Windows Analysis Report
Gcerti Quote.exe

Overview

General Information

Sample name: Gcerti Quote.exe
Analysis ID: 1428412
MD5: 9a6474186b145552217cf4d421309733
SHA1: b21733889432abe65233736ce0e0289f8f3bddc4
SHA256: 3815bc3a78dc96a0af4aca4446b3afa741d3910530ae69b06895b0e499d49aa6
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.italiacanda-it.com", "Username": "snpss@italiacanda-it.com", "Password": "dsrociz1 "}
Multi AV Scanner detection for submitted file
Source: Gcerti Quote.exe ReversingLabs: Detection: 65%
Machine Learning detection for sample
Source: Gcerti Quote.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Gcerti Quote.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: Gcerti Quote.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 4x nop then jmp 05798C07h 0_2_05798D0D

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.9:49708 -> 208.91.198.143:587
Source: global traffic TCP traffic: 192.168.2.9:49708 -> 208.91.199.223:587
Source: global traffic TCP traffic: 192.168.2.9:49708 -> 208.91.199.224:587
Source: global traffic TCP traffic: 192.168.2.9:49708 -> 208.91.199.225:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 208.91.199.225 208.91.199.225
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.9:49708 -> 208.91.198.143:587
Source: global traffic TCP traffic: 192.168.2.9:49708 -> 208.91.199.223:587
Source: global traffic TCP traffic: 192.168.2.9:49708 -> 208.91.199.224:587
Source: global traffic TCP traffic: 192.168.2.9:49708 -> 208.91.199.225:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: Gcerti Quote.exe, 00000002.00000002.2577396201.0000000003251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Gcerti Quote.exe, 00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.italiacanda-it.com
Source: Gcerti Quote.exe, 00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Gcerti Quote.exe, 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, Gcerti Quote.exe, 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Gcerti Quote.exe, 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, Gcerti Quote.exe, 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Gcerti Quote.exe, 00000002.00000002.2577396201.0000000003251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Gcerti Quote.exe, 00000002.00000002.2577396201.0000000003251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Gcerti Quote.exe, 00000002.00000002.2577396201.0000000003251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, K6raBsUk6.cs .Net Code: _1kx
Source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, K6raBsUk6.cs .Net Code: _1kx

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.Gcerti Quote.exe.37d7690.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.Gcerti Quote.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Gcerti Quote.exe.379cc70.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: Gcerti Quote.exe, ExceptionMessage.cs Large array initialization: : array initializer size 616592
Source: 0.2.Gcerti Quote.exe.258a3e4.0.raw.unpack, .cs Large array initialization: : array initializer size 13798
Detected potential crypto function
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_00D0E240 0_2_00D0E240
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_0579A8D8 0_2_0579A8D8
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_05798AA0 0_2_05798AA0
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_05794360 0_2_05794360
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_05794BD0 0_2_05794BD0
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_05798A90 0_2_05798A90
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_015A8D88 2_2_015A8D88
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_015AD6F7 2_2_015AD6F7
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_015A8C30 2_2_015A8C30
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_015AB8B8 2_2_015AB8B8
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_018CE1C1 2_2_018CE1C1
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_018C4A98 2_2_018C4A98
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_018CAA1B 2_2_018CAA1B
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_018C3E80 2_2_018C3E80
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_018C41C8 2_2_018C41C8
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_018C0D77 2_2_018C0D77
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DD65E8 2_2_06DD65E8
