Edit tour

Windows Analysis Report
ZWyrFp7WBM.exe

Overview

General Information

Sample name:	ZWyrFp7WBM.exe renamed because original name is a hash value
Original sample name:	70cb20742efa1fe2892fa0a30e7f2f9473230c16373c258221ddc81117d99d16.exe
Analysis ID:	1632364
MD5:	22b61880f78223f18df46e6ca6421da0
SHA1:	8dda507e9ede9bbbca57ff9d9e613478f8afe3f7
SHA256:	70cb20742efa1fe2892fa0a30e7f2f9473230c16373c258221ddc81117d99d16
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ZWyrFp7WBM.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\ZWyrFp7WBM.exe" MD5: 22B61880F78223F18DF46E6CA6421DA0)

InstallUtil.exe (PID: 6680 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 6992 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iulue.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

iulue.exe (PID: 3844 cmdline: "C:\Users\user\AppData\Roaming\iulue.exe" MD5: 22B61880F78223F18DF46E6CA6421DA0)

InstallUtil.exe (PID: 1316 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.2105135894.0000000003274000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2105135894.000000000326C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1588947463.000000000251C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1588947463.0000000002524000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1620032141.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1142508415.000000000349C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1149953119.0000000004554000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.1588947463.00000000024F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1588947463.00000000024F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2105135894.0000000003241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2105135894.0000000003241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1160814666.0000000007060000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.1578645893.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.1576277029.0000000000192000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1576277029.0000000000192000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1620032141.0000000003CE8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1149953119.000000000456D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1149953119.000000000456D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1620032141.0000000004061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1620032141.0000000004061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1620032141.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1620032141.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ZWyrFp7WBM.exe PID: 7096	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: ZWyrFp7WBM.exe PID: 7096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ZWyrFp7WBM.exe PID: 7096	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ZWyrFp7WBM.exe PID: 7096	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 6680	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 6680	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: iulue.exe PID: 3844	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: iulue.exe PID: 3844	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: iulue.exe PID: 3844	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: iulue.exe PID: 3844	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 1316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 1316	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.iulue.exe.3fc9340.6.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.2.iulue.exe.3f09b28.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.2.iulue.exe.44d4100.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.iulue.exe.44d4100.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.iulue.exe.44d4100.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3167b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x316ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31777:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31809:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31873:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3197b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.iulue.exe.3ea1ee0.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.ZWyrFp7WBM.exe.7060000.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.2.iulue.exe.3fc9340.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.InstallUtil.exe.190000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.InstallUtil.exe.190000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.InstallUtil.exe.190000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.ZWyrFp7WBM.exe.7060000.12.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.2.iulue.exe.44d4100.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.iulue.exe.44d4100.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.iulue.exe.44d4100.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.iulue.exe.3d50988.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.ZWyrFp7WBM.exe.45aa430.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZWyrFp7WBM.exe.45aa430.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.ZWyrFp7WBM.exe.45aa430.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3167b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x316ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31777:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31809:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31873:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3197b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.iulue.exe.42922e8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.iulue.exe.42922e8.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.iulue.exe.42922e8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x275293:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x275305:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x27538f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x275421:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x27548b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x2754fd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x275593:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x275623:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.ZWyrFp7WBM.exe.4582410.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZWyrFp7WBM.exe.4582410.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.ZWyrFp7WBM.exe.4582410.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x5b49b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x5b50d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x5b597:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x5b629:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x5b693:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x5b705:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x5b79b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x5b82b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iulue.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iulue.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iulue.vbs" , ProcessId: 6992, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 6680, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49688

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iulue.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iulue.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iulue.vbs" , ProcessId: 6992, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ZWyrFp7WBM.exe, ProcessId: 7096, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iulue.vbs

