Windows Analysis Report
rTDN001-180424_PDF.scr.exe

Overview

General Information

Sample name: rTDN001-180424_PDF.scr.exe
Analysis ID: 1428898
MD5: 8590b71f1a27b4e68eb861cce9c9d013
SHA1: e5c1ca200401c5c4c217b284bb0d5657952a0a8b
SHA256: 3b21b03225102a26014f6c81ad24ae6d8f7d31ebeee24dc898b606d38df2ae76
Tags: exescr
Infos:

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 6.2.MSBuild.exe.410000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "chyna@elemacuae.com", "Password": "qIFYdaUG8"}
Multi AV Scanner detection for submitted file
Source: rTDN001-180424_PDF.scr.exe ReversingLabs: Detection: 65%
Machine Learning detection for sample
Source: rTDN001-180424_PDF.scr.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: rTDN001-180424_PDF.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49720 version: TLS 1.0
Source: unknown HTTPS traffic detected: 94.154.117.223:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: rTDN001-180424_PDF.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2323481881.0000000006A00000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2323481881.0000000006A00000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295537311.0000000003190000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295537311.0000000003190000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49714 -> 208.91.198.143:587
Source: global traffic TCP traffic: 192.168.2.6:49714 -> 208.91.199.223:587
Source: global traffic TCP traffic: 192.168.2.6:49714 -> 208.91.199.224:587
Source: global traffic TCP traffic: 192.168.2.6:49714 -> 208.91.199.225:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ab/wp-admin/Ztmwr.vdf HTTP/1.1Host: fotohari.kylos.plConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View IP Address: 208.91.199.225 208.91.199.225
Source: Joe Sandbox View IP Address: 208.91.199.223 208.91.199.223
Source: Joe Sandbox View IP Address: 208.91.199.224 208.91.199.224
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49714 -> 208.91.198.143:587
Source: global traffic TCP traffic: 192.168.2.6:49714 -> 208.91.199.223:587
Source: global traffic TCP traffic: 192.168.2.6:49714 -> 208.91.199.224:587
Source: global traffic TCP traffic: 192.168.2.6:49714 -> 208.91.199.225:587
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49720 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 23.40.205.49
Source: unknown TCP traffic detected without corresponding DNS query: 23.40.205.49
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /ab/wp-admin/Ztmwr.vdf HTTP/1.1Host: fotohari.kylos.plConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: fotohari.kylos.pl
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.0000000003451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000006.00000002.3397111057.0000000002241000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007351000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3394408045.0000000000412000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.0000000003451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fotohari.kylos.pl
Source: rTDN001-180424_PDF.scr.exe String found in binary or memory: https://fotohari.kylos.pl/ab/wp-admin/Ztmwr.vdf
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295537311.0000000003190000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295537311.0000000003190000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295537311.0000000003190000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295537311.0000000003190000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295537311.0000000003190000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown HTTPS traffic detected: 94.154.117.223:443 -> 192.168.2.6:49710 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.rTDN001-180424_PDF.scr.exe.36bde84.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.MSBuild.exe.410000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rTDN001-180424_PDF.scr.exe.36bde84.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: rTDN001-180424_PDF.scr.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Code function: 0_2_0731DAB0 0_2_0731DAB0
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Code function: 0_2_0730003F 0_2_0730003F
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Code function: 0_2_07300040 0_2_07300040
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Code function: 0_2_0731CF48 0_2_0731CF48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0072CC6C 6_2_0072CC6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0072A068 6_2_0072A068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0072CC60 6_2_0072CC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0072BB58 6_2_0072BB58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_008A9388 6_2_008A9388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_008A4A98 6_2_008A4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_008A9C08 6_2_008A9C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_008A3E80 6_2_008A3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_008ACEE8 6_2_008ACEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_008A41C8 6_2_008A41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0589BD08 6_2_0589BD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0589DD18 6_2_0589DD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_05893F48 6_2_05893F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_058956E0 6_2_058956E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_05890040 6_2_05890040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_05898B98 6_2_05898B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_05899AE0 6_2_05899AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_05892AF0 6_2_05892AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_05895000 6_2_05895000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_05893248 6_2_05893248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_008AD298 6_2_008AD298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_008A9C00 6_2_008A9C00
Sample file is different than original file name gathered from version info
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2320169160.0000000006410000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameYuzpxyja.dll" vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2323481881.0000000006A00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295249101.0000000001554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYuzpxyja.dll" vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295249101.000000000151E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295537311.0000000003190000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed8163914-fcd5-4b57-938b-7e2b1937f939.exe4 vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.0000000004839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYuzpxyja.dll" vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007351000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed8163914-fcd5-4b57-938b-7e2b1937f939.exe4 vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.0000000004F3A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYuzpxyja.dll" vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000000.2147923681.0000000000FC8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVhyltr.exe. vs rTDN001-180424_PDF.scr.exe
Source: rTDN001-180424_PDF.scr.exe Binary or memory string: OriginalFilenameVhyltr.exe. vs rTDN001-180424_PDF.scr.exe
Uses 32bit PE files
Source: rTDN001-180424_PDF.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.rTDN001-180424_PDF.scr.exe.36bde84.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.MSBuild.exe.410000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rTDN001-180424_PDF.scr.exe.36bde84.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.rTDN001-180424_PDF.scr.exe.5219e80.7.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.rTDN001-180424_PDF.scr.exe.5219e80.7.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rTDN001-180424_PDF.scr.exe.5219e80.7.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rTDN001-180424_PDF.scr.exe.5219e80.7.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.rTDN001-180424_PDF.scr.exe.5219e80.7.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.rTDN001-180424_PDF.scr.exe.5219e80.7.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.rTDN001-180424_PDF.scr.exe.5219e80.7.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.rTDN001-180424_PDF.scr.exe.5219e80.7.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@3/1@2/5
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rTDN001-180424_PDF.scr.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: rTDN001-180424_PDF.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rTDN001-180424_PDF.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: rTDN001-180424_PDF.scr.exe ReversingLabs: Detection: 65%
Source: unknown Process created: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe "C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe"
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: rTDN001-180424_PDF.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rTDN001-180424_PDF.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2323481881.0000000006A00000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2323481881.0000000006A00000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295537311.0000000003190000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2314314712.000000000516C000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295537311.0000000003190000.00000004.08000000.00040000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, rTDN001-180424_PDF.scr.exe, 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: rTDN001-180424_PDF.scr.exe, Program.cs .Net Code: DisplayResult System.AppDomain.Load(byte[])
Source: rTDN001-180424_PDF.scr.exe, JSONParser.cs .Net Code: ParseValue
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.rTDN001-180424_PDF.scr.exe.6a00000.13.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.rTDN001-180424_PDF.scr.exe.74a8e78.14.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.rTDN001-180424_PDF.scr.exe.74a8e78.14.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.rTDN001-180424_PDF.scr.exe.74a8e78.14.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.rTDN001-180424_PDF.scr.exe.74a8e78.14.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.rTDN001-180424_PDF.scr.exe.74a8e78.14.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.rTDN001-180424_PDF.scr.exe.5219e80.7.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.rTDN001-180424_PDF.scr.exe.5219e80.7.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.rTDN001-180424_PDF.scr.exe.5219e80.7.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.6970000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.3722cac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.3722cac.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.36bde84.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2322987527.0000000006970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2324238249.0000000007441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rTDN001-180424_PDF.scr.exe PID: 6456, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (22).png
