Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Transferencia - BBVA 20250312.pdf(45KB).com.exe

Overview

General Information

Sample name:Transferencia - BBVA 20250312.pdf(45KB).com.exe
Analysis ID:1639319
MD5:4ea000d1cb10be5603ba17b2bf8586b5
SHA1:0addb4903078927279ea243239781dd6bf85f441
SHA256:99f7676a797ffaecdc6150d731f1a5093372dc68f132522364cefaddc352ab67
Tags:BBVAcomexeXWormuser-abuse_ch
Infos:

Detection

DarkTortilla, XWorm
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Transferencia - BBVA 20250312.pdf(45KB).com.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exe" MD5: 4EA000D1CB10BE5603BA17B2BF8586B5)
    • InstallUtil.exe (PID: 7624 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • InstallUtil.exe (PID: 7960 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DarkTortillaDarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["wqo9.firewall-gateway.de", "rency.ydns.eu", "code1.ydns.eu"], "Port": 59012, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.1627114005.0000000005000000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
    00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
      00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xba9f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xbb3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xbc51:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xb881:$cnc4: POST / HTTP/1.1
      00000001.00000002.1626181440.0000000003899000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
        00000009.00000002.3686559501.0000000002751000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
          Click to see the 8 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.38bf0e0.1.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
            3.2.InstallUtil.exe.1d0000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
              3.2.InstallUtil.exe.1d0000.0.unpackrat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
              • 0x9a7a:$str01: $VB$Local_Port
              • 0x9a9e:$str02: $VB$Local_Host
              • 0x83d8:$str03: get_Jpeg
              • 0x897e:$str04: get_ServicePack
              • 0xa729:$str05: Select * from AntivirusProduct
              • 0xb4b7:$str06: PCRestart
              • 0xb4cb:$str07: shutdown.exe /f /r /t 0
              • 0xb57d:$str08: StopReport
              • 0xb553:$str09: StopDDos
              • 0xb649:$str10: sendPlugin
              • 0xb6c9:$str11: OfflineKeylogger Not Enabled
              • 0xb821:$str12: -ExecutionPolicy Bypass -File "
              • 0xbb66:$str13: Content-length: 5235
              3.2.InstallUtil.exe.1d0000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0xbc9f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0xbd3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0xbe51:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0xba81:$cnc4: POST / HTTP/1.1
              1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.5000000.3.raw.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
                Click to see the 10 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Startup Folder File Write
                Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 7960, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroSoft Edges.lnk

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-15T09:37:02.158256+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:37:11.576724+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:37:21.819162+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:37:32.066725+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:37:32.251421+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:37:42.317131+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:37:52.563291+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:02.171663+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:02.815165+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:07.611606+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:15.036227+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:17.081408+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:20.882116+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:21.029550+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:26.195488+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:26.345117+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:31.459355+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:31.608410+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:32.183395+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:41.765596+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:52.007341+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:52.241393+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:02.193237+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:02.378771+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:04.552930+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:05.208340+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:15.460100+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:22.769829+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:22.920080+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:23.079535+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:32.210971+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:33.399742+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:43.648051+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:43.794985+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:46.708056+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:54.832813+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:54.983716+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:40:02.237394+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:40:03.164361+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:40:04.962385+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:40:05.392122+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:40:05.584237+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:40:10.319571+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:40:15.769839+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:40:15.917603+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:40:17.888312+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:40:18.829634+010028528701Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-15T09:37:11.594567+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:37:21.821838+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:37:32.069749+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:37:42.321313+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:37:52.565910+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:02.817196+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:07.613320+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:15.037944+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:17.089396+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:20.883874+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:21.030984+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:26.197012+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:26.346841+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:31.460935+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:31.613522+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:41.767355+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:52.009259+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:38:52.243123+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:02.380568+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:04.555041+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:05.211565+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:15.461844+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:22.772200+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:22.922093+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:23.083312+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:23.225962+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:23.230735+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:23.366440+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:33.402066+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:43.650515+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:43.796800+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:46.709914+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:54.834285+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:39:54.985115+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:40:03.167324+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:40:04.963965+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:40:05.396322+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:40:05.588699+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:40:10.321517+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:40:15.771312+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:40:15.920089+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:40:18.401706+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                2025-03-15T09:40:18.830402+010028529231Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-15T09:37:02.158256+010028528741Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:37:32.251421+010028528741Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:02.171663+010028528741Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:38:32.183395+010028528741Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:02.193237+010028528741Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:39:32.210971+010028528741Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                2025-03-15T09:40:02.237394+010028528741Malware Command and Control Activity Detected104.245.240.12359012192.168.2.649698TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-15T09:38:31.214924+010028531931Malware Command and Control Activity Detected192.168.2.649698104.245.240.12359012TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeAvira: detected
                Antivirus detection for URL or domain
                Source: code1.ydns.euAvira URL Cloud: Label: phishing
                Found malware configuration
                Source: 00000001.00000002.1613249448.0000000002838000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["wqo9.firewall-gateway.de", "rency.ydns.eu", "code1.ydns.eu"], "Port": 59012, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
                Multi AV Scanner detection for submitted file
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeVirustotal: Detection: 71%Perma Link
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeReversingLabs: Detection: 66%
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Sample uses string decryption to hide its real strings
                Source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmpString decryptor: wqo9.firewall-gateway.de,rency.ydns.eu,code1.ydns.eu
                Source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmpString decryptor: 59012
                Source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmpString decryptor: <123456789>
                Source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmpString decryptor: <Xwormmm>
                Source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmpString decryptor: CLITH & KEL
                Source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmpString decryptor: USB.exe
                Source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmpString decryptor: %AppData%
                Source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmpString decryptor: MicroSoft Edges.exe
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: MicroSoft Edges.exe.9.dr
                Source: Binary string: InstallUtil.pdb source: MicroSoft Edges.exe.9.dr

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.245.240.123:59012 -> 192.168.2.6:49698
                Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.245.240.123:59012 -> 192.168.2.6:49698
                Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49698 -> 104.245.240.123:59012
                Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49698 -> 104.245.240.123:59012
                Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49698 -> 104.245.240.123:59012
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: wqo9.firewall-gateway.de
                Source: Malware configuration extractorURLs: rency.ydns.eu
                Source: Malware configuration extractorURLs: code1.ydns.eu
                Connects to many ports of the same IP (likely port scanning)
                Source: global trafficTCP traffic: 104.245.240.123 ports 59012,0,1,2,5,9
                Source: global trafficTCP traffic: 192.168.2.6:49698 -> 104.245.240.123:59012
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficDNS traffic detected: DNS query: wqo9.firewall-gateway.de
                Source: global trafficDNS traffic detected: DNS query: rency.ydns.eu
                Source: InstallUtil.exe, 00000009.00000002.3686559501.0000000002751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeString found in binary or memory: https://api.openweathermap.org/data/2.5/weather?q=

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 3.2.InstallUtil.exe.1d0000.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 3.2.InstallUtil.exe.1d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000001.00000002.1613249448.0000000002838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: Transferencia - BBVA 20250312.pdf(45KB).com.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_027935B0 CreateProcessAsUserW,1_2_027935B0
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_025EC8E01_2_025EC8E0
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_025E8D601_2_025E8D60
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_025E7F881_2_025E7F88
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_025EB2801_2_025EB280
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_025E59181_2_025E5918
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_02793B701_2_02793B70
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_027923681_2_02792368
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_027900401_2_02790040
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_02793E681_2_02793E68
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_027964681_2_02796468
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_02793B631_2_02793B63
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_027903F91_2_027903F9
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_02798BF81_2_02798BF8
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_027900071_2_02790007
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_027916001_2_02791600
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_027917DF1_2_027917DF
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_027904081_2_02790408
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_02791D681_2_02791D68
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_02791D581_2_02791D58
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_027945011_2_02794501
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_027915F01_2_027915F0
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_05C566681_2_05C56668
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_05C566581_2_05C56658
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_05C767A01_2_05C767A0
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_05C780A81_2_05C780A8
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_05C78C101_2_05C78C10
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_05C767901_2_05C76790
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_05C707A81_2_05C707A8
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_05C7A1801_2_05C7A180
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_05C7A1901_2_05C7A190
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F57981_2_074F5798
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F66481_2_074F6648
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F45581_2_074F4558