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:50:34.750469+0100	2030171	1	A Network Trojan was detected	192.168.2.8	49698	162.254.34.31	587	TCP
2025-03-07T22:51:53.306496+0100	2030171	1	A Network Trojan was detected	192.168.2.8	49688	162.254.34.31	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:51:14.729266+0100	2855542	1	A Network Trojan was detected	192.168.2.8	49688	162.254.34.31	587	TCP
2025-03-07T22:51:55.846943+0100	2855542	1	A Network Trojan was detected	192.168.2.8	49698	162.254.34.31	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:51:14.729266+0100	2855245	1	A Network Trojan was detected	192.168.2.8	49688	162.254.34.31	587	TCP
2025-03-07T22:51:55.846943+0100	2855245	1	A Network Trojan was detected	192.168.2.8	49698	162.254.34.31	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:50:34.750469+0100	2840032	1	A Network Trojan was detected	192.168.2.8	49698	162.254.34.31	587	TCP
2025-03-07T22:51:53.306496+0100	2840032	1	A Network Trojan was detected	192.168.2.8	49688	162.254.34.31	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ZWyrFp7WBM.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\iulue.exe

Avira: detection malicious, Label: TR/AVI.PWS.Agent.wahsz

Found malware configuration

Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\iulue.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: ZWyrFp7WBM.exe	Virustotal: Detection: 65%			Perma Link
Source: ZWyrFp7WBM.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: ZWyrFp7WBM.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.8:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.8:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49697 version: TLS 1.2

Source: ZWyrFp7WBM.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004459000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.00000000044A9000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1155790695.00000000060A0000.00000004.08000000.00040000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003B87000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: ZWyrFp7WBM.exe, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004459000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.00000000044A9000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1155790695.00000000060A0000.00000004.08000000.00040000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003B87000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1162758154.0000000007250000.00000004.08000000.00040000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003B19000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1162758154.0000000007250000.00000004.08000000.00040000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003B19000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.8:49688 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.8:49688 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.8:49698 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.8:49698 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.8:49688 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.8:49688 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.8:49698 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.8:49698 -> 162.254.34.31:587

Source: global traffic

TCP traffic: 192.168.2.8:49688 -> 162.254.34.31:587

Source: global traffic	HTTP traffic detected: GET /xvXf HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xvXf HTTP/1.1Host: oshi.atConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 194.15.112.248 194.15.112.248
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.8:49688 -> 162.254.34.31:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xvXf HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xvXf HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: oshi.at
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: ZWyrFp7WBM.exe, 00000000.00000002.1142508415.0000000003451000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1588947463.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, iulue.exe, 00000005.00000002.1578645893.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.2105135894.00000000031FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000456D000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1576277029.0000000000192000.00000040.00000400.00020000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000004061000.00000004.00000800.00020000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000456D000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1588947463.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1576277029.0000000000192000.00000040.00000400.00020000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000004061000.00000004.00000800.00020000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.2105135894.00000000031FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: InstallUtil.exe, 00000002.00000002.1588947463.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.2105135894.00000000031FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: InstallUtil.exe, 00000002.00000002.1588947463.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000C.00000002.2105135894.00000000031FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1162758154.0000000007250000.00000004.08000000.00040000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003B19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1162758154.0000000007250000.00000004.08000000.00040000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1162758154.0000000007250000.00000004.08000000.00040000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003B19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: ZWyrFp7WBM.exe, 00000000.00000002.1142508415.0000000003451000.00000004.00000800.00020000.00000000.sdmp, iulue.exe, 00000005.00000002.1578645893.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: https://oshi.at/xvXf
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1162758154.0000000007250000.00000004.08000000.00040000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003B19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: ZWyrFp7WBM.exe, 00000000.00000002.1142508415.000000000349C000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1162758154.0000000007250000.00000004.08000000.00040000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003B19000.00000004.00000800.00020000.00000000.sdmp, iulue.exe, 00000005.00000002.1578645893.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp, ZWyrFp7WBM.exe, 00000000.00000002.1162758154.0000000007250000.00000004.08000000.00040000.00000000.sdmp, iulue.exe, 00000005.00000002.1620032141.0000000003B19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: ZWyrFp7WBM.exe, iulue.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.8:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.8:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49697 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack, SKTzxzsJw.cs

.Net Code: nUAqbab

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.iulue.exe.44d4100.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.InstallUtil.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.iulue.exe.44d4100.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.iulue.exe.42922e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.ZWyrFp7WBM.exe.4582410.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_05A6DD80 NtResumeThread,	5_2_05A6DD80
Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_05A6A2A0 NtProtectVirtualMemory,	5_2_05A6A2A0
Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_05A6DD7A NtResumeThread,	5_2_05A6DD7A
Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_05A6A299 NtProtectVirtualMemory,	5_2_05A6A299

Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Code function: 0_2_060F1CA0	0_2_060F1CA0
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Code function: 0_2_060F1038	0_2_060F1038
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Code function: 0_2_060A6E5B	0_2_060A6E5B
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Code function: 0_2_016FEDE8	0_2_016FEDE8
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Code function: 0_2_016FB030	0_2_016FB030
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Code function: 0_2_0798FB90	0_2_0798FB90
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Code function: 0_2_0798EAD8	0_2_0798EAD8
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Code function: 0_2_0798E4F0	0_2_0798E4F0
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Code function: 0_2_07970006	0_2_07970006
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Code function: 0_2_07970040	0_2_07970040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0086E500	2_2_0086E500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00864A90	2_2_00864A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0086DC98	2_2_0086DC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00863E78	2_2_00863E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0086AF85	2_2_0086AF85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_008641C0	2_2_008641C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E5A198	2_2_05E5A198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E5BC48	2_2_05E5BC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E67DF0	2_2_05E67DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E66668	2_2_05E66668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E65640	2_2_05E65640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E63100	2_2_05E63100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E6B2AB	2_2_05E6B2AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E6C200	2_2_05E6C200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E65D5F	2_2_05E65D5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E6240A	2_2_05E6240A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E6E418	2_2_05E6E418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E67710	2_2_05E67710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E60040	2_2_05E60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_05E60019	2_2_05E60019
Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_00E9EDE8	5_2_00E9EDE8
Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_00E9B030	5_2_00E9B030
Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_05A6BC38	5_2_05A6BC38
Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_05A66F08	5_2_05A66F08
Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_05A6BBE9	5_2_05A6BBE9
Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_05A6BC28	5_2_05A6BC28
Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_05A66EF9	5_2_05A66EF9
Source: C:\Users\user\AppData\Roaming\iulue.exe	Code function: 5_2_05A6C38A	5_2_05A6C38A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0199E670	12_2_0199E670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_01994A98	12_2_01994A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_0199AA18	12_2_0199AA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_01993E80	12_2_01993E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_019941C8	12_2_019941C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C1A194	12_2_06C1A194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C1BB58	12_2_06C1BB58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C25640	12_2_06C25640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C26668	12_2_06C26668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C22418	12_2_06C22418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C2B2B0	12_2_06C2B2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C2C200	12_2_06C2C200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C27DF0	12_2_06C27DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C27710	12_2_06C27710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C2E418	12_2_06C2E418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C20040	12_2_06C20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C25D70	12_2_06C25D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C20021	12_2_06C20021

Source: ZWyrFp7WBM.exe	Binary or memory string: OriginalFilename vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004459000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1142508415.000000000349C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1142508415.00000000037F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1142124894.000000000175E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.00000000044A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.00000000049F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHmfllr.dll" vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1157717722.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHmfllr.dll" vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000481E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1155790695.00000000060A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000456D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000456D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLkzpbozzvs.exe, vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.000000000488C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHmfllr.dll" vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe, 00000000.00000002.1162758154.0000000007250000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs ZWyrFp7WBM.exe
Source: ZWyrFp7WBM.exe	Binary or memory string: OriginalFilenameLkzpbozzvs.exe, vs ZWyrFp7WBM.exe

Source: 5.2.iulue.exe.44d4100.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.InstallUtil.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.iulue.exe.44d4100.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.iulue.exe.42922e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.ZWyrFp7WBM.exe.4582410.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: ZWyrFp7WBM.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: iulue.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ZWyrFp7WBM.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ZWyrFp7WBM.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ZWyrFp7WBM.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: iulue.exe.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: iulue.exe.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: iulue.exe.0.dr, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: unknown	Process created: C:\Users\user\Desktop\ZWyrFp7WBM.exe "C:\Users\user\Desktop\ZWyrFp7WBM.exe"
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iulue.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\iulue.exe "C:\Users\user\AppData\Roaming\iulue.exe"
Source: C:\Users\user\AppData\Roaming\iulue.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\iulue.exe "C:\Users\user\AppData\Roaming\iulue.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior

Source: ZWyrFp7WBM.exe, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: ZWyrFp7WBM.exe, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: iulue.exe.0.dr, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: iulue.exe.0.dr, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.ZWyrFp7WBM.exe.46094d0.2.raw.unpack, -.cs	.Net Code: _0001 System.AppDomain.Load(byte[])
Source: 0.2.ZWyrFp7WBM.exe.46094d0.2.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])

Source: Yara match	File source: 5.2.iulue.exe.3fc9340.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iulue.exe.3f09b28.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iulue.exe.3ea1ee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZWyrFp7WBM.exe.7060000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iulue.exe.3fc9340.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZWyrFp7WBM.exe.7060000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iulue.exe.3d50988.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1620032141.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1142508415.000000000349C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1149953119.0000000004554000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1160814666.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1578645893.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1620032141.0000000003CE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZWyrFp7WBM.exe PID: 7096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iulue.exe PID: 3844, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00860C45 push ebx; retf	2_2_00860C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00860C6D push edi; retf	2_2_00860C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_01997B10 push ebp; retf	12_2_01997A32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_01990C53 push ebx; retf	12_2_01990C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_01990C45 push ebx; retf	12_2_01990C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_01990C6D push edi; retf	12_2_01990C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 12_2_06C1FCC7 push es; retf	12_2_06C1FCC8

Source: ZWyrFp7WBM.exe	Static PE information: section name: .text entropy: 7.872886244754763
Source: iulue.exe.0.dr	Static PE information: section name: .text entropy: 7.872886244754763

Source: 0.2.ZWyrFp7WBM.exe.6ca0000.10.raw.unpack, B4qciP9OQvsC2jhItCO.cs	High entropy of concatenated method names: 'M8H9yareKY', 'UuT9Qicq64', 'iaI9kZ5rlV', 'sid9rgRPDT', 'KsW90CytGY', 'T0R9qwdc3b', 'JgF9AH9b1f', 'fm39NvGR98', 'cMd9XejFJo', 'MhD9e3mOp6'
Source: 0.2.ZWyrFp7WBM.exe.48b16b0.3.raw.unpack, iMRH60QYtoF2NVHOtog.cs	High entropy of concatenated method names: 'cE7dW9TNd2', 'M2KdzIFSr4', 'XrSqa7s6Fm', 'XD9q9A53HY', 'gw1qC0Kbk5', 'mCSqnU66YZ', 'Tkgq823N8M', 'xSj5qhc0Uq', 'ldLqjvDdKC', 'iPJqwR5Seg'
Source: 0.2.ZWyrFp7WBM.exe.48b16b0.3.raw.unpack, B4qciP9OQvsC2jhItCO.cs	High entropy of concatenated method names: 'M8H9yareKY', 'UuT9Qicq64', 'iaI9kZ5rlV', 'sid9rgRPDT', 'KsW90CytGY', 'T0R9qwdc3b', 'JgF9AH9b1f', 'fm39NvGR98', 'cMd9XejFJo', 'MhD9e3mOp6'
Source: 0.2.ZWyrFp7WBM.exe.48b16b0.3.raw.unpack, adRM5AOl1g6mWbwLpMi.cs	High entropy of concatenated method names: 'LeZ4rXVhrc', 'kZm4xTiEQh', 'c6I40fCEwW', 'MSELul6XNCpaNYWoCYT', 'IsImXI6TiIJt6BIRHN4', 'catOZiYFAi', 'YpAOYi1aVM', 'bUSOWJByhd', 'KUEOzDIrgC', 'FyI4aRc8XX'
Source: 0.2.ZWyrFp7WBM.exe.48b16b0.3.raw.unpack, cVZ1qQy1xbs0RNPiMDs.cs	High entropy of concatenated method names: 'PRt3couwItcG12RSAZQ', 'IV8N5fuP4w4hhPbS1id', 'mIqQSol99Q', 'vh0ry9Sq2v', 'ys3QkwiCvn', 'MddQG8hbFk', 'BL8Qr6EhfD', 'jFJQxEIwOs', 'jjfLMnrAZw', 'znWy2JCCj1'
Source: 0.2.ZWyrFp7WBM.exe.48b16b0.3.raw.unpack, O57Oy9QiJbOiRO1pS6y.cs	High entropy of concatenated method names: 'fqUQmtOF5t', 'CioQ6xR4QO', 'AkrQuZkRIb', 'D1aQIpB08S', 'Y76QUxhQYv', 'oVGQLffvbb', 't5dQKhXd2Y', 'GX0QlF65fl', 'AhDQDsXLup', 'sHOQZkYr1n'
Source: 0.2.ZWyrFp7WBM.exe.48b16b0.3.raw.unpack, MMMes8wuLPGhH2DZtdZ.cs	High entropy of concatenated method names: 'qMMwUDrHF6', 'RI5wKgKgDI', 'sJbwD1GvK8', 'spJwY66xO9', 'cDZwW1Hbkb', 'dYrwzimWnT', 'Sm9PanvWA1', 'FipP9h6r5f', 'uKkPCupdeL', 'GlMPnLAYAi'
Source: 0.2.ZWyrFp7WBM.exe.48b16b0.3.raw.unpack, NgQj9l4ma6uDoqraICi.cs	High entropy of concatenated method names: 'blX4Lo2D4V', 'iKD4Ku8aAn', 'Na64liaS2b', 'ppJ4D1M5II', 'MXu4Z1DDWW', 'K4p4YS9IDY', 'oMA4WEm8pv', 'M5L4zRYCSA', 'FQTya6dvKf', 'YxOy9HkMHD'

Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Memory allocated: 16F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Memory allocated: 3450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Memory allocated: 33A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 24A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Memory allocated: E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Memory allocated: 4AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Window / User API: threadDelayed 1292	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Window / User API: threadDelayed 6081	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2873	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Window / User API: threadDelayed 3188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Window / User API: threadDelayed 5883	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2321	Jump to behavior

Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7144	Thread sleep count: 1292 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7144	Thread sleep count: 6081 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -98569s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -98191s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -97950s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -97702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -97565s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -97375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -97266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -97153s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -97047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -96719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe TID: 7128	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5256	Thread sleep count: 1093 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -99744s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -99627s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5256	Thread sleep count: 2873 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -99319s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -98422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -98188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -97843s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2916	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 6348	Thread sleep count: 3188 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 6348	Thread sleep count: 5883 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -99782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -99563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -99032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -98889s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -98658s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -98422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -98188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -97969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -97625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -97407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -97282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -97157s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -97032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -96922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -96813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -96688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -96563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -96438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -96313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -96192s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -96078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -95964s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -95859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -95700s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -95593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -95482s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -95375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -95266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -95156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe TID: 7020	Thread sleep time: -95047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1464	Thread sleep count: 308 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1464	Thread sleep count: 2321 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -99782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -98964s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -98638s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -98532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -98422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -98308s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1492	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: wscript.exe, 00000004.00000002.1246133659.00000196DE775000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: iulue.exe, 00000005.00000002.1576963538.0000000000F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: iulue.exe, 00000005.00000002.1578645893.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: iulue.exe, 00000005.00000002.1578645893.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 0000000C.00000002.2116390434.0000000006493000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: ZWyrFp7WBM.exe, 00000000.00000002.1142124894.00000000017CB000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1597366179.0000000005614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Process token adjusted: Debug			Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZWyrFp7WBM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
ZWyrFp7WBM.exe

Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 190000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Queries volume information: C:\Users\user\Desktop\ZWyrFp7WBM.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ZWyrFp7WBM.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Queries volume information: C:\Users\user\AppData\Roaming\iulue.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iulue.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.2.iulue.exe.44d4100.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iulue.exe.44d4100.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZWyrFp7WBM.exe.45aa430.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.iulue.exe.42922e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZWyrFp7WBM.exe.4582410.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZWyrFp7WBM.exe.45aa430.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2105135894.0000000003274000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2105135894.000000000326C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1588947463.000000000251C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1588947463.0000000002524000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1588947463.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2105135894.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1576277029.0000000000192000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1149953119.000000000456D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1149953119.0000000004797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1620032141.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1620032141.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZWyrFp7WBM.exe PID: 7096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iulue.exe PID: 3844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1316, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	211 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	1 Credentials in Registry	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement