Windows Analysis Report
FVN001-230824.exe

Overview

General Information

Sample name: FVN001-230824.exe
Analysis ID: 1410991
MD5: f9a102868bcd7a4c6779c73d678b50e4
SHA1: 5116f1b9a635c7c884ce558177ebe34fa5d992b0
SHA256: 959d491cbde6323dc2bf7c377a9c1e0940b988f51a3efcc0f1bd526cc0d210b4
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.pcpatelinfra.com", "Username": "barmer.store@pcpatelinfra.com", "Password": "sB)H)b!K8"}
Source: FVN001-230824.exe ReversingLabs: Detection: 71%
Source: FVN001-230824.exe Joe Sandbox ML: detected
Source: FVN001-230824.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: FVN001-230824.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: GTmz.pdb source: FVN001-230824.exe
Source: Binary string: GTmz.pdbSHA256 source: FVN001-230824.exe
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 4x nop then jmp 04815F0Ch 2_2_048157A2

Networking

Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.9:49713 -> 208.91.198.143:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.9:49713 -> 208.91.198.143:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.9:49713 -> 208.91.198.143:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.9:49713 -> 208.91.198.143:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.9:49713 -> 208.91.198.143:587
Source: Yara match File source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.9:49713 -> 208.91.198.143:587
Source: Joe Sandbox View IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: FVN001-230824.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: FVN001-230824.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: FVN001-230824.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.pcpatelinfra.com
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://support.mailhostbox.com/email-administrators-guide-error-codes/
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: FVN001-230824.exe, 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: FVN001-230824.exe, 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, FVN001-230824.exe, 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, FVN001-230824.exe, 00000005.00000002.2559950919.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: FVN001-230824.exe, 00000005.00000002.2559950919.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: FVN001-230824.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, NmHr1WHWKO.cs .Net Code: xoM6
Source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, NmHr1WHWKO.cs .Net Code: xoM6

System Summary

Source: 5.2.FVN001-230824.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.FVN001-230824.exe.3aaf240.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.FVN001-230824.exe.3a35448.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 2_2_00ADE22C 2_2_00ADE22C
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 2_2_00AD4AE0 2_2_00AD4AE0
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 2_2_048167C0 2_2_048167C0
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 2_2_04810C68 2_2_04810C68
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 2_2_04810C78 2_2_04810C78
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 2_2_04816FF0 2_2_04816FF0
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 2_2_04812758 2_2_04812758
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 2_2_048110B0 2_2_048110B0
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 2_2_04813108 2_2_04813108
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_02E74A98 5_2_02E74A98
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_02E7C94D 5_2_02E7C94D
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_02E73E80 5_2_02E73E80
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_02E7DCE1 5_2_02E7DCE1
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_02E741C8 5_2_02E741C8
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_02E7DFA0 5_2_02E7DFA0
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06990FF0 5_2_06990FF0
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06995CF8 5_2_06995CF8
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06993528 5_2_06993528
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06994570 5_2_06994570
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_0699E0A9 5_2_0699E0A9
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_0699919F 5_2_0699919F
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_0699A108 5_2_0699A108
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06995618 5_2_06995618
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06993C67 5_2_06993C67