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DD55A8 2_2_06DD55A8
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DD7D78 2_2_06DD7D78
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DDB220 2_2_06DDB220
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DD3060 2_2_06DD3060
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DDC170 2_2_06DDC170
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DD7698 2_2_06DD7698
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DD5CDB 2_2_06DD5CDB
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DD05A8 2_2_06DD05A8
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DDE388 2_2_06DDE388
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DD2370 2_2_06DD2370
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_06DD0007 2_2_06DD0007
Sample file is different than original file name gathered from version info
Source: Gcerti Quote.exe, 00000000.00000002.1345046966.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1350157359.00000000050C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed1d0086e-f958-473c-b56d-1a9de9dc0359.exe4 vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1350519021.00000000059B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1345999029.00000000025B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed1d0086e-f958-473c-b56d-1a9de9dc0359.exe4 vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000000.00000002.1345999029.0000000002561000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed1d0086e-f958-473c-b56d-1a9de9dc0359.exe4 vs Gcerti Quote.exe
Source: Gcerti Quote.exe, 00000002.00000002.2574622576.00000000012F9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Gcerti Quote.exe
Source: Gcerti Quote.exe Binary or memory string: OriginalFilenameNsUw.exe4 vs Gcerti Quote.exe
Uses 32bit PE files
Source: Gcerti Quote.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.Gcerti Quote.exe.37d7690.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.Gcerti Quote.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Gcerti Quote.exe.379cc70.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Gcerti Quote.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, c2bZQnG.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, c2bZQnG.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, Q1L0K.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, Q1L0K.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, uo1UBaEHa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, uo1UBaEHa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, uo1UBaEHa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, uo1UBaEHa.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, pdY2feOEB7Q4P75scM.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, pdY2feOEB7Q4P75scM.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, biCNQP8BONLoNEeqIF.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, biCNQP8BONLoNEeqIF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, biCNQP8BONLoNEeqIF.cs Security API names: _0020.AddAccessRule
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, biCNQP8BONLoNEeqIF.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, biCNQP8BONLoNEeqIF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, biCNQP8BONLoNEeqIF.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/5
Source: C:\Users\user\Desktop\Gcerti Quote.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Gcerti Quote.exe.log Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Gcerti Quote.exe Mutant created: \Sessions\1\BaseNamedObjects\ahhuFzThKm
Source: Gcerti Quote.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Gcerti Quote.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Gcerti Quote.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Gcerti Quote.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Gcerti Quote.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Gcerti Quote.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\Gcerti Quote.exe File read: C:\Users\user\Desktop\Gcerti Quote.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Gcerti Quote.exe "C:\Users\user\Desktop\Gcerti Quote.exe"
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process created: C:\Users\user\Desktop\Gcerti Quote.exe "C:\Users\user\Desktop\Gcerti Quote.exe"