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F8D021_2_074F8D02
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F39391_2_074F3939
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F4DD11_2_074F4DD1
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F28A21_2_074F28A2
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F8B581_2_074F8B58
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F8B681_2_074F8B68
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F83011_2_074F8301
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F37D51_2_074F37D5
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F02201_2_074F0220
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F86A91_2_074F86A9
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F86B81_2_074F86B8
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F656D1_2_074F656D
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F75201_2_074F7520
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F75301_2_074F7530
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F65CD1_2_074F65CD
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F659D1_2_074F659D
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074FD4601_2_074FD460
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F80011_2_074F8001
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F80101_2_074F8010
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F44D71_2_074F44D7
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F88E01_2_074F88E0
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F88F01_2_074F88F0
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_074F98B21_2_074F98B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_025742B89_2_025742B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_0257E0689_2_0257E068
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_025710309_2_02571030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_025796F09_2_025796F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_0257DA409_2_0257DA40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_02579FC09_2_02579FC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_02573C689_2_02573C68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_025793A89_2_025793A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_025716109_2_02571610
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_0257BBE19_2_0257BBE1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_060823BD9_2_060823BD
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, 00000001.00000002.1627114005.0000000005000000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameFalimotin.dll4 vs Transferencia - BBVA 20250312.pdf(45KB).com.exe
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, 00000001.00000002.1613249448.0000000002838000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWindow Session Manager.exe4 vs Transferencia - BBVA 20250312.pdf(45KB).com.exe
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, 00000001.00000002.1612015847.000000000091E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Transferencia - BBVA 20250312.pdf(45KB).com.exe
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, 00000001.00000000.1206669043.000000000047D000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilenameW3E.exeP vs Transferencia - BBVA 20250312.pdf(45KB).com.exe
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, 00000001.00000002.1613249448.0000000002BF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWindow Session Manager.exe4 vs Transferencia - BBVA 20250312.pdf(45KB).com.exe
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, 00000001.00000002.1629268259.0000000007BF0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRP8SH.dll6 vs Transferencia - BBVA 20250312.pdf(45KB).com.exe
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, 00000001.00000002.1626181440.0000000003899000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFalimotin.dll4 vs Transferencia - BBVA 20250312.pdf(45KB).com.exe
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeBinary or memory string: OriginalFilenameW3E.exeP vs Transferencia - BBVA 20250312.pdf(45KB).com.exe
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 3.2.InstallUtil.exe.1d0000.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 3.2.InstallUtil.exe.1d0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000001.00000002.1613249448.0000000002838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, Fe60ExH.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, 2uSXTzuCbv3dJ70IaPLC5EIiVDP8UpoOEfGYTX5Gx90rGHLQyfChzzGRF.csCryptographic APIs: 'TransformFinalBlock'
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, ibqnpr9a2s9TtsVNFsmzXQ00uVGSBae9C0MnLXVGKR9ZOC8HXNfuthxCZ.csCryptographic APIs: 'TransformFinalBlock'
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, ibqnpr9a2s9TtsVNFsmzXQ00uVGSBae9C0MnLXVGKR9ZOC8HXNfuthxCZ.csCryptographic APIs: 'TransformFinalBlock'
                Source: classification engineClassification label: mal100.troj.evad.winEXE@5/3@2/2
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Transferencia - BBVA 20250312.pdf(45KB).com.exe.logJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\UM7rFYAybCy0xVXi
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeVirustotal: Detection: 71%
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeReversingLabs: Detection: 66%
