Edit tour

Windows Analysis Report
25EAU0258.pdf.bat.exe

Overview

General Information

Sample name:	25EAU0258.pdf.bat.exe
Analysis ID:	1665113
MD5:	186e06705824ad5a4f9e0724a398ced0
SHA1:	d15108eea877b8e0388349480af313ce8a2b6d51
SHA256:	73600e6b54e580004dca78e52645866240684408bf5cd85cfee002c4eb67b948
Tags:	exeRedLineStealeruser-threatcat_ch
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

25EAU0258.pdf.bat.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\25EAU0258.pdf.bat.exe" MD5: 186E06705824AD5A4F9E0724A398CED0)

RegSvcs.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\25EAU0258.pdf.bat.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.3795830716.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3effb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f06d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f189:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f265:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f38b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39135:$s2: GetPrivateProfileString 0x3c3a7:$s3: get_OSFullName 0x39742:$s5: remove_Key 0x39762:$s5: remove_Key 0x3c816:$s6: FtpWebRequest 0x3efdd:$s7: logins 0x3f54f:$s7: logins 0x42232:$s7: logins 0x42312:$s7: logins 0x452ce:$s7: logins 0x42eac:$s9: 1.85 (Hash, version 2, native byte-order)
00000000.00000002.1359634819.00000000038F0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BA 88 44 24 2B 88 44 24 2F B0 90 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000001.00000002.3794407394.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BA 88 44 24 2B 88 44 24 2F B0 90 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000001.00000002.3797407682.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3797407682.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.3797407682.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fee3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3ff55:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ffdf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40071:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x400db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4014d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x401e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40273:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a01d:$s2: GetPrivateProfileString 0x3d28f:$s3: get_OSFullName 0x3a62a:$s5: remove_Key 0x3a64a:$s5: remove_Key 0x3d6fe:$s6: FtpWebRequest 0x3fec5:$s7: logins 0x40437:$s7: logins 0x4311a:$s7: logins 0x431fa:$s7: logins 0x461b6:$s7: logins 0x43d94:$s9: 1.85 (Hash, version 2, native byte-order)
00000001.00000002.3795592744.00000000029FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3795592744.00000000029FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.3795592744.00000000029FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.3795830716.0000000002E24000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3795830716.0000000002E24000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7548	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7548	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BA 88 44 24 2B 88 44 24 2F B0 90 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BA 88 44 24 2B 88 44 24 2F B0 90 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
1.2.RegSvcs.exe.5280ee8.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.5280ee8.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.5280ee8.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.5280ee8.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d1fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d26d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d2f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d389:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d3f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d465:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d4fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d58b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.5280ee8.6.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x37335:$s2: GetPrivateProfileString 0x3a5a7:$s3: get_OSFullName 0x37942:$s5: remove_Key 0x37962:$s5: remove_Key 0x3aa16:$s6: FtpWebRequest 0x3d1dd:$s7: logins 0x3d74f:$s7: logins 0x40432:$s7: logins 0x40512:$s7: logins 0x434ce:$s7: logins 0x410ac:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.5280000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.5280000.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.5280000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.5280000.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e0e3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e155:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e1df:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e271:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e2db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e34d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e3e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e473:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.5280000.7.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3821d:$s2: GetPrivateProfileString 0x3b48f:$s3: get_OSFullName 0x3882a:$s5: remove_Key 0x3884a:$s5: remove_Key 0x3b8fe:$s6: FtpWebRequest 0x3e0c5:$s7: logins 0x3e637:$s7: logins 0x4131a:$s7: logins 0x413fa:$s7: logins 0x443b6:$s7: logins 0x41f94:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fee3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3ff55:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ffdf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40071:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x400db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4014d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x401e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40273:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a01d:$s2: GetPrivateProfileString 0x3d28f:$s3: get_OSFullName 0x3a62a:$s5: remove_Key 0x3a64a:$s5: remove_Key 0x3d6fe:$s6: FtpWebRequest 0x3fec5:$s7: logins 0x40437:$s7: logins 0x4311a:$s7: logins 0x431fa:$s7: logins 0x461b6:$s7: logins 0x43d94:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.3e22b90.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3e22b90.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3e22b90.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3e22b90.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d1fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d26d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d2f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d389:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d3f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d465:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d4fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d58b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3e22b90.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x37335:$s2: GetPrivateProfileString 0x3a5a7:$s3: get_OSFullName 0x37942:$s5: remove_Key 0x37962:$s5: remove_Key 0x3aa16:$s6: FtpWebRequest 0x3d1dd:$s7: logins 0x3d74f:$s7: logins 0x40432:$s7: logins 0x40512:$s7: logins 0x434ce:$s7: logins 0x410ac:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.5310000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.5310000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.5310000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.5310000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3effb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f06d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f189:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f265:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f38b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.5310000.8.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39135:$s2: GetPrivateProfileString 0x3c3a7:$s3: get_OSFullName 0x39742:$s5: remove_Key 0x39762:$s5: remove_Key 0x3c816:$s6: FtpWebRequest 0x3efdd:$s7: logins 0x3f54f:$s7: logins 0x42232:$s7: logins 0x42312:$s7: logins 0x452ce:$s7: logins 0x42eac:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.3dd6458.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3dd6458.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3dd6458.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3dd6458.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d1fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d26d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d2f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d389:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d3f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d465:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d4fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d58b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3dd6458.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x37335:$s2: GetPrivateProfileString 0x3a5a7:$s3: get_OSFullName 0x37942:$s5: remove_Key 0x37962:$s5: remove_Key 0x3aa16:$s6: FtpWebRequest 0x3d1dd:$s7: logins 0x3d74f:$s7: logins 0x40432:$s7: logins 0x40512:$s7: logins 0x434ce:$s7: logins 0x410ac:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.5310000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.5310000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.5310000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.5310000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d1fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d26d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d2f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d389:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d3f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d465:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d4fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d58b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.5310000.8.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x37335:$s2: GetPrivateProfileString 0x3a5a7:$s3: get_OSFullName 0x37942:$s5: remove_Key 0x37962:$s5: remove_Key 0x3aa16:$s6: FtpWebRequest 0x3d1dd:$s7: logins 0x3d74f:$s7: logins 0x40432:$s7: logins 0x40512:$s7: logins 0x434ce:$s7: logins 0x410ac:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.3e22b90.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3e22b90.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3e22b90.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3e22b90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3effb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f06d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f189:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f265:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f38b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3e22b90.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39135:$s2: GetPrivateProfileString 0x3c3a7:$s3: get_OSFullName 0x39742:$s5: remove_Key 0x39762:$s5: remove_Key 0x3c816:$s6: FtpWebRequest 0x3efdd:$s7: logins 0x3f54f:$s7: logins 0x42232:$s7: logins 0x42312:$s7: logins 0x452ce:$s7: logins 0x42eac:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.2a3ed6e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.2a3ed6e.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2a3ed6e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2a3ed6e.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e0e3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e155:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e1df:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e271:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e2db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e34d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e3e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e473:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.2a3ed6e.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3821d:$s2: GetPrivateProfileString 0x3b48f:$s3: get_OSFullName 0x3882a:$s5: remove_Key 0x3884a:$s5: remove_Key 0x3b8fe:$s6: FtpWebRequest 0x3e0c5:$s7: logins 0x3e637:$s7: logins 0x4131a:$s7: logins 0x413fa:$s7: logins 0x443b6:$s7: logins 0x41f94:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.2a3fc56.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.2a3fc56.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2a3fc56.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2a3fc56.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d1fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d26d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d2f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d389:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d3f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d465:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d4fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d58b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.2a3fc56.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x37335:$s2: GetPrivateProfileString 0x3a5a7:$s3: get_OSFullName 0x37942:$s5: remove_Key 0x37962:$s5: remove_Key 0x3aa16:$s6: FtpWebRequest 0x3d1dd:$s7: logins 0x3d74f:$s7: logins 0x40432:$s7: logins 0x40512:$s7: logins 0x434ce:$s7: logins 0x410ac:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.2a3fc56.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.2a3fc56.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2a3fc56.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2a3fc56.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3effb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f06d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f189:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f265:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f38b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.2a3fc56.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39135:$s2: GetPrivateProfileString 0x3c3a7:$s3: get_OSFullName 0x39742:$s5: remove_Key 0x39762:$s5: remove_Key 0x3c816:$s6: FtpWebRequest 0x3efdd:$s7: logins 0x3f54f:$s7: logins 0x42232:$s7: logins 0x42312:$s7: logins 0x452ce:$s7: logins 0x42eac:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.3dd5570.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3dd5570.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3dd5570.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3dd5570.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e0e3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e155:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e1df:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e271:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e2db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e34d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e3e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e473:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3dd5570.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3821d:$s2: GetPrivateProfileString 0x3b48f:$s3: get_OSFullName 0x3882a:$s5: remove_Key 0x3884a:$s5: remove_Key 0x3b8fe:$s6: FtpWebRequest 0x3e0c5:$s7: logins 0x3e637:$s7: logins 0x4131a:$s7: logins 0x413fa:$s7: logins 0x443b6:$s7: logins 0x41f94:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.25EAU0258.pdf.bat.exe.38f0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BA 88 44 24 2B 88 44 24 2F B0 90 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.2.RegSvcs.exe.5280000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.5280000.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.5280000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.5280000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fee3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3ff55:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ffdf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40071:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x400db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4014d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x401e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40273:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.5280000.7.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a01d:$s2: GetPrivateProfileString 0x3d28f:$s3: get_OSFullName 0x3a62a:$s5: remove_Key 0x3a64a:$s5: remove_Key 0x3d6fe:$s6: FtpWebRequest 0x3fec5:$s7: logins 0x40437:$s7: logins 0x4311a:$s7: logins 0x431fa:$s7: logins 0x461b6:$s7: logins 0x43d94:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.5280ee8.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.5280ee8.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.5280ee8.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.5280ee8.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3effb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f06d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f189:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f265:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f38b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.5280ee8.6.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39135:$s2: GetPrivateProfileString 0x3c3a7:$s3: get_OSFullName 0x39742:$s5: remove_Key 0x39762:$s5: remove_Key 0x3c816:$s6: FtpWebRequest 0x3efdd:$s7: logins 0x3f54f:$s7: logins 0x42232:$s7: logins 0x42312:$s7: logins 0x452ce:$s7: logins 0x42eac:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.3dd6458.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3dd6458.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3dd6458.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3dd6458.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3effb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8b733:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f06d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8b7a5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f0f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8b82f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f189:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8b8c1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f1f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8b92b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f265:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8b99d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f2fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8ba33:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f38b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8bac3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3dd6458.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x39135:$s2: GetPrivateProfileString 0x8586d:$s2: GetPrivateProfileString 0x3c3a7:$s3: get_OSFullName 0x88adf:$s3: get_OSFullName 0x39742:$s5: remove_Key 0x39762:$s5: remove_Key 0x85e7a:$s5: remove_Key 0x85e9a:$s5: remove_Key 0x3c816:$s6: FtpWebRequest 0x88f4e:$s6: FtpWebRequest 0x3efdd:$s7: logins 0x3f54f:$s7: logins 0x42232:$s7: logins 0x42312:$s7: logins 0x452ce:$s7: logins 0x8b715:$s7: logins 0x8bc87:$s7: logins 0x8e96a:$s7: logins 0x8ea4a:$s7: logins 0x91a06:$s7: logins 0x42eac:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.3dd5570.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3dd5570.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3dd5570.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3dd5570.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3fee3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8c61b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3ff55:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8c68d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3ffdf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8c717:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40071:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8c7a9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x400db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8c813:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4014d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8c885:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x401e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8c91b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40273:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8c9ab:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3dd5570.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3a01d:$s2: GetPrivateProfileString 0x86755:$s2: GetPrivateProfileString 0x3d28f:$s3: get_OSFullName 0x899c7:$s3: get_OSFullName 0x3a62a:$s5: remove_Key 0x3a64a:$s5: remove_Key 0x86d62:$s5: remove_Key 0x86d82:$s5: remove_Key 0x3d6fe:$s6: FtpWebRequest 0x89e36:$s6: FtpWebRequest 0x3fec5:$s7: logins 0x40437:$s7: logins 0x4311a:$s7: logins 0x431fa:$s7: logins 0x461b6:$s7: logins 0x8c5fd:$s7: logins 0x8cb6f:$s7: logins 0x8f852:$s7: logins 0x8f932:$s7: logins 0x928ee:$s7: logins 0x43d94:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 78 entries

