Edit tour

Windows Analysis Report
Sysiq.exe

Overview

General Information

Sample name:	Sysiq.exe
Analysis ID:	1364079
MD5:	d4ba5e2982463378357486b8d7f656c1
SHA1:	dd0502d38ad2bb63e57bb71956bb02b38f825c86
SHA256:	d13bebabc4063d86102cef3bdaed105d826ee3f604986eebefa2e8be3620f29d
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Sysiq.exe (PID: 5024 cmdline: C:\Users\user\Desktop\Sysiq.exe MD5: D4BA5E2982463378357486B8D7F656C1)

Sysiq.exe (PID: 5480 cmdline: C:\Users\user\Desktop\Sysiq.exe MD5: D4BA5E2982463378357486B8D7F656C1)

Sysiq.exe (PID: 2928 cmdline: C:\Users\user\Desktop\Sysiq.exe MD5: D4BA5E2982463378357486B8D7F656C1)

Sysiq.exe (PID: 5784 cmdline: C:\Users\user\Desktop\Sysiq.exe MD5: D4BA5E2982463378357486B8D7F656C1)

Sysiq.exe (PID: 5864 cmdline: C:\Users\user\Desktop\Sysiq.exe MD5: D4BA5E2982463378357486B8D7F656C1)

Sysiq.exe (PID: 5608 cmdline: C:\Users\user\Desktop\Sysiq.exe MD5: D4BA5E2982463378357486B8D7F656C1)

Sysiq.exe (PID: 5284 cmdline: C:\Users\user\Desktop\Sysiq.exe MD5: D4BA5E2982463378357486B8D7F656C1)

Sysiq.exe (PID: 1684 cmdline: C:\Users\user\Desktop\Sysiq.exe MD5: D4BA5E2982463378357486B8D7F656C1)

Sysiq.exe (PID: 4720 cmdline: C:\Users\user\Desktop\Sysiq.exe MD5: D4BA5E2982463378357486B8D7F656C1)

Sysiq.exe (PID: 7104 cmdline: C:\Users\user\Desktop\Sysiq.exe MD5: D4BA5E2982463378357486B8D7F656C1)

Sysiq.exe (PID: 1436 cmdline: C:\Users\user\Desktop\Sysiq.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 1568 cmdline: "C:\Users\user\AppData\Roaming\customer.exe" MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 4180 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 6984 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 2380 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 5564 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 6620 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 4512 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 3496 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 1684 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 5284 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 5568 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 6196 cmdline: "C:\Users\user\AppData\Roaming\customer.exe" MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 2284 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 2812 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 5792 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 4336 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 6664 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 6056 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 6096 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 4848 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 6760 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

customer.exe (PID: 6788 cmdline: C:\Users\user\AppData\Roaming\customer.exe MD5: D4BA5E2982463378357486B8D7F656C1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/ https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.asiaparadisehotel.com", "Username": "asia@asiaparadisehotel.com", "Password": "^b2ycDldex$@"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2029549814.000001D3254D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2030388281.000001D33DA90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000018.00000002.2265691260.000001C800280000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000018.00000002.2265691260.000001C800214000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2265691260.000001C800214000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2030034541.000001D3353A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2030034541.000001D3353A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2181771504.0000018589C00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2029549814.000001D325474000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2029549814.000001D325474000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Sysiq.exe PID: 5024	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Sysiq.exe PID: 5024	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Sysiq.exe PID: 5024	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Sysiq.exe PID: 5024	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: customer.exe PID: 1568	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: customer.exe PID: 1568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: customer.exe PID: 1568	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: customer.exe PID: 1568	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: customer.exe PID: 6196	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: customer.exe PID: 6196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: customer.exe PID: 6196	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: customer.exe PID: 6196	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Sysiq.exe.1d33da90000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Sysiq.exe.1d3353bad30.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Sysiq.exe.1d3353bad30.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Sysiq.exe.1d3353bad30.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32618:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3268a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32714:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327a6:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32810:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32882:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32918:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329a8:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Sysiq.exe.1d3353bad30.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Sysiq.exe.1d3353bad30.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Sysiq.exe.1d3353bad30.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34418:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3448a:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34514:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345a6:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34610:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34682:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34718:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347a8:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.customer.exe.18589a98a98.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.customer.exe.18589a98a98.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.customer.exe.18589a98a98.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x12c6a0:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x12c712:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x12c79c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x12c82e:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x12c898:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x12c90a:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x12c9a0:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x12ca30:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Sysiq.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://45.137.22.163/Sluhmuv.mp3	Avira URL Cloud: Label: malware
Source: http://45.137.22.163	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\customer.exe