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_0699C338 5_2_0699C338
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEA178 5_2_06AEA178
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEBC58 5_2_06AEBC58
Source: FVN001-230824.exe Static PE information: invalid certificate
Source: FVN001-230824.exe, 00000002.00000002.1354708928.0000000006F20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000002.00000002.1350866532.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000002.00000002.1351935296.0000000002814000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename29f7614c-ec9f-4464-a726-127a5c85976b.exe4 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename29f7614c-ec9f-4464-a726-127a5c85976b.exe4 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename29f7614c-ec9f-4464-a726-127a5c85976b.exe4 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename29f7614c-ec9f-4464-a726-127a5c85976b.exe4 vs FVN001-230824.exe
Source: FVN001-230824.exe, 00000005.00000002.2557776881.0000000000F39000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FVN001-230824.exe
Source: FVN001-230824.exe Binary or memory string: OriginalFilenameGTmz.exeB vs FVN001-230824.exe
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Section loaded: wintypes.dll
Source: 5.2.FVN001-230824.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.FVN001-230824.exe.3aaf240.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.FVN001-230824.exe.3a35448.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: FVN001-230824.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, ISZbPXDvPz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, ISZbPXDvPz.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, nAXAT51m.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, YpS.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, N34ZcyVrqOfmOWTrfa.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, XLyhyySTmK4ffAQfRP.cs Security API names: _0020.SetAccessControl
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, XLyhyySTmK4ffAQfRP.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, XLyhyySTmK4ffAQfRP.cs Security API names: _0020.AddAccessRule
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, N34ZcyVrqOfmOWTrfa.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, XLyhyySTmK4ffAQfRP.cs Security API names: _0020.SetAccessControl
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, XLyhyySTmK4ffAQfRP.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, XLyhyySTmK4ffAQfRP.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\FVN001-230824.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FVN001-230824.exe.log
Source: C:\Users\user\Desktop\FVN001-230824.exe Mutant created: NULL
Source: C:\Users\user\Desktop\FVN001-230824.exe Mutant created: \Sessions\1\BaseNamedObjects\YGoHVD
Source: FVN001-230824.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\FVN001-230824.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FVN001-230824.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FVN001-230824.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\FVN001-230824.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\FVN001-230824.exe C:\Users\user\Desktop\FVN001-230824.exe
Source: C:\Users\user\Desktop\FVN001-230824.exe Process created: C:\Users\user\Desktop\FVN001-230824.exe C:\Users\user\Desktop\FVN001-230824.exe
Source: C:\Users\user\Desktop\FVN001-230824.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\FVN001-230824.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: FVN001-230824.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FVN001-230824.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: FVN001-230824.exe, MainForm.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: FVN001-230824.exe, MainForm.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, XLyhyySTmK4ffAQfRP.cs .Net Code: R76tsrTkjC System.Reflection.Assembly.Load(byte[])
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, XLyhyySTmK4ffAQfRP.cs .Net Code: R76tsrTkjC System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 2_2_04810671 push edx; ret 2_2_04810680
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 2_2_04816188 push eax; ret 2_2_04816189
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_02E70CB5 push edi; ret 5_2_02E70CC2
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_02E70C95 push edi; retf 5_2_02E70C3A
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_0699FEC0 push es; ret 5_2_0699FED0
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AE5170 push es; ret 5_2_06AE5160