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process created: C:\Users\user\Desktop\Gcerti Quote.exe "C:\Users\user\Desktop\Gcerti Quote.exe" Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Gcerti Quote.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Gcerti Quote.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, biCNQP8BONLoNEeqIF.cs .Net Code: Lh2YaPILsp System.Reflection.Assembly.Load(byte[])
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, biCNQP8BONLoNEeqIF.cs .Net Code: Lh2YaPILsp System.Reflection.Assembly.Load(byte[])
Source: 0.2.Gcerti Quote.exe.258a3e4.0.raw.unpack, LoginForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_00D06230 push esp; ret 0_2_00D06239
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_057904E6 push esi; ret 0_2_057904E7
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_05798700 push ebp; iretd 0_2_05798725
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_05798681 push ebp; iretd 0_2_057986A5
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_05795192 push E8FFFFFFh; iretd 0_2_0579519D
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 0_2_057903D2 push FFFFFFC4h; iretd 0_2_057903D4
Source: C:\Users\user\Desktop\Gcerti Quote.exe Code function: 2_2_018C0CB5 push edi; ret 2_2_018C0CC2
Source: Gcerti Quote.exe Static PE information: section name: .text entropy: 7.927894078342841
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, a29hdazao4dduN4f76.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'v1jA7IHm5Y', 'EmWApkPJBZ', 'yGQAGVrX0G', 't77AitcT1N', 'fV5AxoNb3D', 'y1rAAchnQE', 'Ij1AVOQyAP'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, qr6IqWHA39delcefpUo.cs High entropy of concatenated method names: 'SEWAfEnm3A', 'OodAPo9E16', 'bjHAafZq4S', 'Uo8AClEps4', 'NpNA6mhtbR', 'X9hAdlWDjQ', 'Mq3AMwZT8T', 'KS9ARY2BBg', 'LwnALT2CuZ', 'BhoAjF5nky'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, PTTuyVMcmfFe0NCfK2.cs High entropy of concatenated method names: 'MxBxtTZEHm', 'L3axmSc1kv', 'GvDxbx32dN', 'Pc1xyk5VYc', 'ffExvyT8TO', 'vLgxKM1d5k', 'rZBxq1qL9K', 'DOvx1ZaxLE', 'xeyxhh0KX9', 'dQLxEobWZm'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, cJHxb8HlRmHiGWECoTQ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T1OVO4JXK9', 'm6bVuGlZUU', 'pvpVBYCdIf', 'O9SV21sw1g', 'VVtVHPhJ00', 'i9vVZLMxp0', 'V37VgEac8G'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, a3Mh7yCaXvKwHiXv4S.cs High entropy of concatenated method names: 'Dispose', 'tCnonLZsEa', 'bDv5FiFcwH', 'FlUQQ8xS0W', 'uedo9LfDWE', 'rMkozjhXD0', 'ProcessDialogKey', 'PRv5l2iBQj', 'fVk5odW5fu', 'ymy55fVNQv'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, UXCjChnYhaI7UNr4qS.cs High entropy of concatenated method names: 'WKr7RJIfpe', 'TO17LFh0WW', 'GqV7kwBA4U', 'Gip7F9ApvX', 'tkW7e9VGxx', 'OFR78mE8aI', 'jCW73SgYQh', 'HaF7srenMa', 'qUm74w5TQP', 'Sdr7IogTwK'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, biCNQP8BONLoNEeqIF.cs High entropy of concatenated method names: 'Q97D0mDPAi', 'gmwDtlk7Bp', 'm77DmZkOnX', 'UlkDboGfvZ', 'zERDytFrP0', 'oPADvjUNwu', 'Ge8DKYnNeK', 'DqFDqoVqm2', 'nnmD1LChCn', 'WcvDhtPFXp'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, pyiYrm0BKK73XikD28.cs High entropy of concatenated method names: 'Xnhy670egr', 'GCgyMehNHE', 'i8NbXc6AgE', 'M2Nbe4NacV', 'UiZb88NbDl', 'LeCbSFGLDO', 'LjWb3ViKTd', 'kJubsgJ2ba', 'VSPbwVDvEn', 'DLnb4DpKl2'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, gFdexHFaaD4cEJcs8p.cs High entropy of concatenated method names: 'JMVAwqE8i3T539TSGhR', 'HWsK2fE1CLtDyJop4j4', 'gAmvxFZkx7', 'aGkvAFQqAA', 'flsvV30S6n', 'XIyla6E0PBjqgjjmiG8', 'KdTYtAElD6Y6hXYEDYM'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, pdY2feOEB7Q4P75scM.cs High entropy of concatenated method names: 'BfLmOZHLem', 'h2KmuKgsuc', 'MaWmBxcXjN', 'NJCm2ZU90m', 'CnmmHUOcJU', 'dGMmZSn0pE', 'Opnmgas0MR', 'aSimcReBLs', 'rhlmnia7tb', 'Yhmm9NB974'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, wJq0MfDIUfaouA28xv.cs High entropy of concatenated method names: 'ToString', 'umHGIpWM0m', 'ceFGFtd7On', 'cCOGX9iqfL', 'li8Ge5sc7v', 'dDjG8sqZJV', 'SIZGSjLmRe', 'o1EG3YljPl', 'g65GseR9Ks', 'kKBGw3JdjV'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, Ixoro1td292Qgwk5VC.cs High entropy of concatenated method names: 'qerv0YKErY', 'c4Xvm0dKTZ', 'f1yvyAXq40', 'mVlvKLN5kA', 'twPvqj7kwK', 'ASbyHyNPqQ', 'Rs4yZLBTkt', 'HmpygKoetV', 'GtZyckAROu', 'c0WynmGJRT'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, znf9XtUuUtKixFr9mg.cs High entropy of concatenated method names: 'QNAaZE9Hr', 'dwfCKvjO5', 'I40du2VIf', 'stEMyrxfk', 'g1WLAmbvQ', 'jkwjMJGdu', 'H8osRTXDo3IBiKAxyi', 