Avira: detection malicious, Label: HEUR/AGEN.1360909

Found malware configuration

Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.asiaparadisehotel.com", "Username": "asia@asiaparadisehotel.com", "Password": "^b2ycDldex$@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\customer.exe

ReversingLabs: Detection: 37%

Multi AV Scanner detection for submitted file

Source: Sysiq.exe

ReversingLabs: Detection: 56%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\customer.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Sysiq.exe

Joe Sandbox ML: detected

Source: Sysiq.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp

Source: global traffic	HTTP traffic detected: GET /Sluhmuv.mp3 HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Sluhmuv.mp3 HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Sluhmuv.mp3 HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 45.137.22.163 45.137.22.163
Source: Joe Sandbox View	IP Address: 45.137.22.163 45.137.22.163

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163

Source: global traffic	HTTP traffic detected: GET /Sluhmuv.mp3 HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Sluhmuv.mp3 HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Sluhmuv.mp3 HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive

Source: Sysiq.exe, 00000000.00000002.2029549814.000001D325261000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.0000018589981000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.163
Source: Sysiq.exe, 00000000.00000002.2029549814.000001D325261000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029075002.000001D323789000.00000004.00000020.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.0000018589981000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.163/Sluhmuv.mp3
Source: Sysiq.exe, 00000000.00000002.2029549814.000001D325261000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.0000018589981000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sysiq.exe, 00000000.00000002.2030034541.000001D3353A5000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D325474000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800214000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Sysiq.exe, 00000000.00000002.2030034541.000001D3353A5000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D325474000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800214000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2182677868.0000018599A4F000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2267122749.000001C8100CF000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, 7TKWGnXn73a.cs

.Net Code: TCRT08Jk

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Sysiq.exe.1d3353bad30.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.customer.exe.18589a98a98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\AppData\Roaming\customer.exe

Code function: 24_2_00007FF848F79419 NtUnmapViewOfSection,

24_2_00007FF848F79419

Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 12_2_00007FF849002EF4	12_2_00007FF849002EF4
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 24_2_00007FF848F59138	24_2_00007FF848F59138
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 24_2_00007FF848F569F0	24_2_00007FF848F569F0
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 24_2_00007FF848F59148	24_2_00007FF848F59148
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 24_2_00007FF848F530F4	24_2_00007FF848F530F4
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 24_2_00007FF848F6F32B	24_2_00007FF848F6F32B
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 24_2_00007FF848F6E3ED	24_2_00007FF848F6E3ED

Source: customer.exe.0.dr	Static PE information: No import functions for PE file found
Source: Sysiq.exe	Static PE information: No import functions for PE file found

Source: Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Sysiq.exe
Source: Sysiq.exe, 00000000.00000002.2030034541.000001D3353A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7abe5cc2-0bc4-4b46-a628-af4aacaf298a.exe4 vs Sysiq.exe
Source: Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Sysiq.exe
Source: Sysiq.exe, 00000000.00000002.2029549814.000001D325474000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7abe5cc2-0bc4-4b46-a628-af4aacaf298a.exe4 vs Sysiq.exe
Source: Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Sysiq.exe
Source: Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Sysiq.exe
Source: Sysiq.exe, 00000000.00000002.2029374005.000001D3238B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHeqsj.dll" vs Sysiq.exe