                Source: unknownProcess created: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exe "C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exe"
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: linkinfo.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntshrui.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cscapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: avicap32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msvfw32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: MicroSoft Edges.lnk.9.drLNK file: ..\..\..\..\..\MicroSoft Edges.exe
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: MicroSoft Edges.exe.9.dr
                Source: Binary string: InstallUtil.pdb source: MicroSoft Edges.exe.9.dr

                Data Obfuscation

                barindex
                Yara detected DarkTortilla Crypter
                Source: Yara matchFile source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.38bf0e0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.5000000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.38e4c30.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.5000000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.38e4c30.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.38bf0e0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000001.00000002.1627114005.0000000005000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1626181440.0000000003899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1613249448.0000000002838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Transferencia - BBVA 20250312.pdf(45KB).com.exe PID: 7416, type: MEMORYSTR
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, ej0IqDHp1vhYbpLO8yMfHxWUW.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{tV5PDU1xTjqWr9ynxVsyWsE7V.me7sVpsWjIwzQBQgYxxTx7T1h,tV5PDU1xTjqWr9ynxVsyWsE7V.YaPYILAK9hVPFsUoWuemh65xS,tV5PDU1xTjqWr9ynxVsyWsE7V.iUU1yutvJ6Kb91eyqmwWJpkPL,tV5PDU1xTjqWr9ynxVsyWsE7V._0p3bDpYXuWiI7wVevq5isKV1N,ibqnpr9a2s9TtsVNFsmzXQ00uVGSBae9C0MnLXVGKR9ZOC8HXNfuthxCZ.UZTNEdNpmxlZWoHYhb42C24c8b1jgTwfYWROicvgC0DOy7WeHzNAu9Z9F()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, ej0IqDHp1vhYbpLO8yMfHxWUW.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_1rnJD5Ww9yJulmAb0B8uhjSMYa8I0msgVyxdAtIUoI7NcCz9OBMYN5FAX[2],ibqnpr9a2s9TtsVNFsmzXQ00uVGSBae9C0MnLXVGKR9ZOC8HXNfuthxCZ.C5aR8bxgFRdKRdouSFv7gEfY4v8x7JJ6Zgh8Pif9q3El1HhrKhGHetbZy(Convert.FromBase64String(_1rnJD5Ww9yJulmAb0B8uhjSMYa8I0msgVyxdAtIUoI7NcCz9OBMYN5FAX[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                .NET source code contains potential unpacker
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, ej0IqDHp1vhYbpLO8yMfHxWUW.cs.Net Code: oTVmyCMiYmqodqDbBrI5pkIhH System.AppDomain.Load(byte[])
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, ej0IqDHp1vhYbpLO8yMfHxWUW.cs.Net Code: w6N1ltaWR3vWnbcAva63m090A System.AppDomain.Load(byte[])
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, ej0IqDHp1vhYbpLO8yMfHxWUW.cs.Net Code: w6N1ltaWR3vWnbcAva63m090A
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_05C7E1D0 pushad ; ret 1_2_05C7E1E3
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeCode function: 1_2_05C7E210 push ecx; ret 1_2_05C7E222
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_0257A700 push eax; retf 0004h9_2_0257A729
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_02576B97 push es; retf 0004h9_2_02576BA2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 9_2_02576C57 push cs; retf 0004h9_2_02576C62
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exeStatic PE information: section name: .text entropy: 6.92952093328194
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, j6C0LkD.csHigh entropy of concatenated method names: 'Kb8r4FP', 'n2Y5Fxr', 'n6J1Smy', 'Wk5g3A7', 'o6F9Tcx', 'e2X7QgT', 'Xm3q7E6', 'Bx9p8C0', 'd3PMy86', 'a5N4Apm'
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, Re3p9CP.csHigh entropy of concatenated method names: 'p2A7Cdr', 'Dd86RkM', 'Ba35DoL', 'Hr1t6Z5', 'Ky3w2YG', 't5FWn2g', 'x3J0GgZ', 'g7HWc9j', 'Na1s9SY', 'Dw6k2QH'
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, d1X0Zyq.csHigh entropy of concatenated method names: 'Kw0k8TF', 'Ef9m7F6', 'y5FGj19', 'z1E7Ykj', 'Xx18Epd', 'Yi4q8KA', 'Ys4f5G0', 'j8M2Cax', 'c2E4PzC', 'Qq2z6FK'
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, x8SKp3q.csHigh entropy of concatenated method names: 'Wt47TcL', 'MoveNext', 'r9YRq56', 'SetStateMachine', 'Jo1x8HM', 'Wq8s5A9', 'g9K1PeF', 'r8WBi6y', 'w5X0QbK', 'm8NWd9z'
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, Fe60ExH.csHigh entropy of concatenated method names: 'w7QMq5j', 'a8D1ApB', 'Az2g3ZL', 'Wy8b7T2', 'Gd29Scr', 'Aw45Ytr', 'm8TJy70', 'f9S4Jna', 'Kc8f6HX', 'c2QEj5e'
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, tV5PDU1xTjqWr9ynxVsyWsE7V.csHigh entropy of concatenated method names: '_0zNMLSQbynhoT4qxQ5a10YclBLCMVz4xGBiUM5CkoV', 'NCMM9mRZDgulAVYFx9asEWynljLTCN6jznwLZfb3Ny', 'gO3qG6YNudSCQDlMQxhDbegLEmZCapWYr2A2DZaBH4', 'RcAv9sgKfdaPk1FG8QVGZANzIXq8LLwg5j18zQV58Z'
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, qgT2GvIgsR0Ldp3lGoRqtTdcIkAdkb6mvkZU6gDiof.csHigh entropy of concatenated method names: 'obHVmxqFmJ9WSwsmvTY8dCotv9raYpUgVyaC0HpYuW', 'nLYNtzy4A7T2u81Um4Oyyk8uSH3PvBLOyEvnYwC5pi', '_4PCHFztGkfbsz9JrRmpIWWQUedbul2qM8KDkrA5os4', '_0gzZwhqT40AObIsKt', 'm0B09r5oiDXpxGouI', 'CnGreHbfSvIzKUPyQ', 'WF2b12e8ncXY78psg', 'BpbPJGiaAiPTk19ui', '_53Vjw6mHBLxSBdWt3', 'A5zm5IafBwLXQbpOs'
