (domain is live)
- Outcome: The malware aborts the encryption routine and does not deploy the payload
Network Behavior:
- Heavy scanning on TCP Port 445 (SMB)
- Attempted connections to random internal/external IPs
- Confirms presence of EternalBlue exploit for worm propagation
Payload Artifacts:
- `tasksche.exe`: dropped but not fully executed due to the kill switch
- File extension target: `.WNCRY`
- Ransom note: would display if the kill switch check failed
Technical Analysis — Hybrid Analysis
Exploit Identification:
- CVE-2017-0147 — SMB Remote Code Execution (EternalBlue)
- Persistence: Service installation as `mssecsvc2.0`
Worm Characteristics:
- Self-propagation via SMB vulnerability
- Distinguishes WannaCry from standard ransomware
Key Learnings
The Kill Switch Mechanism:
This sample contains the original logic that allowed security researcher Marcus Hutchins to stop the 2017 outbreak by registering the kill switch domain. The malware checks if the domain is reachable; if yes, it assumes it’s being analyzed and aborts.
Static vs. Dynamic Visibility:
- VirusTotal instantly provided the C2 domain and family name
- ANY.RUN demonstrated why the encryption didn’t trigger (kill switch activation)
- Both perspectives are essential for complete understanding
Worm Detection:
The massive outbound traffic on Port 445 (SMB scanning) differentiates this from standard ransomware. In a real SOC, this would immediately trigger “Network Scanning” alerts.
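The "Network Scanning" alert described above, written out as an added example (not from the original report or any vendor product): a fan-out detector that counts how many distinct hosts a single source contacts on TCP 445 inside a sliding time window. The threshold, window length and the flow records are assumptions chosen for illustration; a production rule would take them from the site's own baseline.

```python
# Added example (not from the original report): detect SMB fan-out from one
# source host, the traffic shape the report associates with worm propagation.
# Normal workstations talk to a handful of file servers; a scanner contacts
# dozens of distinct addresses on 445 within seconds.
from collections import defaultdict
from dataclasses import dataclass

SMB_PORT = 445
FANOUT_THRESHOLD = 20   # assumed: distinct 445 destinations per window that is "too many"
WINDOW_SECONDS = 60     # assumed sliding-window length


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since some epoch
    src: str
    dst: str
    dport: int


def smb_scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: peak number of distinct SMB destinations seen in any
    window of `window` seconds} for every source that reaches `threshold`."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == SMB_PORT:
            by_src[f.src].append(f)

    hits = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        peak = 0
        # O(n^2) sliding window is fine for an example; a real pipeline would
        # keep a deque per source and evict flows older than the window.
        for i, start in enumerate(fl):
            in_window = {g.dst for g in fl[i:] if g.ts - start.ts <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


# Constructed sample flows (not real data): 10.0.5.17 contacts 30 distinct
# addresses on 445 within six seconds; 10.0.5.20 only talks to one file server.
SAMPLE_FLOWS = (
    [Flow(1000.0 + i * 0.2, "10.0.5.17", f"10.0.{5 + i // 8}.{20 + i}", 445) for i in range(30)]
    + [Flow(1000.0, "10.0.5.20", "10.0.1.5", 445), Flow(1030.0, "10.0.5.20", "10.0.1.5", 445)]
    + [Flow(1001.0, "10.0.5.17", "10.0.1.5", 443)]   # unrelated HTTPS flow, ignored
)

if __name__ == "__main__":
    for src, peak in smb_scanners(SAMPLE_FLOWS).items():
        print(f"ALERT mass SMB scanning: {src} reached {peak} distinct hosts on 445")
```

The rule keys on distinct destinations rather than packet counts so that a host legitimately copying large files to one server never trips it, while a worm's sweep of a /24 does regardless of how few bytes each probe carries.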
Sample 3: Pulsar RAT (NjRAT Variant)
Sample Hash (SHA256):
e9c8470cf58fe9e8069d8417528c335201c527a3074a73883304f07a08b816ac
File Type: PE32 Executable
Malware Family: Pulsar / NjRAT
Threat Category: Remote Access Trojan (RAT)
Static Analysis — VirusTotal
Detection Rate: 39/72 vendors (54.2% detection)
Key Finding:
Low detection rate suggests this is a “FUD” (Fully Undetectable) build designed to evade signature-based AV.
Dynamic Analysis — ANY.RUN
Persistence Mechanism Observed:
Instead of simple startup folder placement, the malware used Windows Task Scheduler for elevated persistence:
```
schtasks.exe /create /tn "WinSys" /tr "C:\Windows\System32\SystemAttachments\Sys.exe" /sc onlogon /rl highest
```
Breakdown:
- Task Name: `WinSys` (masquerading as a system task)
- Executable: `Sys.exe` hidden in `System32\SystemAttachments\`
- Trigger: On every user logon
- Privilege: The `/rl highest` flag explicitly requests the highest available privileges (Admin/System), ensuring the malware has full control over the machine every time it reboots
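The breakdown above can be turned into a detection check. The following is an added example (not from the original report, not ANY.RUN's or Hybrid Analysis's logic): it parses a `schtasks /create` command line as a process-creation event would carry it, then scores the three traits the report calls out, a logon/boot trigger, a request for the highest run level, and a binary in a non-standard System32 subdirectory. The switch list, the allow-list of known System32 subdirectories and the benign comparison command are assumptions.

```python
# Added example (not from the original report): parse and score a
# 'schtasks /create' command line captured from process-creation telemetry.
import re

# Assumed subset of schtasks switches that take a value; the rest are flags.
SWITCHES_WITH_VALUE = {"/tn", "/tr", "/sc", "/rl", "/ru", "/rp", "/mo", "/st", "/sd"}
# Assumed allow-list of System32 subdirectories where scheduled binaries are unremarkable.
KNOWN_SYSTEM32_SUBDIRS = {"drivers", "wbem", "windowspowershell", "tasks", "config"}


def tokenize(cmdline):
    """Split on whitespace but keep double-quoted arguments (Windows paths) whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks_create(cmdline):
    """Return a dict of lower-cased switches to their values (True for flags)."""
    toks = tokenize(cmdline)
    parsed = {"_exe": toks[0] if toks else ""}
    i = 1
    while i < len(toks):
        key = toks[i].lower()
        if key in SWITCHES_WITH_VALUE and i + 1 < len(toks):
            parsed[key] = toks[i + 1]
            i += 2
        else:
            parsed[key] = True       # boolean switch such as /create or /f
            i += 1
    return parsed


def is_unusual_system32_path(path):
    """True when the binary sits in a System32 subdirectory outside the allow-list."""
    p = path.replace("/", "\\").lower()
    marker = "\\windows\\system32\\"
    if marker not in p:
        return False
    parts = p.split(marker, 1)[1].split("\\")
    if len(parts) == 1:              # file directly in System32
        return False
    return parts[0] not in KNOWN_SYSTEM32_SUBDIRS


def assess_task(cmdline):
    """Score the command line on the persistence traits the report highlights."""
    t = parse_schtasks_create(cmdline)
    findings = []
    if str(t.get("/sc", "")).lower() in {"onlogon", "onstart"}:
        findings.append("triggers at logon/boot (persistence)")
    if str(t.get("/rl", "")).lower() == "highest":
        findings.append("requests highest run level")
    if is_unusual_system32_path(str(t.get("/tr", ""))):
        findings.append("binary in non-standard System32 subdirectory")
    return {"task": t.get("/tn"), "binary": t.get("/tr"), "findings": findings, "score": len(findings)}


# The command observed in the report, plus a constructed benign task for contrast.
SAMPLE_CMD = r'schtasks.exe /create /tn "WinSys" /tr "C:\Windows\System32\SystemAttachments\Sys.exe" /sc onlogon /rl highest'
BENIGN_CMD = r'schtasks.exe /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'

if __name__ == "__main__":
    for cmd in (SAMPLE_CMD, BENIGN_CMD):
        print(assess_task(cmd))
```

The sample scores 3 of 3 and the backup task 0, which is the separation a SOC rule needs: `schtasks.exe` itself is everywhere, so the alert has to key on the combination of switches and path rather than on the binary.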
Behavioral Indicators:
- Use of `schtasks.exe` (legitimate Windows utility)
- Hidden file placement in a System32 subdirectory
- High-privilege execution request
Technical Analysis — Hybrid Analysis
Confirmed Techniques:
- Persistence: T1053.005 (Scheduled Task/Job)
- Defense Evasion: Masquerading as system file
- Privilege Escalation: Request for highest privilege level
Key Learnings
Behavioral Detection is Critical:
With only 54% static detection, traditional AV would miss this RAT. However, ANY.RUN immediately flagged the suspicious Task Scheduler activity, demonstrating the value of behavioral analysis.
Scheduled Tasks as Persistence:
Modern RATs avoid obvious persistence mechanisms (Registry Run keys). Task Scheduler provides:
- Elevated privileges
- Legitimate appearance (schtasks.exe is a Windows binary)
- Harder to detect without behavioral monitoring
Comparative Analysis Matrix
Tool Strengths & Weaknesses
| Feature | VirusTotal | ANY.RUN | Hybrid Analysis |
|---|---|---|---|
| Best For | Quick triage, known hashes | Visualizing malware logic | Deep technical extraction |
| Analysis Type | Static/Reputation | Dynamic/Interactive | Hybrid (Static+Dynamic) |
| Verdict Format | Detection ratio (68/72) | Malicious/Suspicious label | Threat score (0-100) |
| Key Strength | Multi-vendor consensus | Real-time behavior observation | CVE/exploit attribution |
| Primary Weakness | Cannot scan encrypted archives; misses 0-days | Limited runtime (60-120s); detectable sandbox | Can be slow; overwhelming detail |
Detection Results Summary
| Sample | VirusTotal | ANY.RUN | Hybrid Analysis |
|---|---|---|---|
| AgentTesla | 38/72 (53%) | Malicious | 100/100 |
| WannaCry | 68/72 (94%) | Malicious | 100/100 |
| Pulsar RAT | 39/72 (54%) | Malicious | 100/100 |
Critical Observations
AgentTesla:
- VirusTotal identified AutoIt wrapper
- ANY.RUN captured SMTP exfiltration
- Hybrid Analysis confirmed process injection technique
WannaCry:
- VirusTotal extracted kill switch domain
- ANY.RUN demonstrated kill switch activation
- Hybrid Analysis identified EternalBlue CVE
Pulsar RAT:
- VirusTotal showed low detection (FUD build)
- ANY.RUN flagged suspicious scheduled task creation
- Hybrid Analysis mapped to MITRE ATT&CK T1053.005
The Triangle of Analysis
Recommended Workflow:
```
1. VirusTotal (Static)
   ├─→ Quick verdict from 72 vendors
   ├─→ Extract IOCs (domains, IPs, hashes)
   └─→ Identify malware family
         ↓
2. ANY.RUN (Dynamic)
   ├─→ Observe execution flow
   ├─→ Capture network traffic (PCAP)
   └─→ Understand behavioral logic
         ↓
3. Hybrid Analysis (Deep Tech)
   ├─→ Confirm exploits and CVEs
   ├─→ Extract technical indicators
   └─→ Map to MITRE ATT&CK framework
```
Key Insight:
Using only one tool leaves blind spots:
- Static alone: Missed the WannaCry kill switch activation
- Dynamic alone: Didn’t identify the specific CVE-2017-0147 exploit
- Deep tech alone: Slower for rapid triage
Indicators of Compromise (IOCs)
AgentTesla InfoStealer
| Type | Value | Description |
|---|---|---|
| SHA256 | 5f6a6db3...c2228cd | Sample hash |
| Domain | mail.cottondreams.org | C2/Exfiltration server |
| Port | 587 (SMTP) | Exfiltration channel |
| Process | RegSvcs.exe | Injection target |
| Technique | T1055 (Process Injection) | MITRE ATT&CK |
WannaCry Ransomware
| Type | Value | Description |
|---|---|---|
| SHA256 | 3bbe95a6...7eb55b | Sample hash |
| Domain | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | Kill switch domain |
| CVE | CVE-2017-0147 | EternalBlue exploit |
| Port | 445 (SMB) | Propagation vector |
| Service | mssecsvc2.0 | Persistence mechanism |
| File Extension | .WNCRY | Encrypted file marker |
Pulsar RAT
| Type | Value | Description |
|---|---|---|
| SHA256 | e9c8470c...8b816ac | Sample hash |
| Task Name | WinSys | Scheduled task |
| File Path | C:\Windows\System32\SystemAttachments\Sys.exe | Malware location |
| Command | schtasks.exe /create ... | Persistence command |
| Technique | T1053.005 (Scheduled Task) | MITRE ATT&CK |
SOC Detection Strategies
Network-Based Detection
AgentTesla:
```
Alert: Non-standard SMTP traffic from system process
Trigger: RegSvcs.exe → TCP 587 → External Domain
Action: Investigate process tree, capture PCAP
```
WannaCry:
```
Alert: Mass SMB scanning detected
Trigger: Single host → Multiple IPs on Port 445
Action: Isolate host, check for EternalBlue patches
```
Endpoint-Based Detection
Pulsar RAT:
```
Alert: Suspicious scheduled task creation
Trigger: schtasks.exe with /rl highest flag
Action: Review task details, analyze executable path
```
General Rules
- AutoIt wrappers: Flag executables with AutoIt signatures + network activity
- Process injection: Alert on RegSvcs.exe with unexpected network connections
- Kill switch checks: Monitor for DNS queries to long random domain names
- Task Scheduler abuse: Baseline normal task creation, flag anomalies
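The "kill switch checks" rule above ("monitor for DNS queries to long random domain names") as an added example; it is not from the original report or any vendor's detection content. It scores the registrable label of each queried name by length and per-character Shannon entropy, using the WannaCry kill switch domain the report extracted as the positive case. The thresholds, the simplified two-level public-suffix model and the DNS log lines are assumptions.

```python
# Added example (not from the original report): flag DNS queries whose
# registrable label is long and high-entropy, the shape of the WannaCry kill
# switch domain and of DGA names generally.
import math
from collections import Counter

MIN_LABEL_LEN = 20      # assumed: legitimate registrable labels this long are rare
MIN_ENTROPY_BITS = 3.5  # assumed: per-character Shannon entropy cut-off for the label


def shannon_entropy(s):
    """Per-character Shannon entropy in bits; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    """Label left of the public suffix, assuming a plain two-level suffix
    (example.com). A production rule would consult the public suffix list so
    that names under co.uk and similar are split correctly."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(qname):
    label = registrable_label(qname)
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY_BITS


def flag_dns_log(lines):
    """Parse constructed 'timestamp client qname' lines; return (client, qname)
    pairs whose domain looks machine-generated."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue                      # skip blank or malformed lines
        _ts, client, qname = fields[:3]
        if looks_random(qname):
            hits.append((client, qname))
    return hits


# Constructed DNS log lines (not real data). The third query is the kill switch
# domain reported in the WannaCry section.
SAMPLE_DNS_LOG = [
    "2025-12-12T09:00:01Z 10.0.5.20 login.microsoftonline.com",
    "2025-12-12T09:00:02Z 10.0.5.20 mail.cottondreams.org",
    "2025-12-12T09:00:03Z 10.0.5.17 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2025-12-12T09:00:04Z 10.0.5.17 ctldl.windowsupdate.com",
]

if __name__ == "__main__":
    for client, qname in flag_dns_log(SAMPLE_DNS_LOG):
        print(f"ALERT random-looking domain queried by {client}: {qname}")
```

Scoring only the registrable label keeps CDN hostnames with long hashed subdomains out of the alert, and the length floor keeps short brand names below the entropy threshold. The rule is a triage signal, not a verdict: a hit should be joined with the querying process and with outbound SMB activity from the same host before anyone calls it WannaCry.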
Conclusion
This sandbox comparison project demonstrated that multi-tool analysis is essential for comprehensive malware understanding:
- VirusTotal provided rapid family identification and IOC extraction
- ANY.RUN revealed behavioral logic (kill switch activation, SMTP exfiltration, task creation)
- Hybrid Analysis delivered technical depth (CVEs, exploit confirmation, threat scoring)
Key Takeaways
- Evasion is common: 50-55% detection rates for AgentTesla and Pulsar RAT prove static analysis alone is insufficient
- Behavior matters: Dynamic analysis was required to validate the functionality of the WannaCry kill switch logic, whereas static analysis only identified the presence of the domain
- Context is critical: Understanding why malware behaves a certain way (AutoIt wrapper, scheduled task) informs better detection rules
- No single source of truth: Triangulate findings across static, dynamic, and deep technical analysis
Tools Used:
- VirusTotal (virustotal.com)
- ANY.RUN (app.any.run)
- Hybrid Analysis (hybrid-analysis.com)
Analysis Date: December 12, 2025
Analyst: El OMARI Zakaria
Tags: malware-analysis, sandbox-comparison, agenttesla, wannacry, pulsar-rat, eternalblue, smtp-exfiltration, process-injection, scheduled-tasks, ioc-extraction