Source: 0.2.Sysiq.exe.1d3353bad30.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.customer.exe.18589a98a98.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, oUNrFbu7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, JvgeUdCS7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, UUqvN9Qp1Mm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, r9z0egVzR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, mA0cD4lJnL.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, mvuSkzq.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, PBhpbUDXgKv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, PBhpbUDXgKv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, PBhpbUDXgKv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, PBhpbUDXgKv.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@63/4@0/1

Source: C:\Users\user\Desktop\Sysiq.exe

File created: C:\Users\user\AppData\Roaming\customer.exe

Jump to behavior

Source: Sysiq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Sysiq.exe	Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\Sysiq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Sysiq.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Sysiq.exe

ReversingLabs: Detection: 56%

Source: C:\Users\user\Desktop\Sysiq.exe

File read: C:\Users\user\Desktop\Sysiq.exe

Jump to behavior

Source: C:\Users\user\Desktop\Sysiq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Sysiq.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Sysiq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Sysiq.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Sysiq.exe, DecoratorWrapperResolver.cs	.Net Code: InstantiateFactory System.Reflection.Assembly.Load(byte[])
Source: customer.exe.0.dr, DecoratorWrapperResolver.cs	.Net Code: InstantiateFactory System.Reflection.Assembly.Load(byte[])
Source: 0.2.Sysiq.exe.1d335299ab0.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.Sysiq.exe.1d335299ab0.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.Sysiq.exe.1d335299ab0.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.Sysiq.exe.1d335299ab0.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.Sysiq.exe.1d335299ab0.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.Sysiq.exe.1d33dd50000.8.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.Sysiq.exe.1d33dd50000.8.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.Sysiq.exe.1d33dd50000.8.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.Sysiq.exe.1d33dd50000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.Sysiq.exe.1d33dd50000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.Sysiq.exe.1d3352e9ae8.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.Sysiq.exe.1d3352e9ae8.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.Sysiq.exe.1d3352e9ae8.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.Sysiq.exe.1d3352e9ae8.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.Sysiq.exe.1d3352e9ae8.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.Sysiq.exe.1d33da90000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2029549814.000001D3254D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2030388281.000001D33DA90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2265691260.000001C800280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2181771504.0000018589C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sysiq.exe PID: 5024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 1568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 6196, type: MEMORYSTR

Source: C:\Users\user\Desktop\Sysiq.exe	Code function: 0_2_00007FF848F0E2B3 push FFFFFFE8h; retf	0_2_00007FF848F0E2F1
Source: C:\Users\user\Desktop\Sysiq.exe	Code function: 0_2_00007FF848F000BD pushad ; iretd	0_2_00007FF848F000C1
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 12_2_00007FF848F1E2B3 push FFFFFFE8h; retf	12_2_00007FF848F1E2F1
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 12_2_00007FF848F100BD pushad ; iretd	12_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 24_2_00007FF848F100BD pushad ; iretd	24_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 24_2_00007FF848F57963 push ebx; retf	24_2_00007FF848F5796A
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 24_2_00007FF848F55BF0 push eax; ret	24_2_00007FF848F55C5C
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 24_2_00007FF848F70D91 push ds; ret	24_2_00007FF848F70DB4
Source: C:\Users\user\AppData\Roaming\customer.exe	Code function: 24_2_00007FF848F758B1 pushfd ; retf	24_2_00007FF848F758F1

Source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, Gt8Y8ua.cs

High entropy of concatenated method names: 'anZeP', 'N8MkSiRD', 'HzU0NMuK6', 'obFEacQg6', 'tkzz5e', 'q3fvpUP', 'fCmKhm0O', 'G4sAGKitM', 'f42w1', 'xSTFJHrP'

Source: C:\Users\user\Desktop\Sysiq.exe

File created: C:\Users\user\AppData\Roaming\customer.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Sysiq.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run customer			Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run customer			Jump to behavior

Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Source: C:\Users\user\Desktop\Sysiq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Sysiq.exe TID: 4512	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe TID: 6620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe TID: 3624	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe TID: 2276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe TID: 2820	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe TID: 7060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Sysiq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: Sysiq.exe, 00000000.00000002.2029075002.000001D32377C000.00000004.00000020.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2180346695.0000018587FC1000.00000004.00000020.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2267415235.000001C8729AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Sysiq.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Sysiq.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Sysiq.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Sysiq.exe	Queries volume information: C:\Users\user\Desktop\Sysiq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Queries volume information: C:\Users\user\AppData\Roaming\customer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Queries volume information: C:\Users\user\AppData\Roaming\customer.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Sysiq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Sysiq.exe.1d3353bad30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.customer.exe.18589a98a98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2265691260.000001C800214000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2030034541.000001D3353A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2029549814.000001D325474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sysiq.exe PID: 5024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 1568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 6196, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sysiq.exe PID: 5024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 1568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 6196, type: MEMORYSTR

Source: Yara match	File source: 0.2.Sysiq.exe.1d3353bad30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.customer.exe.18589a98a98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2265691260.000001C800214000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2030034541.000001D3353A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2029549814.000001D325474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sysiq.exe PID: 5024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 1568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 6196, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Sysiq.exe.1d3353bad30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Sysiq.exe.1d3353bad30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.customer.exe.18589a98a98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2265691260.000001C800214000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2030034541.000001D3353A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2029549814.000001D325474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sysiq.exe PID: 5024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 1568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 6196, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sysiq.exe PID: 5024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 1568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: customer.exe PID: 6196, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	1 Input Capture	21 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Sysiq.exe	57%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
Sysiq.exe	100%	Avira	HEUR/AGEN.1360909
Sysiq.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\customer.exe	100%	Avira	HEUR/AGEN.1360909
C:\Users\user\AppData\Roaming\customer.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\customer.exe	38%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Source	Detection	Scanner	Label	Link
http://45.137.22.163/Sluhmuv.mp3	100%	Avira URL Cloud	malware
http://45.137.22.163	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://45.137.22.163/Sluhmuv.mp3	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-net	Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	Sysiq.exe, 00000000.00000002.2030034541.000001D3353A5000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D325474000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800214000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.137.22.163	Sysiq.exe, 00000000.00000002.2029549814.000001D325261000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.0000018589981000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800010000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/mgravell/protobuf-neti	Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	Sysiq.exe, 00000000.00000002.2030034541.000001D3353A5000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D325474000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800214000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2182677868.0000018599A4F000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2267122749.000001C8100CF000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Sysiq.exe, 00000000.00000002.2029549814.000001D325261000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.0000018589981000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800010000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2029549814.000001D3252A2000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 0000000C.00000002.2181771504.00000185899C2000.00000004.00000800.00020000.00000000.sdmp, customer.exe, 00000018.00000002.2265691260.000001C800094000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	Sysiq.exe, 00000000.00000002.2030613160.000001D33DD50000.00000004.08000000.00040000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D3352E9000.00000004.00000800.00020000.00000000.sdmp, Sysiq.exe, 00000000.00000002.2030034541.000001D335271000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.137.22.163	unknown	Netherlands		51447	ROOTLAYERNETNL	false

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1364079
Start date and time:	2023-12-18 18:43:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Sysiq.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@63/4@0/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Sysiq.exe, PID 5024 because it is empty
Execution Graph export aborted for target customer.exe, PID 1568 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Sysiq.exe