'B5ed36u6DgXo7FU9oF', 'HvdxvjEdD', 'J9hVenFWl'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, nnuegImrahOMABdQ4W.cs High entropy of concatenated method names: 'pBpp4ZSrKT', 'vvxpTWtWFv', 'LFSpOZs0ED', 'pxkpuUhJfX', 'FdSpFlWhsn', 'UD8pXUm2m9', 'H94peaye9L', 'guhp8fDTML', 'nABpSWehc0', 'hVbp3T3oH5'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, uTAC5xb39sKkx4FDuH.cs High entropy of concatenated method names: 'K6uAoDLUCL', 'q4oADeLhFw', 'owmAYW7Drv', 'YV8AtUaetQ', 'AObAme2vCT', 'SipAyiXRuo', 'OACAvfsJH1', 'UnpxgyKgQi', 'OlixcsaR3D', 'AHdxnkxYpG'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, RMYX84IMaUr9MYjOPo.cs High entropy of concatenated method names: 'MnQicRkKWc', 'Lndi9Ba55J', 'vSMxlKJ5PD', 'DYxxokhR8b', 'noCiI4CPLd', 'msIiTfngLd', 'InYiUpSaUq', 'zU9iOeCNyi', 'xtciu7KSZJ', 'tNRiBasn7u'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, hdFvDjkss96iwQgJW4.cs High entropy of concatenated method names: 'HjaKf7YF6V', 'V1nKPcdeaw', 'iKvKaia1p9', 'gIiKCCEfES', 'hVoK6Os80v', 'BXxKdfKkDv', 'XTXKMCfFYy', 'ynhKRcn9FX', 'qcOKLXOLfh', 'LZaKjcxF7p'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, PRSON4XLlc79GlsfC0.cs High entropy of concatenated method names: 'lbLKtbfZfS', 'KVFKbMoKqH', 'A1WKvMusgu', 'qvnv9TfyTE', 'jivvzY9Vpr', 'oyIKlmN9Xu', 'C6NKoh4tBB', 'Q6OK5iJDSn', 'yUYKD4QRTb', 'ODbKYRYUnp'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, o8P50JT6AyrEU9YL5X.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'o6w5ntI4p3', 'DZp59QFAlo', 'Yee5zJs56m', 'o7CDlYuGmZ', 'XsXDo1nyME', 'NhYD5JJ91J', 'TRoDDm0wro', 'I3m5r5PPH57y5Vnkpyj'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, xX3kTQ6DmFsDnV1E8k.cs High entropy of concatenated method names: 'zZwbCIboQV', 'VfMbdNfVE3', 'pAvbRIEFd8', 'mcjbLNYqhv', 'X1cbpg1ad1', 'gZ0bGjgAO1', 'WhWbiOtBWs', 'H1vbxFi4BN', 'CFnbAgBNBW', 'tDQbVB3YTy'
Source: 0.2.Gcerti Quote.exe.59b0000.8.raw.unpack, TIEOMsKaTE6wXAYRRl.cs High entropy of concatenated method names: 'pKNoKZop2a', 'faOoqS2RRv', 'i2dohLEbYy', 'dAEoE6ZTKC', 'EANoptIfwk', 'bVvoGRQV4X', 'KNl6qYOV0KeWdvOOsA', 'df9KhvyG4gp4qjZHuD', 'hq3ooKamPE', 'Q4boD8r7j6'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, a29hdazao4dduN4f76.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'v1jA7IHm5Y', 'EmWApkPJBZ', 'yGQAGVrX0G', 't77AitcT1N', 'fV5AxoNb3D', 'y1rAAchnQE', 'Ij1AVOQyAP'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, qr6IqWHA39delcefpUo.cs High entropy of concatenated method names: 'SEWAfEnm3A', 'OodAPo9E16', 'bjHAafZq4S', 'Uo8AClEps4', 'NpNA6mhtbR', 'X9hAdlWDjQ', 'Mq3AMwZT8T', 'KS9ARY2BBg', 'LwnALT2CuZ', 'BhoAjF5nky'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, PTTuyVMcmfFe0NCfK2.cs High entropy of concatenated method names: 'MxBxtTZEHm', 'L3axmSc1kv', 'GvDxbx32dN', 'Pc1xyk5VYc', 'ffExvyT8TO', 'vLgxKM1d5k', 'rZBxq1qL9K', 'DOvx1ZaxLE', 'xeyxhh0KX9', 'dQLxEobWZm'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, cJHxb8HlRmHiGWECoTQ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T1OVO4JXK9', 'm6bVuGlZUU', 'pvpVBYCdIf', 'O9SV21sw1g', 'VVtVHPhJ00', 'i9vVZLMxp0', 'V37VgEac8G'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, a3Mh7yCaXvKwHiXv4S.cs High entropy of concatenated method names: 'Dispose', 'tCnonLZsEa', 'bDv5FiFcwH', 'FlUQQ8xS0W', 'uedo9LfDWE', 'rMkozjhXD0', 'ProcessDialogKey', 'PRv5l2iBQj', 'fVk5odW5fu', 'ymy55fVNQv'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, UXCjChnYhaI7UNr4qS.cs High entropy of concatenated method names: 'WKr7RJIfpe', 'TO17LFh0WW', 'GqV7kwBA4U', 'Gip7F9ApvX', 'tkW7e9VGxx', 'OFR78mE8aI', 'jCW73SgYQh', 'HaF7srenMa', 'qUm74w5TQP', 'Sdr7IogTwK'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, biCNQP8BONLoNEeqIF.cs High entropy of concatenated method names: 'Q97D0mDPAi', 'gmwDtlk7Bp', 'm77DmZkOnX', 'UlkDboGfvZ', 'zERDytFrP0', 'oPADvjUNwu', 'Ge8DKYnNeK', 'DqFDqoVqm2', 'nnmD1LChCn', 'WcvDhtPFXp'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, pyiYrm0BKK73XikD28.cs High entropy of concatenated method names: 'Xnhy670egr', 'GCgyMehNHE', 'i8NbXc6AgE', 'M2Nbe4NacV', 'UiZb88NbDl', 'LeCbSFGLDO', 'LjWb3ViKTd', 'kJubsgJ2ba', 'VSPbwVDvEn', 'DLnb4DpKl2'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, gFdexHFaaD4cEJcs8p.cs High entropy of concatenated method names: 'JMVAwqE8i3T539TSGhR', 'HWsK2fE1CLtDyJop4j4', 'gAmvxFZkx7', 'aGkvAFQqAA', 'flsvV30S6n', 'XIyla6E0PBjqgjjmiG8', 'KdTYtAElD6Y6hXYEDYM'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, pdY2feOEB7Q4P75scM.cs High entropy of concatenated