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AE5150 push es; ret 5_2_06AE5160
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEFB99 push es; iretd 5_2_06AEFBC8
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEFBCD push es; iretd 5_2_06AEFBDC
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEFBC9 push es; iretd 5_2_06AEFBCC
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEFBDD push es; iretd 5_2_06AEFBE0
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEFB21 push es; iretd 5_2_06AEFB24
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEFB10 push es; iretd 5_2_06AEFB20
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEFB6D push es; iretd 5_2_06AEFB70
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEFB7D push es; iretd 5_2_06AEFB88
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEFB71 push es; iretd 5_2_06AEFB7C
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEFB44 push es; iretd 5_2_06AEFB54
Source: C:\Users\user\Desktop\FVN001-230824.exe Code function: 5_2_06AEFB55 push es; iretd 5_2_06AEFB5C
Source: FVN001-230824.exe Static PE information: section name: .text entropy: 7.9530705368610946
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, hOL09Lfr1bK7NSIFg2.cs High entropy of concatenated method names: 'JHaP5HZPn8', 'BdMPxTLqZy', 'SogP7DyZ49', 'wLEPT4oE3X', 'N8uPIMnGWH', 'yqRPGtx3FS', 'p1YPaAocbh', 'I9TPmPnTBG', 'zuBPEwUhjb', 'A61PCTaFRK'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, DvMpNZAgK2Isvs1CEm.cs High entropy of concatenated method names: 'Dispose', 'xsTJUSWIb8', 'rt13TWNIMk', 'ar7ggqI0J5', 'aLyJZ9H2Gn', 'V0uJz07WZ4', 'ProcessDialogKey', 'A433N8SkjV', 'KyA3Jepiw0', 'Rxf336dgmy'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, XLyhyySTmK4ffAQfRP.cs High entropy of concatenated method names: 'I7Qv8rj2Mx', 'e7HvY2jjJA', 'vejvLWDMm3', 'jCvvXaSmN9', 'eowvjfl11w', 'KnXv1uoGuu', 'eSGvnewqjk', 'X7hvOrT3cZ', 'P8XvAMTeAv', 'NU8v4Y55dK'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, EoaQ3YrWSj4xVu9mSx.cs High entropy of concatenated method names: 'koWkEf9B89', 'F6YkR94iR1', 'd2Kk6WNp3p', 'xNlkFOTIkX', 'Ls7kTDeWjF', 'CltkM76YZr', 'lxjkI87Exq', 'xfwkGv1pGa', 'XsTk0s0Rxe', 'VfFkaudO56'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, Xn4GP52jQsLFHNejSw.cs High entropy of concatenated method names: 'spFXSn3c2A', 'SWZXWBXGoZ', 'x6jX5og4BU', 'JADXxRw01l', 'Cn2XkW9h3q', 'VH7XHYwCBt', 'CuJXf8XOPh', 'satXQ4lCAl', 'Ui5XlhuvPA', 'EsMXi8REy5'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, SG4F5vTGsYf2KfYXCu.cs High entropy of concatenated method names: 'GgOsM9I7V', 'xpaSMZGcC', 'eHKWesAMp', 'nBWwpIFqT', 'ChWxuyoGV', 'kQWBuvpS1', 'aKDJbk3NkiiIVY4OYS', 'OCvboUdM6ZsG3Dd68p', 'ExSQjp1YE', 'MgHiE70BR'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, IZn3i3Gk1n4iYx0vy0i.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bCki6QRNM8', 'NiDiFA9wmq', 'So5iDdXJrE', 'adqiKKurVZ', 'KSDiVd8nap', 'yL1ihCWdWB', 'siAiePhdJ7'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, n6N0ry1UwKZTDF1W7o.cs High entropy of concatenated method names: 'tOOQ7Y3gIy', 'loIQTS4tvD', 'RkSQMFS4cR', 'k7cQIILyED', 'pUZQ6ZcLjb', 'oybQGagK3q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, CqLFsODm2pZGhrJBy6.cs High entropy of concatenated method names: 'fO3no9cj4S', 'iLunr3leN0', 'Tq1nsfiTH6', 'LRqnS4Djtw', 'zk1n9dJCLP', 'F5PnWrTycY', 'VREnwuoF1p', 'JcSn5oyXK3', 'vjbnxBV6TS', 'kJjnBMsVK2'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, WUDBeKXW5DwYN7QhDQ.cs High entropy of concatenated method names: 'Q70fcMLyAW', 'VHpfZ1FYuJ', 'rOvQNMXUHg', 'YjKQJoA3oj', 'NBWfCOCcY0', 'X6ufRLqJjf', 'RmyfqJd9WR', 'k9Pf6fcWWF', 'jetfFBU8cH', 'fIZfDWooJK'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, TYjxgRGBcnj4N3bl4Qk.cs High entropy of concatenated method names: 'vYFlor7Qkp', 'aWnlrJX5cB', 'tmelshcB3E', 'TILlST9aOW', 'hLal9FsRvd', 'y1RlWjdwKi', 'y7Mlwu6xbD', 'kY8l5hZJXN', 'sJ0lxiWaKH', 'WlJlBDwLHh'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, SekI0imFQCXOq8VsmR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xxN3Um2Xa3', 'xBW3ZIAsis', 'w6J3zopyt0', 'VAgvNuG0uy', 'ARwvJS9miq', 'HJjv32ofHH', 'WmAvvH4EWN', 'dFYadHRGliwwvYud5mR'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, Vts58fHrCHZT20dRu9.cs High entropy of concatenated method names: 'r6TQYUdby1', 'sF8QLYrBC0', 'ih3QXl8dCw', 'bNKQj1wmSh', 'H7YQ19Jtdt', 'RaaQnxI7hJ', 'vhqQOG6e32', 'b1DQAgZH0J', 'AS6Q42AdN4', 'CJAQpvKS3e'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, OE11K0zLUfoCqyq2xS.