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: rTDN001-180424_PDF.scr.exe PID: 6456, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Memory allocated: 1820000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Memory allocated: 3450000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Memory allocated: 3150000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Memory allocated: 7350000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Memory allocated: 8350000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 880000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2240000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4240000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1778 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 8074 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe TID: 2192 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe TID: 6928 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -20291418481080494s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2096 Thread sleep count: 1778 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -99891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2096 Thread sleep count: 8074 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -99766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -99641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -99528s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -99420s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -99313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -99188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -99063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -98953s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -98843s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -98734s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -98625s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -98516s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -98391s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -98279s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -98172s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -98061s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -97953s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -97844s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -97734s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -97625s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -97516s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -97391s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -97266s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -97156s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -97047s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -96938s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -96813s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -96688s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -96563s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -96453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -96343s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -96234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -96125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -96016s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -95906s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -95797s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -95688s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -95563s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -95438s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -95313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -95203s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -95094s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -94969s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -94859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -94750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -94641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -94531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2548 Thread sleep time: -94422s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99528 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99420 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98843 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98391 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98279 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98061 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97391 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97266 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 96016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 95094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 94969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 94859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 94750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 94641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 94531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 94422 Jump to behavior
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: rTDN001-180424_PDF.scr.exe, 00000000.00000002.2295249101.0000000001554000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3403466718.0000000005794000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Queries volume information: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rTDN001-180424_PDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.36bde84.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSBuild.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.36bde84.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3394408045.0000000000412000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2324238249.0000000007351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3397111057.0000000002241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rTDN001-180424_PDF.scr.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5972, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4a8ac38.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4a62c18.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4adac58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4f3acb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.6410000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.6410000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4a8ac38.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4f3acb8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4a62c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4adac58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2320169160.0000000006410000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2314314712.0000000004F3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2314314712.0000000004839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.36bde84.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSBuild.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.36bde84.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3394408045.0000000000412000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2324238249.0000000007351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3397111057.0000000002241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rTDN001-180424_PDF.scr.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5972, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.36bde84.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MSBuild.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.36bde84.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3394408045.0000000000412000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2324238249.0000000007351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295741953.000000000349A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3397111057.0000000002241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rTDN001-180424_PDF.scr.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5972, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4a8ac38.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4a62c18.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4adac58.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4f3acb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.6410000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.6410000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4a8ac38.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4f3acb8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4a62c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rTDN001-180424_PDF.scr.exe.4adac58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2320169160.0000000006410000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2314314712.0000000004F3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2314314712.0000000004839000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428898 Sample: rTDN001-180424_PDF.scr.exe Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 15 us2.smtp.mailhostbox.com 2->15 17 fp2e7a.wpc.phicdn.net 2->17 19 3 other IPs or domains 2->19 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->33 35 9 other signatures 2->35 7 rTDN001-180424_PDF.scr.exe 15 3 2->7         started        signatures3 process4 dnsIp5 21 fotohari.kylos.pl 94.154.117.223, 443, 49710 SMNT-NETPL unknown 7->21 37 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->37 11 MSBuild.exe 2 7->11         started        signatures6 process7 dnsIp8 23 us2.smtp.mailhostbox.com 208.91.198.143, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->23 25 208.91.199.223, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->25 27 2 other IPs or domains 11->27 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->39 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->41 43 Tries to steal Mail credentials (via file / registry access) 11->43 45 2 other signatures 11->45 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.91.198.143
 us2.smtp.mailhostbox.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
94.154.117.223
 fotohari.kylos.pl unknown
197892 SMNT-NETPL false
208.91.199.225
 unknown United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
208.91.199.223
 unknown United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
208.91.199.224
 unknown United States
394695 PUBLIC-DOMAIN-REGISTRYUS false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
us2.smtp.mailhostbox.com 208.91.198.143 true
fp2e7a.wpc.phicdn.net 192.229.211.108 true
fotohari.kylos.pl 94.154.117.223 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://fotohari.kylos.pl/ab/wp-admin/Ztmwr.vdf false
    		high