Simulations

Behavior and APIs

Time	Type	Description
18:43:54	API Interceptor	1x Sleep call for process: Sysiq.exe modified
18:43:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run customer C:\Users\user\AppData\Roaming\customer.exe
18:44:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run customer C:\Users\user\AppData\Roaming\customer.exe
18:44:10	API Interceptor	2x Sleep call for process: customer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.137.22.163	NEW_ORDER_12-18-23.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	45.137.22.163/Akoob.pdf
	SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	45.137.22.163/hiii.pdf
	Controllo saldo 30% Ordine 5667.exe	Get hash	malicious	AgentTesla	Browse	45.137.22.163/bless_Jkvszuhw.png
	Quotation-pdf______________________________________.exe	Get hash	malicious	AgentTesla	Browse	45.137.22.163/Toscgshw_Yvmodcuo.png
	#Uc8fc#Ubb38 30% #Uc794#Uc561 #Ud655#Uc778.exe	Get hash	malicious	Snake Keylogger	Browse	45.137.22.163/orderfile_Hecqxfqw.png
	New order _xls.exe	Get hash	malicious	Snake Keylogger	Browse	45.137.22.163/New_order__xls_Ivuuoipf.bmp
	SecuriteInfo.com.W32.MSIL_Kryptik.GXA.genEldorado.18172.exe	Get hash	malicious	Snake Keylogger	Browse	45.137.22.163/fact_Sptqaevl.bmp
	order confirmation 46574 -QT-04-0022.exe	Get hash	malicious	Snake Keylogger	Browse	45.137.22.163/order_confirmation_46574_-QT-04-0022_Yszciyqc.jpg
	Quotation-pdf______________________________________.exe	Get hash	malicious	AgentTesla	Browse	45.137.22.163/Kwcmalox_Bcqlnfnp.jpg
	2467864 _INV_pdf.exe	Get hash	malicious	Snake Keylogger	Browse	45.137.22.163/Hebvr_Lwvvdxxi.bmp
	conferma d'ordine 46574.exe	Get hash	malicious	Snake Keylogger	Browse	45.137.22.163/fresh_Djctepjr.png
	factura proforma PI- PI04522 7486.exe	Get hash	malicious	Unknown	Browse	45.137.22.163/trans_Yygygcyg.jpg
	PI- PI04522 74868.exe	Get hash	malicious	AgentTesla	Browse	45.137.22.163/proforma_invoice_Crnbdlom.png
	paymentcopy-pdf__________________________________.exe	Get hash	malicious	AgentTesla	Browse	45.137.22.163/Wmdmjhtr_Pendcahw.bmp
	Paymentcopy-pdf___________________________________.exe	Get hash	malicious	AgentTesla	Browse	45.137.22.163/Dhjuzchby_Xwgoflwi.bmp
	AIR CARGO BOARDING shipment MAWB 40608657504.exe	Get hash	malicious	Snake Keylogger	Browse	45.137.22.163/Ejghs_Imuzrnrb.png
	PI- PI04522748-pdf.exe	Get hash	malicious	Snake Keylogger	Browse	45.137.22.163/Cpogmqp_Qhkfesil.jpg
	Ordine di acquisto PO-JTT-00001018.exe	Get hash	malicious	Snake Keylogger	Browse	45.137.22.163/Htrcekszm_Kcdcxrzw.jpg

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	NEW_ORDER_12-18-23.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	45.137.22.163
	PAYMENT_TT_COPY.pdf.exe	Get hash	malicious	RedLine	Browse	185.222.58.239
	SecuriteInfo.com.MSIL.Generik.FMUPQYX.tr.3045.24667.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	45.137.22.163
	cVw2fI6l0l.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer, SmokeLoader	Browse	45.137.21.8
	D4CJJrRyRV.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig	Browse	45.137.21.8
	C2qEwpO6ff.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, PureLog Stealer, RedLine, SmokeLoader, Xmrig	Browse	45.137.21.8
	rQ7KS66xHz.exe	Get hash	malicious	Glupteba, PureLog Stealer, RedLine, SmokeLoader, Xmrig	Browse	45.137.21.8
	cgROS79PO8.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig	Browse	45.137.21.8
	GQmlDdfIus.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig	Browse	45.137.21.8
	tFXV5OO73i.exe	Get hash	malicious	Glupteba, PureLog Stealer, RedLine, SmokeLoader, Xmrig	Browse	45.137.21.8
	xR0Sb2wGy9.exe	Get hash	malicious	RedLine	Browse	185.222.58.99
	rdU3cg9xmI.exe	Get hash	malicious	Glupteba, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader, Xmrig	Browse	45.137.21.8
	Dzc2otu6qd.exe	Get hash	malicious	Glupteba, LummaC Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig	Browse	45.137.21.8
	YRdCIU1WYM.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer, SmokeLoader	Browse	45.137.21.8
	ae6r1Pwu4b.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig	Browse	45.137.21.8
	8d6f8324030f8c1566ab38f8ade3c386b7b7740ccaf28.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer, SmokeLoader	Browse	45.137.21.8
	e6Ebnpst2H.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Xmrig	Browse	45.137.21.8
	C2Q2uZGYEJ.exe	Get hash	malicious	LummaC Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader	Browse	45.137.21.8
	O67RAr74KS.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer, SmokeLoader	Browse	45.137.21.8
	HVT3sNz081.exe	Get hash	malicious	PrivateLoader, RedLine, RisePro Stealer, SmokeLoader	Browse	45.137.21.8