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dXBlPbRRr4', 'IdXlkbsOYo', 'RlnlHga9NG', 'eDflftRUoy', 'OH5lQ6xRsx', 'AoVllQCMJt', 'PUYliLSKno'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, EMRX9ejm9MK7bCmTS1.cs High entropy of concatenated method names: 'E1d18WC3Ey', 'y5C1LyVhtj', 'dBB1jVx7gV', 'gMa1nJHtwP', 'ijp1OhA6GW', 'gYDjVUnsh4', 'wlhjhDSGDd', 'f2WjeCN9cD', 'v4FjcZ9DvL', 's5ojUXUC2X'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, N34ZcyVrqOfmOWTrfa.cs High entropy of concatenated method names: 'yfwL67mZU3', 'WxGLFtMs0s', 'JEnLDv6x7t', 'MyNLKqDpDc', 'XciLV4PMMa', 'zLfLhq6srU', 'tyPLeVdKLO', 'xxVLcPSpo6', 'GdHLUwPjuo', 's1LLZLZ8eV'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, b2Sm9vL4O9uFZXl1qI.cs High entropy of concatenated method names: 'qubJnJb6PA', 'wdWJOJ3QRy', 'he4J4pFIU7', 'YYKJpB6sHi', 'Ot7JkregbV', 'D5aJHy1OA6', 'SOw3tyYgg4GPke8umT', 'lGfd9E4DJBchLJSA2c', 'pOKJJG05TH', 'RHmJv7kOxw'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, TuuJmTvFVeV5mu7o3Z.cs High entropy of concatenated method names: 'ejt1yQyC1B', 'Bm41oFVAAL', 'HrV1sDNF1V', 'tkO1S4laP7', 'NI81W3pWAw', 'gYQ1w9O65V', 'KqI1xIHSXO', 'X4J1BfM9J0', 'ldiR4XG7ARMQIAAieoc', 'zcUP3ZGQ7HfLi0NZqXJ'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, iZV0pMM4Dts6tBSOQP.cs High entropy of concatenated method names: 'ToString', 'GXbHCrcmV3', 'YGkHTUH01B', 'tqcHM8amYg', 'BZyHI9WyrZ', 'fWXHG7m9hR', 'M52H0vAUNe', 'ySIHaJQZEo', 'xc6HmTD2Jd', 'qY6HbCmH1K'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, z74bjNPfWJrQUxpqQT.cs High entropy of concatenated method names: 'dVplJXgTjR', 'jxKlvECBZk', 'P74lt1W1nQ', 'vtMlYIeokD', 'FRNlLDiFOf', 'zdEljquJyX', 'QV4l1PWPKK', 'w3iQer2Tfm', 'kVTQcdBePH', 'ycnQUvsY7E'
Source: 2.2.FVN001-230824.exe.3b95940.2.raw.unpack, ip1viPnI8reVhE0pgB.cs High entropy of concatenated method names: 'WQ8nYh931Y', 'iu9nXwwIAl', 'euhn1joKk5', 'oaD1ZPx44R', 'G7W1zIvsJK', 'n72nNqVEsV', 'TrtnJn2aMO', 'pf3n3GkJUD', 'AnInvN5HLI', 'uK4ntxy0AD'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, hOL09Lfr1bK7NSIFg2.cs High entropy of concatenated method names: 'JHaP5HZPn8', 'BdMPxTLqZy', 'SogP7DyZ49', 'wLEPT4oE3X', 'N8uPIMnGWH', 'yqRPGtx3FS', 'p1YPaAocbh', 'I9TPmPnTBG', 'zuBPEwUhjb', 'A61PCTaFRK'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, DvMpNZAgK2Isvs1CEm.cs High entropy of concatenated method names: 'Dispose', 'xsTJUSWIb8', 'rt13TWNIMk', 'ar7ggqI0J5', 'aLyJZ9H2Gn', 'V0uJz07WZ4', 'ProcessDialogKey', 'A433N8SkjV', 'KyA3Jepiw0', 'Rxf336dgmy'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, XLyhyySTmK4ffAQfRP.cs High entropy of concatenated method names: 'I7Qv8rj2Mx', 'e7HvY2jjJA', 'vejvLWDMm3', 'jCvvXaSmN9', 'eowvjfl11w', 'KnXv1uoGuu', 'eSGvnewqjk', 'X7hvOrT3cZ', 'P8XvAMTeAv', 'NU8v4Y55dK'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, EoaQ3YrWSj4xVu9mSx.cs High entropy of concatenated method names: 'koWkEf9B89', 'F6YkR94iR1', 'd2Kk6WNp3p', 'xNlkFOTIkX', 'Ls7kTDeWjF', 'CltkM76YZr', 'lxjkI87Exq', 'xfwkGv1pGa', 'XsTk0s0Rxe', 'VfFkaudO56'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, Xn4GP52jQsLFHNejSw.cs High entropy of concatenated method names: 'spFXSn3c2A', 'SWZXWBXGoZ', 'x6jX5og4BU', 'JADXxRw01l', 'Cn2XkW9h3q', 'VH7XHYwCBt', 'CuJXf8XOPh', 'satXQ4lCAl', 'Ui5XlhuvPA', 'EsMXi8REy5'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, SG4F5vTGsYf2KfYXCu.cs High entropy of concatenated method names: 'GgOsM9I7V', 'xpaSMZGcC', 'eHKWesAMp', 'nBWwpIFqT', 'ChWxuyoGV', 'kQWBuvpS1', 'aKDJbk3NkiiIVY4OYS', 'OCvboUdM6ZsG3Dd68p', 'ExSQjp1YE', 'MgHiE70BR'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, IZn3i3Gk1n4iYx0vy0i.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bCki6QRNM8', 'NiDiFA9wmq', 'So5iDdXJrE', 'adqiKKurVZ', 'KSDiVd8nap', 'yL1ihCWdWB', 'siAiePhdJ7'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, n6N0ry1UwKZTDF1W7o.cs High entropy of concatenated method names: 'tOOQ7Y3gIy', 'loIQTS4tvD', 'RkSQMFS4cR', 'k7cQIILyED', 'pUZQ6ZcLjb', 'oybQGagK3q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, CqLFsODm2pZGhrJBy6.cs High entropy of concatenated method names: 'fO3no9cj4S', 'iLunr3leN0', 'Tq1nsfiTH6', 'LRqnS4Djtw', 'zk1n9dJCLP', 'F5PnWrTycY', 'VREnwuoF1p', 'JcSn5oyXK3', 'vjbnxBV6TS', 'kJjnBMsVK2'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, WUDBeKXW5DwYN7QhDQ.cs High entropy of concatenated method names: 'Q70fcMLyAW', 'VHpfZ1FYuJ', 'rOvQNMXUHg', 'YjKQJoA3oj', 'NBWfCOCcY0', 'X6ufRLqJjf', 'RmyfqJd9WR', 'k9Pf6fcWWF', 'jetfFBU8cH', 'fIZfDWooJK'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, TYjxgRGBcnj4N3bl4Qk.cs High entropy of concatenated method names: 'vYFlor7Qkp', 'aWnlrJX5cB', 'tmelshcB3E', 'TILlST9aOW', 'hLal9FsRvd', 'y1RlWjdwKi', 'y7Mlwu6xbD', 'kY8l5hZJXN', 'sJ0lxiWaKH', 'WlJlBDwLHh'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, SekI0imFQCXOq8VsmR.