Windows Analysis Report
6F9vhIKqe7.exe

Overview

General Information

Sample name: 6F9vhIKqe7.exe (renamed because the original name is a hash value)
Original sample name: 7d2f772654c74a57e6023338085dcb7d1aa3a811c109eb2706aa9b92eb644295.exe
Analysis ID: 1632352
MD5: 840b677c4addbdf7f20b8811ef85e42d
SHA1: d8454ad3c32633c46f21dc68175134ea3dc38fa8
SHA256: 7d2f772654c74a57e6023338085dcb7d1aa3a811c109eb2706aa9b92eb644295
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100 (range: 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Check if machine is in data center or colocation facility
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 6F9vhIKqe7.exe (PID: 8504 cmdline: "C:\Users\user\Desktop\6F9vhIKqe7.exe" MD5: 840B677C4ADDBDF7F20B8811EF85E42D)
    • MSBuild.exe (PID: 8636 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.controlfire.com.mx", "Username": "usufffaz@controlfire.com.mx", "Password": "0a4XlE=4t8mz"}
Source | Rule | Description | Author
00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1400567927.0000000003100000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.1432950815.0000000006D1A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(12 entries in total; the first 5 are shown)

Source | Rule | Description | Author
0.2.6F9vhIKqe7.exe.6a30498.16.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.6F9vhIKqe7.exe.69b0ca6.19.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.6F9vhIKqe7.exe.69b0ca6.19.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.6F9vhIKqe7.exe.3100000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.6F9vhIKqe7.exe.3100000.0.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(15 entries in total; the first 5 are shown)

System Summary

Source: Network Connection | Author: Kiran kumar s, oscd.community | Data: DestinationIp: 208.95.112.1, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 8636, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49695
No Suricata rule has matched

AV Detection

Source: 6F9vhIKqe7.exe | Avira: detected
Source: 0.2.6F9vhIKqe7.exe.6d30138.15.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.controlfire.com.mx", "Username": "usufffaz@controlfire.com.mx", "Password": "0a4XlE=4t8mz"}
Source: 6F9vhIKqe7.exe | Virustotal: Detection: 52%
Source: 6F9vhIKqe7.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.1% probability
Source: 6F9vhIKqe7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 150.171.28.254:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: 6F9vhIKqe7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e | source: 6F9vhIKqe7.exe, 00000000.00000002.1443095881.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006CA4000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006C2C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb | source: 6F9vhIKqe7.exe, 00000000.00000002.1443095881.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006CA4000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006C2C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq | source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb | source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.184.195
Source: unknown | TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown | TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.184.195
Source: unknown | TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown | TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com
Source: MSBuild.exe, 00000001.00000002.2566778564.0000000002E73000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002E58000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: 6F9vhIKqe7.exe, 00000000.00000002.1416633460.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006D1A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002E58000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: 6F9vhIKqe7.exe, 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002E58000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 6F9vhIKqe7.exe, 00000000.00000002.1416633460.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006D1A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49675
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown | HTTPS traffic detected: 150.171.28.254:443 -> 192.168.2.5:49696 version: TLS 1.2

System Summary

Source: 0.2.6F9vhIKqe7.exe.6d30138.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.6F9vhIKqe7.exe.6d30138.15.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.6F9vhIKqe7.exe.6d30138.15.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.6F9vhIKqe7.exe.6d30138.15.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Code function: 0_2_0178D170
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Code function: 0_2_031847EE
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Code function: 0_2_0318BA30
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Code function: 0_2_03189C38
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Code function: 0_2_03183018
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Code function: 0_2_0318C758
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Code function: 0_2_0318C768
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Code function: 0_2_03189C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0148A0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0148A548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0148D980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01484A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01489D6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01483E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014841B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0148197C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_066B12E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_066B3C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_066B3548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0148DD30
Source: 6F9vhIKqe7.exe, 00000000.00000002.1427657832.0000000005C30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOjgrxvup.dll" vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1443095881.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006CA4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006C2C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1401108257.00000000032F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename924b0ba6-e74e-4c09-aebe-86b4db498070.exe4 vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1416633460.0000000004A5E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOjgrxvup.dll" vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1399328721.000000000140E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1416633460.0000000004FE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOjgrxvup.dll" vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006D1A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename924b0ba6-e74e-4c09-aebe-86b4db498070.exe4 vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe | Binary or memory string: OriginalFilenameVxgqk.exed" vs 6F9vhIKqe7.exe
Source: 6F9vhIKqe7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.6F9vhIKqe7.exe.6d30138.15.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.6F9vhIKqe7.exe.6d30138.15.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.6F9vhIKqe7.exe.6d30138.15.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.6F9vhIKqe7.exe.6d30138.15.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6F9vhIKqe7.exe, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 6F9vhIKqe7.exe, -.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6F9vhIKqe7.exe, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 0.2.6F9vhIKqe7.exe.7ca0000.22.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.6F9vhIKqe7.exe.7ca0000.22.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6F9vhIKqe7.exe.7ca0000.22.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.6F9vhIKqe7.exe.7ca0000.22.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.6F9vhIKqe7.exe.7ca0000.22.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6F9vhIKqe7.exe.7ca0000.22.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.6F9vhIKqe7.exe.7ca0000.22.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6F9vhIKqe7.exe.7ca0000.22.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: 6F9vhIKqe7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6F9vhIKqe7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MSBuild.exe, 00000001.00000002.2566778564.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 6F9vhIKqe7.exe | Virustotal: Detection: 52%
Source: 6F9vhIKqe7.exe | ReversingLabs: Detection: 57%
Source: unknown | Process created: C:\Users\user\Desktop\6F9vhIKqe7.exe "C:\Users\user\Desktop\6F9vhIKqe7.exe"
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: 6F9vhIKqe7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 6F9vhIKqe7.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: 6F9vhIKqe7.exeStatic file information: File size 79691776 > 1048576
                      Source: 6F9vhIKqe7.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x252000
                      Source: 6F9vhIKqe7.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 6F9vhIKqe7.exe, 00000000.00000002.1443095881.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006CA4000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006C2C000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 6F9vhIKqe7.exe, 00000000.00000002.1443095881.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006CA4000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006C2C000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

Source: 6F9vhIKqe7.exe, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[]) (2 identical events)
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod (2 identical events)
Source: 0.2.6F9vhIKqe7.exe.6ca4408.13.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: 0.2.6F9vhIKqe7.exe.7ca0000.22.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod (2 identical events)
Source: 0.2.6F9vhIKqe7.exe.7ca0000.22.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: 0.2.6F9vhIKqe7.exe.6abd0d8.20.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 0.2.6F9vhIKqe7.exe.6abd0d8.20.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 0.2.6F9vhIKqe7.exe.6abd0d8.20.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 0.2.6F9vhIKqe7.exe.6abd0d8.20.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 0.2.6F9vhIKqe7.exe.6abd0d8.20.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: Yara match | File source: 0.2.6F9vhIKqe7.exe.6a30498.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6F9vhIKqe7.exe.69b0ca6.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6F9vhIKqe7.exe.69b0ca6.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6F9vhIKqe7.exe.3100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6F9vhIKqe7.exe.3100000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6F9vhIKqe7.exe.6970c86.21.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6F9vhIKqe7.exe.6a30498.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6F9vhIKqe7.exe.6908a38.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1400567927.0000000003100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1432950815.00000000068A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6F9vhIKqe7.exe PID: 8504, type: MEMORYSTR
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Code function: 0_2_0318C470 push esp; retf 0_2_0318C471
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Code function: 0_2_0318C4C8 pushfd ; retf 0_2_0318C4C9
Source: 0.2.6F9vhIKqe7.exe.5c30000.8.raw.unpack, kADGChkmPPHm8aIZdLi.cs | High entropy of concatenated method names: 'JUaksGW0Me', 'cq2kWe0YWJ', 'MQEkgPZY9J', 'dEhkVsDfPx', 'MC3kfQqptl', 'yZjkxGrTPq', 'afjkLVqnt2', 'rfBkDgng9b', 'wFkkuAxKp7', 'jtJkHmiUBM'
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Process information set: NOOPENFILEERRORBOX (38 identical events)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX (54 identical events)
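The "High entropy of concatenated method names" finding above is a static heuristic that can be reproduced on any decompiled type, not only on this sample. The following is an added example (not Joe Sandbox code, and not from the sample) that applies two measures to the ten method names the report lists for kADGChkmPPHm8aIZdLi.cs and to a comparison set built from the readable protobuf-net and TaskScheduler method names the report also cites: Shannon entropy of the concatenated names, which is the measure the finding names, and the rate of upper/lower/digit class changes between adjacent characters, which separates generated names from ordinary CamelCase. The thresholds in `looks_obfuscated` are this example's own assumptions, not values published by the sandbox.

```python
"""Method-name entropy heuristic for spotting renamed (obfuscated) .NET types.
Added example; the obfuscated names are copied from the report, the readable
set and the thresholds are constructed for comparison."""
import math

# Copied from the finding on kADGChkmPPHm8aIZdLi.cs.
OBFUSCATED_NAMES = ['JUaksGW0Me', 'cq2kWe0YWJ', 'MQEkgPZY9J', 'dEhkVsDfPx',
                    'MC3kfQqptl', 'yZjkxGrTPq', 'afjkLVqnt2', 'rfBkDgng9b',
                    'wFkkuAxKp7', 'jtJkHmiUBM']
# Constructed comparison set: readable names the report lists for the embedded
# protobuf-net / TaskScheduler code (ReflectionHelper.cs, TypeSerializer.cs, ...).
READABLE_NAMES = ['InvokeMethod', 'ReadObjectProperties', 'TryDeserializeList',
                  'CreateInstance', 'EmitCreateInstance', 'EmitCreateIfNull', 'Read']


def shannon_entropy(text: str) -> float:
    """Bits per character of the character distribution of `text`."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def method_name_entropy(names) -> float:
    """Entropy of the concatenated names: the measure the sandbox finding reports."""
    return shannon_entropy("".join(names))


def _char_class(ch: str) -> str:
    if ch.isupper():
        return "U"
    if ch.islower():
        return "l"
    if ch.isdigit():
        return "d"
    return "o"


def case_transition_rate(names) -> float:
    """Fraction of adjacent character pairs whose class (upper/lower/digit) changes.
    Generated names such as 'cq2kWe0YWJ' change class almost every character;
    CamelCase identifiers change only at word boundaries."""
    transitions = pairs = 0
    for name in names:
        for a, b in zip(name, name[1:]):
            pairs += 1
            transitions += _char_class(a) != _char_class(b)
    return transitions / pairs if pairs else 0.0


def looks_obfuscated(names, entropy_threshold=4.9, transition_threshold=0.45) -> bool:
    """Assumed thresholds (not from the report): flag a type when both the
    entropy and the class-transition rate of its method names are high."""
    return (method_name_entropy(names) >= entropy_threshold
            and case_transition_rate(names) >= transition_threshold)


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("readable", READABLE_NAMES)):
        print(f"{label:10s} entropy={method_name_entropy(names):.2f} "
              f"transitions={case_transition_rate(names):.2f} "
              f"flag={looks_obfuscated(names)}")
```

Entropy alone is a weak signal on short identifier lists (a handful of long CamelCase names can score close to 4.5 bits), which is why the second measure is combined with it; on the report's names the two agree, with the obfuscated set scoring above 5 bits and changing character class on more than half of all adjacent pairs.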

                      Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: 6F9vhIKqe7.exe PID: 8504, type: MEMORYSTR
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: 6F9vhIKqe7.exe, 00000000.00000002.1416633460.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006D1A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002E73000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Memory allocated: 1740000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Memory allocated: 31D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Memory allocated: 3100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Memory allocated: 68A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Memory allocated: 6000000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 1480000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2D90000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 4D90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: MSBuild.exe, 00000001.00000002.2566778564.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: MSBuild.exe, 00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
Source: 6F9vhIKqe7.exe, 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q 1:en-CH:Microsoft|VMWare|Virtual
Source: 6F9vhIKqe7.exe, 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: 6F9vhIKqe7.exe, 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: 6F9vhIKqe7.exe, 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Microsoft|VMWare|Virtual
Source: MSBuild.exe, 00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBox
Source: MSBuild.exe, 00000001.00000002.2564946004.00000000010FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Process token adjusted: Debug (2 identical events)
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Queries volume information: C:\Users\user\Desktop\6F9vhIKqe7.exe VolumeInformation
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\6F9vhIKqe7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
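The evasion section above records four behaviours that are easy to turn into host and network detections: the dropper launching MSBuild.exe with no project file on the command line, both processes enumerating VM-fingerprint WMI classes (Win32_BIOS, Win32_BaseBoard, Win32_VideoController, Win32_ComputerSystem, Win32_Processor, Win32_NetworkAdapterConfiguration), the injected MSBuild.exe requesting ip-api.com/line/?fields=hosting to learn whether it is running in a data centre, and that request carrying no User-Agent header. The following is an added example (not Joe Sandbox's or any vendor's rule set) that scores these indicators over constructed Sysmon-style events; the events mirror the report's process names and queries but are made up, not captured, two legitimate build events are included to check for false positives, and the rule names, the allow-list of expected MSBuild parents and the WMI-class threshold are this example's own assumptions.

```python
"""Behavioural rules for the sandbox-evasion indicators in the report, run over
constructed telemetry. Added example; events are made up to mirror the report,
rule names and the BUILD_PARENTS allow-list are assumptions."""
import re
from collections import defaultdict

MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE = r"C:\Users\user\Desktop\6F9vhIKqe7.exe"
DEVENV = r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"

# Constructed Sysmon-style events. The first seven mirror the report; the last
# two are a legitimate Visual Studio build and must not fire any rule.
EVENTS = [
    {"type": "process_create", "image": MSBUILD, "parent_image": SAMPLE,
     "cmdline": f'"{MSBUILD}"'},
    {"type": "wmi_query", "image": SAMPLE, "query": "select * from Win32_BIOS"},
    {"type": "wmi_query", "image": SAMPLE, "query": "select * from Win32_ComputerSystem"},
    {"type": "wmi_query", "image": MSBUILD, "query": "SELECT * FROM Win32_VideoController"},
    {"type": "wmi_query", "image": MSBUILD, "query": "Win32_BaseBoard"},
    {"type": "wmi_query", "image": MSBUILD, "query": "Win32_NetworkAdapterConfiguration"},
    {"type": "http", "image": MSBUILD, "method": "GET", "host": "ip-api.com",
     "uri": "/line/?fields=hosting", "user_agent": ""},
    {"type": "process_create", "image": MSBUILD, "parent_image": DEVENV,
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"type": "http", "image": DEVENV, "method": "GET", "host": "api.nuget.org",
     "uri": "/v3/index.json", "user_agent": "NuGet Client V3/6.0"},
]

# WMI classes the report shows being queried to fingerprint the host.
VM_FINGERPRINT_CLASSES = {
    "win32_bios", "win32_baseboard", "win32_videocontroller", "win32_computersystem",
    "win32_processor", "win32_networkadapter", "win32_networkadapterconfiguration",
}
# Parents from which an MSBuild launch is expected (assumed allow-list; tune per estate).
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
PROJECT_ARG = re.compile(r"\.(?:[a-z]*proj|sln|targets)\b", re.IGNORECASE)
WMI_CLASS = re.compile(r"Win32_\w+", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, wmi_threshold: int = 2):
    """Return a list of (rule, image) alerts. WMI classes are aggregated per
    process so a lone Win32_ComputerSystem lookup does not fire on its own."""
    alerts = []
    wmi_classes = defaultdict(set)
    for ev in events:
        img = ev["image"]
        if ev["type"] == "process_create" and basename(img) == "msbuild.exe":
            # MSBuild started with no project/solution argument by something that is
            # not a build tool: the parent/child pair recorded in "Process created" above.
            if (not PROJECT_ARG.search(ev["cmdline"])
                    and basename(ev["parent_image"]) not in BUILD_PARENTS):
                alerts.append(("msbuild_without_project", img))
        elif ev["type"] == "wmi_query":
            for cls in WMI_CLASS.findall(ev["query"]):
                if cls.lower() in VM_FINGERPRINT_CLASSES:
                    wmi_classes[img].add(cls.lower())
        elif ev["type"] == "http":
            if ev["host"].lower() == "ip-api.com" and "hosting" in ev["uri"].lower():
                alerts.append(("hosting_check_ip_api", img))  # data-centre / colocation check
            if basename(img) == "msbuild.exe":
                alerts.append(("msbuild_network_activity", img))  # a build tool has no reason to talk to the internet
            if not ev.get("user_agent"):
                alerts.append(("http_without_user_agent", img))
    for img, classes in wmi_classes.items():
        if len(classes) >= wmi_threshold:
            alerts.append(("vm_fingerprint_wmi", img))
    return alerts


if __name__ == "__main__":
    for rule, image in detect(EVENTS):
        print(f"{rule:26s} {image}")
```

On the constructed events the dropper fires only the WMI rule while the injected MSBuild.exe fires every rule, which matches how the report splits the indicators between the two processes; the Visual Studio build trips nothing because its MSBuild has a .csproj argument and a build-tool parent, and its NuGet request carries a User-Agent and goes elsewhere than ip-api.com.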

                      Stealing of Sensitive Information

Source: Yara match; File source: 0.2.6F9vhIKqe7.exe.6d30138.15.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6F9vhIKqe7.exe.6d30138.15.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1432950815.0000000006D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1416633460.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 6F9vhIKqe7.exe PID: 8504, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 8636, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 0.2.6F9vhIKqe7.exe.6d30138.15.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6F9vhIKqe7.exe.6d30138.15.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1432950815.0000000006D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2566778564.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1416633460.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 6F9vhIKqe7.exe PID: 8504, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 8636, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match; File source: 0.2.6F9vhIKqe7.exe.6d30138.15.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6F9vhIKqe7.exe.6d30138.15.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1432950815.0000000006D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1416633460.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 6F9vhIKqe7.exe PID: 8504, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 8636, type: MEMORYSTR
MITRE ATT&CK matrix (a number preceding a technique is the report's match count for that technique; techniques without a number were not observed):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 231 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 24 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 431 Security Software Discovery | Remote Services | 1 Email Collection | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 24 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 34 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

Source | Detection | Scanner | Label
6F9vhIKqe7.exe | 53% | Virustotal |
6F9vhIKqe7.exe | 58% | ReversingLabs | Win32.Trojan.CrypterX
6F9vhIKqe7.exe | 100% | Avira | TR/AVI.Crypt.dzcps
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ax-9999.ax-msedge.net | 150.171.28.254 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
ax-0001.ax-msedge.net | 150.171.28.10 | true | false | | high
c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/mgravell/protobuf-net | 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-neti | 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | 6F9vhIKqe7.exe, 00000000.00000002.1416633460.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006D1A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-netJ | 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 6F9vhIKqe7.exe, 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002E58000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1429390441.0000000005EA0000.00000004.08000000.00040000.00000000.sdmp, 6F9vhIKqe7.exe, 00000000.00000002.1432950815.0000000006B0D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | MSBuild.exe, 00000001.00000002.2566778564.0000000002E73000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002E58000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2566778564.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                                                  Joe Sandbox version:42.0.0 Malachite
                                                  Analysis ID:1632352
                                                  Start date and time:2025-03-07 22:45:27 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 6m 30s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:6F9vhIKqe7.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name:7d2f772654c74a57e6023338085dcb7d1aa3a811c109eb2706aa9b92eb644295.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@3/0@2/1
                                                  EGA Information:
                                                  • Successful, ratio: 50%
                                                  HCA Information:
                                                  • Successful, ratio: 99%
                                                  • Number of executed functions: 189
                                                  • Number of non-executed functions: 5
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe
                                                  • Excluded IPs from analysis (whitelisted): 23.60.203.209, 150.171.28.10
                                                  • Excluded domains from analysis (whitelisted): ax-ring.msedge.net, fs.microsoft.com, e16604.f.akamaiedge.net, g.bing.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
                                                  • Execution Graph export aborted for target 6F9vhIKqe7.exe, PID 8504 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  No simulations
Match: 208.95.112.1
Associated Sample Name / URL | Detection | Threat Name | Context
DTDIQeKJCa.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
3mak9EFhpc.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
4Rw4BiuuHw.exe | malicious | PureLog Stealer, zgRAT | ip-api.com/json/
Tq83mUI1kN.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
X0Ac1AslUL.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
U6llI4APmm.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
uolmaTGkHh.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
VoaY6Clwfh.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
TMAPF0DIuM.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
file.exe | malicious | Python Stealer, Blank Grabber | ip-api.com/json/?fields=225545
Match: ax-9999.ax-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
OmPzU0Hl9J.exe | malicious | Unknown | 150.171.27.254

Match: ip-api.com
Associated Sample Name / URL | Detection | Threat Name | Context
DTDIQeKJCa.exe | malicious | AgentTesla | 208.95.112.1
https://www.dottedsign.com/task?code=eyJhbGciOiJIUzUxMiJ9.eyJ0YXNrX2lkIjozNDU1ODM1LCJmaWxlX2lkIjoyMjU3NDQ4Mywic2lnbl9maWxlX2lkIjoyMzE3NTY1OCwic3RhZ2VfaWQiOjQ3MjQ2MTcsImVtYWlsIjoidmZhcmlhc0B3ZXN0bGFrZS5jb20iLCJleHBpcmVkX2F0IjoxNzQxNTUzNDgzfQ.HzZLgMMxAZSV_iVgO--XdcSNVOvVCdiCg8S3aUWMChplsdtgyqOWKyJi3vwVbeBh99sm9EHWsNwj41IZdYNjWA | malicious | Unknown | 51.77.64.70
3mak9EFhpc.exe | malicious | AgentTesla | 208.95.112.1
4Rw4BiuuHw.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
Tq83mUI1kN.exe | malicious | AgentTesla | 208.95.112.1
X0Ac1AslUL.exe | malicious | AgentTesla | 208.95.112.1
U6llI4APmm.exe | malicious | AgentTesla | 208.95.112.1
uolmaTGkHh.exe | malicious | AgentTesla | 208.95.112.1
VoaY6Clwfh.exe | malicious | AgentTesla | 208.95.112.1
TMAPF0DIuM.exe | malicious | AgentTesla | 208.95.112.1

Match: ax-0001.ax-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
jki-dragon-release-online-setup.exe | malicious | Unknown | 150.171.27.10
https://www.dottedsign.com/task?code=eyJhbGciOiJIUzUxMiJ9.eyJ0YXNrX2lkIjozNDU1ODM1LCJmaWxlX2lkIjoyMjU3NDQ4Mywic2lnbl9maWxlX2lkIjoyMzE3NTY1OCwic3RhZ2VfaWQiOjQ3MjQ2MTcsImVtYWlsIjoidmZhcmlhc0B3ZXN0bGFrZS5jb20iLCJleHBpcmVkX2F0IjoxNzQxNTUzNDgzfQ.HzZLgMMxAZSV_iVgO--XdcSNVOvVCdiCg8S3aUWMChplsdtgyqOWKyJi3vwVbeBh99sm9EHWsNwj41IZdYNjWA | malicious | Unknown | 150.171.28.10
3mak9EFhpc.exe | malicious | AgentTesla | 150.171.27.10
AyciQgru1X.exe | malicious | Remcos | 150.171.27.10
RRnrA9tJoD.exe | malicious | GuLoader | 150.171.28.10
file.exe | malicious | Vidar | 150.171.28.10
ADFoyxP.exe | malicious | Unknown | 150.171.28.10
https://www.cake.me/s--6UFs8h4LqTXxVNSd0lsitA--/jay-stafford | malicious | Unknown | 150.171.27.10
ADFoyxP.exe | malicious | KeyLogger, StormKitty, VenomRAT | 150.171.28.10
MouseSpeedSetup64.exe | malicious | Unknown | 150.171.27.10
Match: TUT-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
DTDIQeKJCa.exe | malicious | AgentTesla | 208.95.112.1
3mak9EFhpc.exe | malicious | AgentTesla | 208.95.112.1
4Rw4BiuuHw.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
Tq83mUI1kN.exe | malicious | AgentTesla | 208.95.112.1
X0Ac1AslUL.exe | malicious | AgentTesla | 208.95.112.1
U6llI4APmm.exe | malicious | AgentTesla | 208.95.112.1
uolmaTGkHh.exe | malicious | AgentTesla | 208.95.112.1
VoaY6Clwfh.exe | malicious | AgentTesla | 208.95.112.1
TMAPF0DIuM.exe | malicious | AgentTesla | 208.95.112.1
file.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
Match: 28a2c9bd18a11de089ef85a160da29e4
Associated Sample Name / URL | Detection | Threat Name | Context
Play_Voicemail_Transcription._(387.KB).svg | malicious | HTMLPhisher | 150.171.28.254
SecuriteInfo.com.FileRepMalware.23820.12149.exe | malicious | Strela Stealer | 150.171.28.254
Launcher.exe | malicious | Growtopia, Phoenix Stealer | 150.171.28.254
http://questdagnostics.com/bill | malicious | Unknown | 150.171.28.254
SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe | malicious | Vidar | 150.171.28.254
https://securefile395.outgrow.us/securefile395-9 | malicious | HTMLPhisher | 150.171.28.254
capt1cha.exe | malicious | Unknown | 150.171.28.254
NEW__Review_202591760.svg | malicious | Invisible JS | 150.171.28.254
SecuriteInfo.com.Win32.RATX-gen.5196.22979.exe | malicious | XWorm | 150.171.28.254
https://www.logisticsacp.com/ | malicious | Unknown | 150.171.28.254
                                                  No context
                                                  No created / dropped files found
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):0.45260238722757307
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:6F9vhIKqe7.exe
                                                  File size:79'691'776 bytes
                                                  MD5:840b677c4addbdf7f20b8811ef85e42d
                                                  SHA1:d8454ad3c32633c46f21dc68175134ea3dc38fa8
                                                  SHA256:7d2f772654c74a57e6023338085dcb7d1aa3a811c109eb2706aa9b92eb644295
                                                  SHA512:f488ade156a00c245b4921800cdbed70816ea13f1e5159bad7d84745717351aca821bdcf89368cd2424e719676a48af05400bb91576cdc31782e5a5a2925d1f4
                                                  SSDEEP:49152:+WHelJ336kt19Poicrocj2NncUGFV36Cggx3/R/dlFoq3qK4fO53ge3x:IJn6ktLPijjEnZJuvRFDNqVfewe
                                                  TLSH:CC081282E6C5B15FCC5E4634E75BDBB64B389AC27F82879E0B443A285C23B0944D6DC7
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................. %..........?%.. ...@%...@.. ....................... (...........`................................
                                                  Icon Hash:39199c4e42c9d93c
                                                  Entrypoint:0x653f92
                                                  Entrypoint Section:.text
                                                  Digitally signed:true
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x67ABCC9E [Tue Feb 11 22:18:06 2025 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Signature Valid:
                                                  Signature Issuer:
                                                  Signature Validation Error:
                                                  Error Number:
                                                  Not Before, Not After
                                                    Subject Chain
                                                      Version:
                                                      Thumbprint MD5:
                                                      Thumbprint SHA-1:
                                                      Thumbprint SHA-256:
                                                      Serial:
                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add al, 00h
                                                      add eax, dword ptr [eax]
                                                      add byte ptr [eax], al
                                                      xor byte ptr [eax], al
                                                      add byte ptr [eax+0000000Eh], al
                                                      add ebp, dword ptr [edx+00108002h]
                                                      add byte ptr [eax], al
                                                      in eax, dx
                                                      stosb
                                                      add al, byte ptr [eax+00000018h]
                                                      cmp eax, 008002AFh
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax+eax], cl
                                                      add dword ptr [eax], eax
                                                      add byte ptr [eax], al
                                                      mov al, byte ptr [02800000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [edi+03800075h], cl
                                                      add byte ptr [eax], al
                                                      add byte ptr [ebx+0Ah], bl
                                                      add dword ptr [eax+00000004h], eax
                                                       Name                                  Virtual Address         Virtual Size  Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT          0x0                     0x0
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT          0x253f48                0x4a          .text
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0x254000                0x2b163       .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0                     0x0
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY        0x27d600 (file offset)  0x2f78
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0x280000                0xc           .reloc
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG           0x0                     0x0
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0                     0x0
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0                     0x0
                                                       IMAGE_DIRECTORY_ENTRY_TLS             0x0                     0x0
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0                     0x0
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0                     0x0
                                                       IMAGE_DIRECTORY_ENTRY_IAT             0x2000                  0x8           .text
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0                     0x0
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008                  0x48          .text
                                                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0                     0x0
                                                       (The SECURITY entry is the one data directory whose address is a raw file offset rather than an RVA, which is why it is not attributed to any section: the Authenticode certificate table is never mapped.)
                                                       Section:.text
                                                       Virtual Address:0x2000
                                                       Virtual Size:0x251f98
                                                       Raw Size:0x252000
                                                       MD5:8e7138842861cfec3d265baded25c4f3
                                                       Xored PE:unknown
                                                       ZLIB Complexity:unknown
                                                       File Type:unknown
                                                       Entropy:unknown
                                                       Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

                                                       Section:.rsrc
                                                       Virtual Address:0x254000
                                                       Virtual Size:0x2b163
                                                       Raw Size:0x2b200
                                                       MD5:7ae81caa149e669d9f357849b957cdff
                                                       Xored PE:False
                                                       ZLIB Complexity:0.32939311594202897
                                                       File Type:data
                                                       Entropy:5.633722861069778
                                                       Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                       Section:.reloc
                                                       Virtual Address:0x280000
                                                       Virtual Size:0xc
                                                       Raw Size:0x200
                                                       MD5:142ea5ba59e755da87b5ed6803c96e3f
                                                       Xored PE:False
                                                       ZLIB Complexity:0.044921875
                                                       File Type:MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "%" (a file-type heuristic tripping over 0xc bytes of relocation data; not meaningful)
                                                       Entropy:0.10191042566270775
                                                       Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                       Name           RVA       Size    Type                                                                                ZLIB Complexity
                                                       RT_ICON        0x2540c4  0x74cb  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                         0.9987290544834275
                                                       RT_ICON        0x25b5b3  0x94a8  Device independent bitmap graphic, 96 x 192 x 32, image size 0                      0.1602112676056338
                                                       RT_ICON        0x264a7f  0x67e8  Device independent bitmap graphic, 80 x 160 x 32, image size 0                      0.1848872180451128
                                                       RT_ICON        0x26b28b  0x5488  Device independent bitmap graphic, 72 x 144 x 32, image size 0                      0.1996765249537893
                                                       RT_ICON        0x270737  0x4228  Device independent bitmap graphic, 64 x 128 x 32, image size 0                      0.2081955597543694
                                                       RT_ICON        0x274983  0x3a48  Device independent bitmap graphic, 60 x 120 x 32, image size 0                      0.21648793565683647
                                                       RT_ICON        0x2783ef  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0                       0.2550829875518672
                                                       RT_ICON        0x27a9bb  0x1a68  Device independent bitmap graphic, 40 x 80 x 32, image size 0                       0.29659763313609466
                                                       RT_ICON        0x27c447  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0                       0.3405253283302064
                                                       RT_ICON        0x27d513  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0                       0.4385245901639344
                                                       RT_ICON        0x27debf  0x6b8   Device independent bitmap graphic, 20 x 40 x 32, image size 0                       0.5337209302325582
                                                       RT_ICON        0x27e59b  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0                       0.625886524822695
                                                       RT_GROUP_ICON  0x27ea3f  0xae    data                                                                                0.7298850574712644
                                                       RT_VERSION     0x27eb29  0x414   data                                                                                0.40325670498084293
                                                       RT_MANIFEST    0x27ef79  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  0.5489795918367347
                                                       DLL          Import
                                                       mscoree.dll  _CorExeMain
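The static tables above give the section table, the data directories, the entry point and the total file size but never add them up. Doing so answers two questions a triager asks of a 79 MB sample with a 2.4 MB .text section: where does the PE image actually end on disk, and is the native entry point the ordinary CLR stub. The script below is added analysis code, not part of the Joe Sandbox report; every number in it is copied from the tables above, except the raw file offsets, which the report does not print and which are derived under the assumption of a 0x200 FileAlignment and a 0x200-byte header block (the usual values for a 32-bit .NET image). The check that the computed end of .reloc coincides with the reported SECURITY directory offset is what validates that assumption.

```python
"""Reconstruct the on-disk layout of 6F9vhIKqe7.exe from the report's header
values and derive what the tables leave implicit: the end of the PE image,
the size of the unreferenced overlay after the Authenticode blob, and whether
the entry point is the standard managed-code stub.  Added analysis code, not
part of the Joe Sandbox report.  Raw offsets are ASSUMED from a 0x200 file
alignment and a 0x200-byte header block, which the report does not state."""
from dataclasses import dataclass

IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x653f92
FILE_SIZE = 79_691_776               # "File size" in the report
FILE_ALIGNMENT = 0x200               # assumption (not in the report)
HEADERS_RAW_SIZE = 0x200             # assumption (not in the report)
SECURITY_DIR = (0x27d600, 0x2f78)    # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset, size
IAT_DIR_RVA = 0x2000                 # IMAGE_DIRECTORY_ENTRY_IAT
JMP_TARGET_VA = 0x402000             # "jmp dword ptr [00402000h]" at the entry point


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int


# Section table as reported (VA, virtual size, raw size).
SECTIONS = [
    Section(".text", 0x2000, 0x251f98, 0x252000),
    Section(".rsrc", 0x254000, 0x2b163, 0x2b200),
    Section(".reloc", 0x280000, 0xc, 0x200),
]


def raw_layout(sections=SECTIONS):
    """Assign (start, end) file offsets to sections in table order: headers
    first, then each section's raw data directly after the previous one."""
    offset = HEADERS_RAW_SIZE
    layout = {}
    for s in sections:
        assert s.raw_size % FILE_ALIGNMENT == 0, s.name
        layout[s.name] = (offset, offset + s.raw_size)
        offset += s.raw_size
    return layout


def pe_end_on_disk(sections=SECTIONS):
    """Last byte covered by PE structures: the end of the certificate table,
    which the linker places directly after the last section's raw data."""
    last_section_end = max(end for _, end in raw_layout(sections).values())
    sec_off, sec_size = SECURITY_DIR
    # If the certificate table does not start exactly where section data
    # ends, the assumed alignment/header size is wrong: stop rather than
    # report a bogus overlay size.
    assert sec_off == last_section_end, hex(last_section_end)
    return sec_off + sec_size


def overlay_size():
    """Bytes after the certificate table.  No header references them and the
    loader never maps them; they only inflate the file."""
    return FILE_SIZE - pe_end_on_disk()


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s.name
    return None


def entry_point_is_clr_stub():
    """True when the entry point lies in .text and its first instruction jumps
    through the IAT slot, i.e. the 6-byte native stub that hands control to
    mscoree!_CorExeMain in every 32-bit .NET executable."""
    ep_rva = ENTRY_POINT_VA - IMAGE_BASE
    return (section_for_rva(ep_rva) == ".text"
            and JMP_TARGET_VA - IMAGE_BASE == IAT_DIR_RVA)


if __name__ == "__main__":
    for name, (start, end) in raw_layout().items():
        print(f"{name:7s} raw 0x{start:x}-0x{end:x}")
    print(f"PE data ends at 0x{pe_end_on_disk():x}; overlay = {overlay_size():,} bytes "
          f"({overlay_size() * 100 / FILE_SIZE:.1f}% of the file)")
    print("managed entry stub:", entry_point_is_clr_stub())
```

With the reported values the sections and certificate table account for 0x280578 bytes, so roughly 77 MB of the 79 MB file is overlay that no PE structure references. The report does not say what those bytes are; the point of the calculation is that the analysable image is small and that anything of interest in the remaining bulk has to be reached by the program itself, not by the loader. The `jmp dword ptr [00402000h]` at the entry point resolves to the IAT, whose single entry is `mscoree.dll!_CorExeMain`, so the padding bytes that follow it in the disassembly are exactly what a .NET image looks like there and carry no native logic.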
                                                       TCP packets
                                                       Timestamp                           Source Port  Dest Port  Source IP       Dest IP
                                                       Mar 7, 2025 22:46:17.075386047 CET  49676        443        192.168.2.5     20.189.173.14
                                                       Mar 7, 2025 22:46:17.383723974 CET  49676        443        192.168.2.5     20.189.173.14
                                                       Mar 7, 2025 22:46:17.993304968 CET  49676        443        192.168.2.5     20.189.173.14
                                                       Mar 7, 2025 22:46:18.031102896 CET  49672        443        192.168.2.5     204.79.197.203
                                                       Mar 7, 2025 22:46:19.197962046 CET  49676        443        192.168.2.5     20.189.173.14
                                                       Mar 7, 2025 22:46:21.602503061 CET  49676        443        192.168.2.5     20.189.173.14
                                                       Mar 7, 2025 22:46:26.415003061 CET  49676        443        192.168.2.5     20.189.173.14
                                                       Mar 7, 2025 22:46:27.633841038 CET  49672        443        192.168.2.5     204.79.197.203
                                                       Mar 7, 2025 22:46:30.536252022 CET  49695        80         192.168.2.5     208.95.112.1
                                                       Mar 7, 2025 22:46:30.541300058 CET  80           49695      208.95.112.1    192.168.2.5
                                                       Mar 7, 2025 22:46:30.541384935 CET  49695        80         192.168.2.5     208.95.112.1
                                                       Mar 7, 2025 22:46:30.542041063 CET  49695        80         192.168.2.5     208.95.112.1
                                                       Mar 7, 2025 22:46:30.547044992 CET  80           49695      208.95.112.1    192.168.2.5
                                                       Mar 7, 2025 22:46:31.013248920 CET  80           49695      208.95.112.1    192.168.2.5
                                                       Mar 7, 2025 22:46:31.055715084 CET  49695        80         192.168.2.5     208.95.112.1
                                                       Mar 7, 2025 22:46:35.177428961 CET  49675        443        192.168.2.5     2.23.227.208
                                                       Mar 7, 2025 22:46:35.177490950 CET  443          49675      2.23.227.208    192.168.2.5
                                                       Mar 7, 2025 22:46:35.225286007 CET  49696        443        192.168.2.5     150.171.28.254
                                                       Mar 7, 2025 22:46:35.225337982 CET  443          49696      150.171.28.254  192.168.2.5
                                                       Mar 7, 2025 22:46:35.225438118 CET  49696        443        192.168.2.5     150.171.28.254
                                                       Mar 7, 2025 22:46:35.226181984 CET  49696        443        192.168.2.5     150.171.28.254
                                                       Mar 7, 2025 22:46:35.226198912 CET  443          49696      150.171.28.254  192.168.2.5
                                                       Mar 7, 2025 22:46:36.024508953 CET  49676        443        192.168.2.5     20.189.173.14
                                                       Mar 7, 2025 22:46:37.648504972 CET  443          49696      150.171.28.254  192.168.2.5
                                                       Mar 7, 2025 22:46:37.648574114 CET  49696        443        192.168.2.5     150.171.28.254
                                                       Mar 7, 2025 22:47:06.921910048 CET  49684        443        192.168.2.5     2.23.227.208
                                                       Mar 7, 2025 22:47:09.149717093 CET  49689        80         192.168.2.5     142.250.184.195
                                                       Mar 7, 2025 22:47:09.150027990 CET  49687        80         192.168.2.5     2.16.100.168
                                                       Mar 7, 2025 22:47:09.150197029 CET  49688        80         192.168.2.5     2.16.100.168
                                                       Mar 7, 2025 22:47:09.155791998 CET  80           49689      142.250.184.195 192.168.2.5
                                                       Mar 7, 2025 22:47:09.155811071 CET  80           49687      2.16.100.168    192.168.2.5
                                                       Mar 7, 2025 22:47:09.155823946 CET  80           49688      2.16.100.168    192.168.2.5
                                                       Mar 7, 2025 22:47:09.155864000 CET  49689        80         192.168.2.5     142.250.184.195
                                                       Mar 7, 2025 22:47:09.155884981 CET  49687        80         192.168.2.5     2.16.100.168
                                                       Mar 7, 2025 22:47:09.155921936 CET  49688        80         192.168.2.5     2.16.100.168
                                                       Mar 7, 2025 22:47:47.648943901 CET  80           49695      208.95.112.1    192.168.2.5
                                                       Mar 7, 2025 22:47:47.649003983 CET  49695        80         192.168.2.5     208.95.112.1
                                                       Mar 7, 2025 22:48:11.025803089 CET  49695        80         192.168.2.5     208.95.112.1
                                                       Mar 7, 2025 22:48:11.031054020 CET  80           49695      208.95.112.1    192.168.2.5
                                                       UDP packets
                                                       Timestamp                           Source Port  Dest Port  Source IP    Dest IP
                                                       Mar 7, 2025 22:46:30.522623062 CET  55598        53         192.168.2.5  1.1.1.1
                                                       Mar 7, 2025 22:46:30.530777931 CET  53           55598      1.1.1.1      192.168.2.5
                                                       Mar 7, 2025 22:46:35.177781105 CET  57872        53         192.168.2.5  1.1.1.1
                                                       Mar 7, 2025 22:46:35.196623087 CET  53           57872      1.1.1.1      192.168.2.5
                                                       Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                                                    Type            Class        DNS over HTTPS
                                                       Mar 7, 2025 22:46:30.522623062 CET  192.168.2.5  1.1.1.1  0x4a52    Standard query (0)  ip-api.com                                              A (IP address)  IN (0x0001)  false
                                                       Mar 7, 2025 22:46:35.177781105 CET  192.168.2.5  1.1.1.1  0xff9     Standard query (0)  c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com  A (IP address)  IN (0x0001)  false
                                                       Timestamp                           Source IP  Dest IP      Trans ID  Reply Code      Name                                                    CName                  Address         Type                    Class        DNS over HTTPS
                                                       Mar 7, 2025 22:46:30.530777931 CET  1.1.1.1    192.168.2.5  0x4a52    No error (0)    ip-api.com                                              -                      208.95.112.1    A (IP address)          IN (0x0001)  false
                                                       Mar 7, 2025 22:46:35.196623087 CET  1.1.1.1    192.168.2.5  0xff9     Name error (3)  c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com  none                   none            A (IP address)          IN (0x0001)  false
                                                       Mar 7, 2025 22:46:35.224077940 CET  1.1.1.1    192.168.2.5  0x41b2    No error (0)    ax-ring.ax-9999.ax-msedge.net                           ax-9999.ax-msedge.net  -               CNAME (Canonical name)  IN (0x0001)  false
                                                       Mar 7, 2025 22:46:35.224077940 CET  1.1.1.1    192.168.2.5  0x41b2    No error (0)    ax-9999.ax-msedge.net                                   -                      150.171.28.254  A (IP address)          IN (0x0001)  false
                                                       Mar 7, 2025 22:46:35.224077940 CET  1.1.1.1    192.168.2.5  0x41b2    No error (0)    ax-9999.ax-msedge.net                                   -                      150.171.27.254  A (IP address)          IN (0x0001)  false
                                                       Mar 7, 2025 22:46:38.384026051 CET  1.1.1.1    192.168.2.5  0x93a0    No error (0)    g-bing-com.ax-0001.ax-msedge.net                        ax-0001.ax-msedge.net  -               CNAME (Canonical name)  IN (0x0001)  false
                                                       Mar 7, 2025 22:46:38.384026051 CET  1.1.1.1    192.168.2.5  0x93a0    No error (0)    ax-0001.ax-msedge.net                                   -                      150.171.28.10   A (IP address)          IN (0x0001)  false
                                                       Mar 7, 2025 22:46:38.384026051 CET  1.1.1.1    192.168.2.5  0x93a0    No error (0)    ax-0001.ax-msedge.net                                   -                      150.171.27.10   A (IP address)          IN (0x0001)  false
                                                      • ip-api.com
                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                       0           192.168.2.5  49695        208.95.112.1    80                8636  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                       Timestamp                           Bytes transferred  Direction  Data
                                                       Mar 7, 2025 22:46:30.542041063 CET  80                 OUT        GET /line/?fields=hosting HTTP/1.1
                                                                                                                         Host: ip-api.com
                                                                                                                         Connection: Keep-Alive
                                                       Mar 7, 2025 22:46:31.013248920 CET  175                IN         HTTP/1.1 200 OK
                                                                                                                         Date: Fri, 07 Mar 2025 21:46:30 GMT
                                                                                                                         Content-Type: text/plain; charset=utf-8
                                                                                                                         Content-Length: 6
                                                                                                                         Access-Control-Allow-Origin: *
                                                                                                                         X-Ttl: 60
                                                                                                                         X-Rl: 44
                                                                                                                         Data Raw: 66 61 6c 73 65 0a
                                                                                                                         Data Ascii: false
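The one HTTP session in the capture is the evidence behind three of the report's signatures: the request carries no User-Agent, it asks ip-api.com only for the `hosting` field (ip-api.com's "hosting, colocation or data center" flag, which is what "Check if machine is in data center or colocation facility" refers to), and the socket belongs to an MSBuild.exe that was started with no project file on its command line. The script below is added example code, not from the Joe Sandbox report, and its checks are a simplified rendering of those signatures written for this page, not Joe Sandbox's or the Sigma project's actual rule logic. The session record and the request/response bytes are constructed from the lines above; the finding names are the author's own.

```python
"""Triage the captured HTTP session from the report: parse the raw request
and response, decode the 'Data Raw' byte listing, and tie the exchange to
the process that owned the socket.  Added example code, not part of the
Joe Sandbox report; the records below are constructed from its lines and
the check names are invented here."""
import re

# Constructed from the report's session table and process listing.
SESSION = {
    "src": ("192.168.2.5", 49695), "dst": ("208.95.112.1", 80), "pid": 8636,
    "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    "commandline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
}
# Constructed from the report's raw HTTP exchange.
REQUEST = ("GET /line/?fields=hosting HTTP/1.1\r\n"
           "Host: ip-api.com\r\n"
           "Connection: Keep-Alive\r\n\r\n")
RESPONSE_HEAD = ("HTTP/1.1 200 OK\r\n"
                 "Date: Fri, 07 Mar 2025 21:46:30 GMT\r\n"
                 "Content-Type: text/plain; charset=utf-8\r\n"
                 "Content-Length: 6\r\n"
                 "Access-Control-Allow-Origin: *\r\n"
                 "X-Ttl: 60\r\n"
                 "X-Rl: 44\r\n\r\n")
RESPONSE_DATA_RAW = "66 61 6c 73 65 0a"   # the report's "Data Raw" line

# Public IP-information services; ip-api.com is the one seen in the capture.
GEOIP_SERVICES = {"ip-api.com"}


def parse_http_message(text):
    """Split a raw HTTP/1.1 message into (start line, {lower-case header: value})."""
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_data_raw(hexdump):
    """Turn the report's 'Data Raw: 66 61 ...' listing back into text."""
    return bytes.fromhex(hexdump.replace(" ", "")).decode("utf-8")


def triage(session, request, response_head, data_raw):
    """Run the three checks over one captured session; return what they saw."""
    findings = []
    req_line, req_hdrs = parse_http_message(request)
    method, path, _version = req_line.split(" ", 2)
    host = req_hdrs.get("host", "")

    # 1. Real browsers and most HTTP libraries always send a User-Agent.
    if method in ("GET", "POST") and "user-agent" not in req_hdrs:
        findings.append("http_without_user_agent")

    # 2. External IP lookup, narrowed to the data-center/hosting question.
    m = re.search(r"[?&]fields=([^&\s]+)", path)
    fields = set(m.group(1).split(",")) if m else set()
    hosting = None
    if host in GEOIP_SERVICES:
        findings.append("online_ip_lookup")
        if "hosting" in fields:
            findings.append("datacenter_check")
            _status, resp_hdrs = parse_http_message(response_head)
            body = decode_data_raw(data_raw)
            # The /line/ endpoint answers one value per line; the report's
            # Content-Length must match the decoded bytes.
            assert int(resp_hdrs["content-length"]) == len(body.encode())
            hosting = body.strip()   # "true" would mark the egress IP as hosting

    # 3. A build tool launched with no project argument has no reason to own
    #    a socket; the report shows it was created suspended by the sample.
    exe = session["process"].rsplit("\\", 1)[-1].lower()
    args = session["commandline"].strip().strip('"')
    if exe == "msbuild.exe" and args.lower() == session["process"].lower():
        findings.append("msbuild_network_without_project")

    return {"host": host, "path": path, "hosting": hosting, "findings": findings}


if __name__ == "__main__":
    result = triage(SESSION, REQUEST, RESPONSE_HEAD, RESPONSE_DATA_RAW)
    print(f"{result['host']}{result['path']} -> hosting={result['hosting']}")
    for finding in result["findings"]:
        print(" -", finding)
```

The decoded body is `false`, i.e. the sandbox's egress address was not classified as a hosting network, and the capture shows the MSBuild.exe process still running and stealing afterwards. The same request from a machine whose public IP does sit in a data center gets `true`, which is the branch this check exists to take; when reproducing the behaviour in a lab, expect the answer to depend on the egress address rather than on the sample.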



                                                      Target ID:0
                                                      Start time:16:46:19
                                                      Start date:07/03/2025
                                                      Path:C:\Users\user\Desktop\6F9vhIKqe7.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\6F9vhIKqe7.exe"
                                                      Imagebase:0xb50000
                                                      File size:79'691'776 bytes
                                                      MD5 hash:840B677C4ADDBDF7F20B8811EF85E42D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1400567927.0000000003100000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1432950815.0000000006A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1432950815.0000000006D1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1432950815.0000000006D1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1416633460.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1416633460.00000000050F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1432950815.00000000068A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1401108257.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:16:46:28
                                                      Start date:07/03/2025
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                      Imagebase:0xaf0000
                                                      File size:262'432 bytes
                                                      MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2564411044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2566778564.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false