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, aPJyNzsVvfmZPUR3a8yAHN4SR.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'ZVEq8f5vmpxPOMgdAhpKqGIZt5vkWfMOhNpsni5HH7', 'rbO4crb7VaKm9WGLNytEzKxCANdWjIPKzEYa7Ntv6t', 'b9GZuTiQPcklXlACHUcotl8NBxZJL6ynwm6peFr5AL', '_3ioCYZREHE4k9A5HIjaeOd7clRvwCxxZuCcxwxyeeD'
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, pFOMVfIpDXpJzgsSQZS2ifrKqH4jMvLGdHFBKACpjQ2yRHuelUouBxs41.csHigh entropy of concatenated method names: 'nHEV8ZkI5TxmtTae1J6dADNyW6RTTNl7np9emHL0n56qYqlzcYgLJXKoj', 'QkYQEbrzNSdVrF1Sn', '_05U3jYi1ocaTX8frd', 'F0Zf6HmArn9L2BFxF', 'hL1p7ewVG6ZruBYEs'
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, kIjWI22NiDKj1WY722QeLvRud.csHigh entropy of concatenated method names: 'irdyuEmUyR0J0NG063EsIzGSO', 'buEWmM3mHTD2jjovdPARSKNyh', 'LIgwbJ2VAmUEaTT1nTuTqHy0G', 'VGX5vXC2qbJzsrd6ml7US5IVl', '_6PfYcncqD8rCuajAmLKilk7Jx', 'EBgWapqF9S9rbTi7OqqH9CvXn', '_5RNYfp9ux9klYvNoJuapsTI9S', 'S35ij15hoyL08tOJCUMEHrdOv', 'nR8o01ZxjlnNeVWO1KpyU5pnc', '_3EBd0kflfkhbPioZjPM2NXQFb'
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, qFBMebozvEnnFRuNr6afTvuhz.csHigh entropy of concatenated method names: 'w4tI34N7HisbTPmRbNlzNRoW0', 'zFLlNOKN18AKrDqDoA6uB3sah', 'D1zr5HUcR30KJzYKMRfaQ0rMC', 'tLbWlJoAdmc14JlDEP9kHeOK9Wlwjs5R4TdcZ9zBgV', 'sXPzDvJMc2bhQAPLiKiwK1YJb4vqiJaTX0ltVPTfOR', '_3EwgNJvOHQOtvo5YfkmHIj11DCYoSKApPnDFwkUtC8', 'JhF5St1WQNND5PngKkAcJSjNmLa63iDscUpO2Rpt9C', 'jxdiL8OIc6tyCVtVLmSrtqcWTCHwdG7ulI9a4tDLFC', 'SQsMmUYa9Hp6q2dRFwB0f5ToGBSgUGzyHtS7erYeSE', '_8RpAZEN25f9P4jkhZnK0LaV0sxQXqr6dZY00ALpYM7'
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, ibqnpr9a2s9TtsVNFsmzXQ00uVGSBae9C0MnLXVGKR9ZOC8HXNfuthxCZ.csHigh entropy of concatenated method names: 'fDCH4d2cUQgd7VPb1F9OKPXsrUL6YRyCr6IHkgwsr7Kuszhv10BVbsSUx', 'I2MQHKbpItyLSSwEbdp4DrNzeMH8NPdu98nO8QdOZoNeKiy6LjJHAzyiL', 'YUf4mlI3vXVvW3izrlUIau9vcVmGv3ynm4SnE7H1RDHWdJrw0J0vXACBi', 'w77OwwaiXxt5FqdvaUU7TdlbBX64OMWfeS0U1vLpRPz6rexqoTNgqDKKJ', 'An3J5vDnfUla707ZlAU0NuYvmn4HXCxjywDY0Quv5ibzPILkVquPx9e0B', 'R1dcGjzNR6Z9tJIj5wPmUQs1Kf6xbd7RvYthgI46TxVelxK8F66rRXspX', 'RKpA3quo4ydvCrbggpTUXYanrBwQqQvO9QUGk247HQcWCywtwzDNO9IKi', '_6gCq0kXygFxQiIDALHTMKenCRe4kSzS8RPKoYwf0HTj98FGLFABUIdqzZ', 'otBCMPK5HSWdDSxkY9SoFdbsGLy6oSGvyajvzlj5vjiOJ9GVoYU4MlsH8', 'uS9wfP7Q17vMfiITR7qOOYqV9Fn8mfwyhcHcavN6PVHMVo4ouHs1798VS'
                Source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, ej0IqDHp1vhYbpLO8yMfHxWUW.csHigh entropy of concatenated method names: 'KOz2mFUbwIgRytSpQpfgFTzNp', 'oTVmyCMiYmqodqDbBrI5pkIhH', 'SLdpWLKwqX1qkMgjvfvRDrjeB', 'fBmta6IllUG7sOmVfbhDrGtrl', 'noh4qkUK6hYdzQdXH3Gxvisih', '_85ZoE6FFIh7Jo3v14R6J2WQjo', '_9A3B7xqBCEl6JKDodBqmHPdkB', 'GQTnKjOUdVg3sEj7f1LCTieyC', '_4J4EGlTRgESedLcEtt9kEPxdE', 'GlCchviw13BQjWynqiy344s87'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\MicroSoft Edges.exeJump to dropped file
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroSoft Edges.lnkJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroSoft Edges.lnkJump to behavior

                Hooking and other Techniques for Hiding and Protection

                barindex
                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeFile opened: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exe\:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: Transferencia - BBVA 20250312.pdf(45KB).com.exe PID: 7416, type: MEMORYSTR
                Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: 25A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: 2830000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: 2730000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: 7D50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: 8D50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: 8F20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: 9F20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: A2B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: B2B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2550000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2750000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 4750000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 495Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 9339Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exe TID: 7536Thread sleep time: -67000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exe TID: 7556Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exe TID: 7620Thread sleep time: -67000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exe TID: 7440Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1020Thread sleep time: -15679732462653109s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5880Thread sleep count: 495 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5880Thread sleep count: 9339 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, 00000001.00000002.1627114005.0000000005000000.00000004.08000000.00040000.00000000.sdmp, Transferencia - BBVA 20250312.pdf(45KB).com.exe, 00000001.00000002.1626181440.0000000003899000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTray
                Source: Transferencia - BBVA 20250312.pdf(45KB).com.exe, 00000001.00000002.1626181440.0000000003899000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
                Source: InstallUtil.exe, 00000009.00000002.3684941369.0000000000A5F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1D0000 protect: page execute and read and writeJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and writeJump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1D0000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5AJump to behavior
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1D0000Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1D2000Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1E0000Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1E2000Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3D3008Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 410000Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 412000Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 72E008Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                Source: InstallUtil.exe, 00000009.00000002.3686559501.00000000028D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
                Source: InstallUtil.exe, 00000009.00000002.3686559501.00000000028D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
                Source: InstallUtil.exe, 00000009.00000002.3686559501.00000000028D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: InstallUtil.exe, 00000009.00000002.3686559501.00000000028D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                Source: InstallUtil.exe, 00000009.00000002.3686559501.00000000028D6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert-
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeQueries volume information: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Transferencia - BBVA 20250312.pdf(45KB).com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: InstallUtil.exe, 00000009.00000002.3684941369.0000000000A0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                barindex
                Yara detected XWorm
                Source: Yara matchFile source: 3.2.InstallUtil.exe.1d0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.3686559501.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1613249448.0000000002838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Transferencia - BBVA 20250312.pdf(45KB).com.exe PID: 7416, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7624, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7960, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected XWorm
                Source: Yara matchFile source: 3.2.InstallUtil.exe.1d0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.Transferencia - BBVA 20250312.pdf(45KB).com.exe.28aa554.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.1285625116.00000000001D2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.3686559501.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1613249448.0000000002838000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Transferencia - BBVA 20250312.pdf(45KB).com.exe PID: 7416, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7624, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7960, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire Infrastructure1
                Valid Accounts                		11
                Windows Management Instrumentation                		1
                Valid Accounts                		1
                Valid Accounts                		1
                Masquerading                		OS Credential Dumping131
                Security Software Discovery                		Remote Services11
                Archive Collected Data                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job2
                Registry Run Keys / Startup Folder                		1
                Access Token Manipulation                		1
                Valid Accounts                		LSASS Memory2
                Process Discovery                		Remote Desktop ProtocolData from Removable Media1
                Non-Standard Port                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt1
                DLL Side-Loading                		312
                Process Injection                		1
                Access Token Manipulation                		Security Account Manager141
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive1
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook2
                Registry Run Keys / Startup Folder                		1
                Disable or Modify Tools                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture11
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
                DLL Side-Loading                		141
                Virtualization/Sandbox Evasion                		LSA Secrets1
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts312
                Process Injection                		Cached Domain Credentials13
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Deobfuscate/Decode Files or Information                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                Hidden Files and Directories                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt2
                Obfuscated Files or Information                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron22
                Software Packing                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                DLL Side-Loading                		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.