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xxN3Um2Xa3', 'xBW3ZIAsis', 'w6J3zopyt0', 'VAgvNuG0uy', 'ARwvJS9miq', 'HJjv32ofHH', 'WmAvvH4EWN', 'dFYadHRGliwwvYud5mR'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, Vts58fHrCHZT20dRu9.cs High entropy of concatenated method names: 'r6TQYUdby1', 'sF8QLYrBC0', 'ih3QXl8dCw', 'bNKQj1wmSh', 'H7YQ19Jtdt', 'RaaQnxI7hJ', 'vhqQOG6e32', 'b1DQAgZH0J', 'AS6Q42AdN4', 'CJAQpvKS3e'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, OE11K0zLUfoCqyq2xS.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dXBlPbRRr4', 'IdXlkbsOYo', 'RlnlHga9NG', 'eDflftRUoy', 'OH5lQ6xRsx', 'AoVllQCMJt', 'PUYliLSKno'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, EMRX9ejm9MK7bCmTS1.cs High entropy of concatenated method names: 'E1d18WC3Ey', 'y5C1LyVhtj', 'dBB1jVx7gV', 'gMa1nJHtwP', 'ijp1OhA6GW', 'gYDjVUnsh4', 'wlhjhDSGDd', 'f2WjeCN9cD', 'v4FjcZ9DvL', 's5ojUXUC2X'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, N34ZcyVrqOfmOWTrfa.cs High entropy of concatenated method names: 'yfwL67mZU3', 'WxGLFtMs0s', 'JEnLDv6x7t', 'MyNLKqDpDc', 'XciLV4PMMa', 'zLfLhq6srU', 'tyPLeVdKLO', 'xxVLcPSpo6', 'GdHLUwPjuo', 's1LLZLZ8eV'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, b2Sm9vL4O9uFZXl1qI.cs High entropy of concatenated method names: 'qubJnJb6PA', 'wdWJOJ3QRy', 'he4J4pFIU7', 'YYKJpB6sHi', 'Ot7JkregbV', 'D5aJHy1OA6', 'SOw3tyYgg4GPke8umT', 'lGfd9E4DJBchLJSA2c', 'pOKJJG05TH', 'RHmJv7kOxw'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, TuuJmTvFVeV5mu7o3Z.cs High entropy of concatenated method names: 'ejt1yQyC1B', 'Bm41oFVAAL', 'HrV1sDNF1V', 'tkO1S4laP7', 'NI81W3pWAw', 'gYQ1w9O65V', 'KqI1xIHSXO', 'X4J1BfM9J0', 'ldiR4XG7ARMQIAAieoc', 'zcUP3ZGQ7HfLi0NZqXJ'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, iZV0pMM4Dts6tBSOQP.cs High entropy of concatenated method names: 'ToString', 'GXbHCrcmV3', 'YGkHTUH01B', 'tqcHM8amYg', 'BZyHI9WyrZ', 'fWXHG7m9hR', 'M52H0vAUNe', 'ySIHaJQZEo', 'xc6HmTD2Jd', 'qY6HbCmH1K'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, z74bjNPfWJrQUxpqQT.cs High entropy of concatenated method names: 'dVplJXgTjR', 'jxKlvECBZk', 'P74lt1W1nQ', 'vtMlYIeokD', 'FRNlLDiFOf', 'zdEljquJyX', 'QV4l1PWPKK', 'w3iQer2Tfm', 'kVTQcdBePH', 'ycnQUvsY7E'
Source: 2.2.FVN001-230824.exe.6f20000.7.raw.unpack, ip1viPnI8reVhE0pgB.cs High entropy of concatenated method names: 'WQ8nYh931Y', 'iu9nXwwIAl', 'euhn1joKk5', 'oaD1ZPx44R', 'G7W1zIvsJK', 'n72nNqVEsV', 'TrtnJn2aMO', 'pf3n3GkJUD', 'AnInvN5HLI', 'uK4ntxy0AD'
Source: C:\Users\user\Desktop\FVN001-230824.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: FVN001-230824.exe PID: 1256, type: MEMORYSTR
Source: C:\Users\user\Desktop\FVN001-230824.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\FVN001-230824.exe Memory allocated: AD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Memory allocated: 27B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Memory allocated: 47B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Memory allocated: 6FA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Memory allocated: 7FA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Memory allocated: 8230000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Memory allocated: 9230000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Memory allocated: 2C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Memory allocated: 2F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Memory allocated: 2C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Window / User API: threadDelayed 764 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Window / User API: threadDelayed 3414 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 1756 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7228 Thread sleep count: 764 > 30 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -99891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7228 Thread sleep count: 3414 > 30 