method names: 'BfLmOZHLem', 'h2KmuKgsuc', 'MaWmBxcXjN', 'NJCm2ZU90m', 'CnmmHUOcJU', 'dGMmZSn0pE', 'Opnmgas0MR', 'aSimcReBLs', 'rhlmnia7tb', 'Yhmm9NB974'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, wJq0MfDIUfaouA28xv.cs High entropy of concatenated method names: 'ToString', 'umHGIpWM0m', 'ceFGFtd7On', 'cCOGX9iqfL', 'li8Ge5sc7v', 'dDjG8sqZJV', 'SIZGSjLmRe', 'o1EG3YljPl', 'g65GseR9Ks', 'kKBGw3JdjV'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, Ixoro1td292Qgwk5VC.cs High entropy of concatenated method names: 'qerv0YKErY', 'c4Xvm0dKTZ', 'f1yvyAXq40', 'mVlvKLN5kA', 'twPvqj7kwK', 'ASbyHyNPqQ', 'Rs4yZLBTkt', 'HmpygKoetV', 'GtZyckAROu', 'c0WynmGJRT'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, znf9XtUuUtKixFr9mg.cs High entropy of concatenated method names: 'QNAaZE9Hr', 'dwfCKvjO5', 'I40du2VIf', 'stEMyrxfk', 'g1WLAmbvQ', 'jkwjMJGdu', 'H8osRTXDo3IBiKAxyi', 'B5ed36u6DgXo7FU9oF', 'HvdxvjEdD', 'J9hVenFWl'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, nnuegImrahOMABdQ4W.cs High entropy of concatenated method names: 'pBpp4ZSrKT', 'vvxpTWtWFv', 'LFSpOZs0ED', 'pxkpuUhJfX', 'FdSpFlWhsn', 'UD8pXUm2m9', 'H94peaye9L', 'guhp8fDTML', 'nABpSWehc0', 'hVbp3T3oH5'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, uTAC5xb39sKkx4FDuH.cs High entropy of concatenated method names: 'K6uAoDLUCL', 'q4oADeLhFw', 'owmAYW7Drv', 'YV8AtUaetQ', 'AObAme2vCT', 'SipAyiXRuo', 'OACAvfsJH1', 'UnpxgyKgQi', 'OlixcsaR3D', 'AHdxnkxYpG'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, RMYX84IMaUr9MYjOPo.cs High entropy of concatenated method names: 'MnQicRkKWc', 'Lndi9Ba55J', 'vSMxlKJ5PD', 'DYxxokhR8b', 'noCiI4CPLd', 'msIiTfngLd', 'InYiUpSaUq', 'zU9iOeCNyi', 'xtciu7KSZJ', 'tNRiBasn7u'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, hdFvDjkss96iwQgJW4.cs High entropy of concatenated method names: 'HjaKf7YF6V', 'V1nKPcdeaw', 'iKvKaia1p9', 'gIiKCCEfES', 'hVoK6Os80v', 'BXxKdfKkDv', 'XTXKMCfFYy', 'ynhKRcn9FX', 'qcOKLXOLfh', 'LZaKjcxF7p'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, PRSON4XLlc79GlsfC0.cs High entropy of concatenated method names: 'lbLKtbfZfS', 'KVFKbMoKqH', 'A1WKvMusgu', 'qvnv9TfyTE', 'jivvzY9Vpr', 'oyIKlmN9Xu', 'C6NKoh4tBB', 'Q6OK5iJDSn', 'yUYKD4QRTb', 'ODbKYRYUnp'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, o8P50JT6AyrEU9YL5X.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'o6w5ntI4p3', 'DZp59QFAlo', 'Yee5zJs56m', 'o7CDlYuGmZ', 'XsXDo1nyME', 'NhYD5JJ91J', 'TRoDDm0wro', 'I3m5r5PPH57y5Vnkpyj'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, xX3kTQ6DmFsDnV1E8k.cs High entropy of concatenated method names: 'zZwbCIboQV', 'VfMbdNfVE3', 'pAvbRIEFd8', 'mcjbLNYqhv', 'X1cbpg1ad1', 'gZ0bGjgAO1', 'WhWbiOtBWs', 'H1vbxFi4BN', 'CFnbAgBNBW', 'tDQbVB3YTy'
Source: 0.2.Gcerti Quote.exe.38c8340.2.raw.unpack, TIEOMsKaTE6wXAYRRl.cs High entropy of concatenated method names: 'pKNoKZop2a', 'faOoqS2RRv', 'i2dohLEbYy', 'dAEoE6ZTKC', 'EANoptIfwk', 'bVvoGRQV4X', 'KNl6qYOV0KeWdvOOsA', 'df9KhvyG4gp4qjZHuD', 'hq3ooKamPE', 'Q4boD8r7j6'
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Gcerti Quote.exe PID: 968, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Gcerti Quote.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: D00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: 2560000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: 24B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: 5A30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: 6A30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: 6C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: 7C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: 18C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: 3250000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: 31A0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Gcerti Quote.exe Window / User API: threadDelayed 1311 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Window / User API: threadDelayed 8550 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 3304 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -29514790517935264s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 6388 Thread sleep count: 1311 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -99865s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 6388 Thread sleep count: 8550 