Process:	C:\Users\user\Desktop\Sysiq.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1492
Entropy (8bit):	5.3787668257697945
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNt1qE4GIs0E4KVE4kh:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIx
MD5:	E6AD1A632B3ED1855D07C71585EE32C3
SHA1:	D44EC2568001E1B1492B86681211788246A55ADD
SHA-256:	CA2883CA6638072E9A3E8A455CFD1C5D7903EEF606924F06E90C2F474751E88D
SHA-512:	B09AD19DB449687B3BB91CA8E97E553AB7CBC1B5323D920F75D0CC930FBF1637CB1087170AD00E34677D29A9EBDA5F9A96A4AA1C736C7AC1C24A70DFB4A215D0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\customer.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\customer.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1492
Entropy (8bit):	5.3787668257697945
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNt1qE4GIs0E4KVE4kh:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIx
MD5:	E6AD1A632B3ED1855D07C71585EE32C3
SHA1:	D44EC2568001E1B1492B86681211788246A55ADD
SHA-256:	CA2883CA6638072E9A3E8A455CFD1C5D7903EEF606924F06E90C2F474751E88D
SHA-512:	B09AD19DB449687B3BB91CA8E97E553AB7CBC1B5323D920F75D0CC930FBF1637CB1087170AD00E34677D29A9EBDA5F9A96A4AA1C736C7AC1C24A70DFB4A215D0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Roaming\customer.exe

Download File

Process:	C:\Users\user\Desktop\Sysiq.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48640
Entropy (8bit):	5.6309314294226205
Encrypted:	false
SSDEEP:	768:F20/1cyCPJmQcsmC2+vdiS8hYo8gk4nFYiBIuSWC93hxb/xeFe746FCi:F2s1bwJt2Lj8gfii3hC93hX4E4K
MD5:	D4BA5E2982463378357486B8D7F656C1
SHA1:	DD0502D38AD2BB63E57BB71956BB02B38F825C86
SHA-256:	D13BEBABC4063D86102CEF3BDAED105D826EE3F604986EEBEFA2E8BE3620F29D
SHA-512:	CC617EBEA4B67E85FC02C56D9099649D88F88D8463E62DC3D78B139BAA0C32E3B7B346C584EE4C1DFD3D8D97121E6C39EA4D91BEE91FDA5D05EB437930A06E37
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...I.ze................................. ....@...... ....................................`...@......@............... .................................. ............................................................................................ ..H............text........ ...................... ..`.rsrc... ...........................@..@........................................H............>......9.......?...............................................(.......(....*.0..>....... ........8........E&...f...................T...Y.......................x...........\...............k...................Z.......Y..."...E.......+...1...........6...............8a....... 8...X..X..Xa.. ....8A..... ..7a..Xffefeefeffe.. p...X

Source: unknown	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\customer.exe "C:\Users\user\AppData\Roaming\customer.exe"
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\customer.exe "C:\Users\user\AppData\Roaming\customer.exe"
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sysiq.exe	Process created: C:\Users\user\Desktop\Sysiq.exe C:\Users\user\Desktop\Sysiq.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\customer.exe	Process created: C:\Users\user\AppData\Roaming\customer.exe C:\Users\user\AppData\Roaming\customer.exe	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Sysiq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sysiq.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\customer.exe.log

C:\Users\user\AppData\Roaming\customer.exe

Windows Analysis Report
Sysiq.exe