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -99781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -99672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -99563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -99344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -99235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -99110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -98985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -98860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -98735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -98610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -98485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -98360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -98235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -98110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -97985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -97860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -97735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -97610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe TID: 7224 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\FVN001-230824.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\FVN001-230824.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FVN001-230824.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 99891 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 99672 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 99563 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 99344 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 99235 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 99110 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 98985 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 98860 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 98735 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 98610 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 98485 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 98360 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 98235 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 98110 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 97985 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 97860 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 97735 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 97610 Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: FVN001-230824.exe, 00000005.00000002.2557873364.000000000103F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\FVN001-230824.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\FVN001-230824.exe Memory written: C:\Users\user\Desktop\FVN001-230824.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Process created: C:\Users\user\Desktop\FVN001-230824.exe C:\Users\user\Desktop\FVN001-230824.exe Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Queries volume information: C:\Users\user\Desktop\FVN001-230824.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Queries volume information: C:\Users\user\Desktop\FVN001-230824.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 5.2.FVN001-230824.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3aaf240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3a35448.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2559950919.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FVN001-230824.exe PID: 1256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FVN001-230824.exe PID: 1968, type: MEMORYSTR
Source: C:\Users\user\Desktop\FVN001-230824.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\FVN001-230824.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: Yara match File source: 5.2.FVN001-230824.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3aaf240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3a35448.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2559950919.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FVN001-230824.exe PID: 1256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FVN001-230824.exe PID: 1968, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 5.2.FVN001-230824.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3aaf240.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3a35448.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3a35448.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.FVN001-230824.exe.3aaf240.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2557513424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2559950919.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2559950919.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1352521735.0000000003A35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1352521735.0000000003AAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FVN001-230824.exe PID: 1256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FVN001-230824.exe PID: 1968, type: MEMORYSTR