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -99750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -99640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -99531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -99422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -99308s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -99170s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -99031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -98922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -98812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -98703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -98594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -98469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -98359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -98250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -98140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -98031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -97922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -97812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -97703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -97594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -97470s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -97344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -97234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -97125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -97015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -96905s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -96790s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -96687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -96578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -96468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -96359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -96250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -96140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -96031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -95922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -95812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -95703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -95594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -95484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -95374s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -95265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -95156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -95047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -94937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -94828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -94719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -94594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe TID: 7084 Thread sleep time: -94469s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Gcerti Quote.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Gcerti Quote.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Gcerti Quote.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99865 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99750 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99640 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99531 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99422 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99308 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99170 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 99031 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98922 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98812 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98703 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98594 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98469 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98359 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98250 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98140 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 98031 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97922 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97812 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97703 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97594 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97470 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97344 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97234 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97125 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 97015 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96905 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96790 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96687 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96578 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96468 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96359 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96250 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96140 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 96031 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95922 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95812 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95703 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95594 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95484 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95374 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95265 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95156 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 95047 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 94937 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 94828 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 94719 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 94594 Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Thread delayed: delay time: 94469 Jump to behavior
Source: Gcerti Quote.exe, 00000002.00000002.2574684975.0000000001456000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll||
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Gcerti Quote.exe Memory written: C:\Users\user\Desktop\Gcerti Quote.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Gcerti Quote.exe Process created: C:\Users\user\Desktop\Gcerti Quote.exe "C:\Users\user\Desktop\Gcerti Quote.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Users\user\Desktop\Gcerti Quote.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Users\user\Desktop\Gcerti Quote.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.Gcerti Quote.exe.37d7690.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Gcerti Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gcerti Quote.exe.379cc70.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2577396201.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Gcerti Quote.exe PID: 968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gcerti Quote.exe PID: 7140, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Gcerti Quote.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\Gcerti Quote.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.Gcerti Quote.exe.37d7690.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Gcerti Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gcerti Quote.exe.379cc70.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2577396201.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Gcerti Quote.exe PID: 968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gcerti Quote.exe PID: 7140, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.Gcerti Quote.exe.37d7690.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Gcerti Quote.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gcerti Quote.exe.379cc70.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gcerti Quote.exe.37d7690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Gcerti Quote.exe.379cc70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2574408572.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2577396201.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2577396201.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1346501403.000000000379C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Gcerti Quote.exe PID: 968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Gcerti Quote.exe PID: 7140, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.91.198.143
 us2.smtp.mailhostbox.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
104.26.12.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false
208.91.199.225
 unknown United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
208.91.199.223
 unknown United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
208.91.199.224
 unknown United States
394695 PUBLIC-DOMAIN-REGISTRYUS false

Contacted Domains

Name IP Active
us2.smtp.mailhostbox.com 208.91.198.143 true
api.ipify.org 104.26.12.205 true
smtp.italiacanda-it.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high