FTP traffic detected: 50.87.144.157:21 -> 192.168.2.5:49692 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed.220-Local time is now 01:31. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed.220-Local time is now 01:31. Server port: 21.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_001922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_001922EE

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: c.pki.goog
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: beirutrest.com

Source: RegSvcs.exe, 00000001.00000002.3795830716.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://beirutrest.com
Source: RegSvcs.exe, 00000001.00000002.3795830716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.3797407682.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3795592744.00000000029FE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000001.00000002.3797407682.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3795592744.00000000029FE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3795830716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000001.00000002.3795830716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000001.00000002.3795830716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49691 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, n00.cs

.Net Code: lGCzgIzdr

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00194164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00194164

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00194164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00194164

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00193F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00193F66

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_0018001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0018001C

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_001ACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001ACABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.RegSvcs.exe.5280ee8.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.5280ee8.6.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.5280000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.5280000.7.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.3e22b90.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3e22b90.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.3dd6458.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3dd6458.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.5310000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.5310000.8.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.2a3ed6e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.2a3ed6e.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.2a3fc56.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.2a3fc56.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.2a3fc56.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.2a3fc56.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.3dd5570.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3dd5570.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.25EAU0258.pdf.bat.exe.38f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.RegSvcs.exe.5280000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.5280000.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.5280ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.5280ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.3dd6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3dd6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.3dd5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3dd5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1359634819.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000002.3794407394.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00123B3A
Source: 25EAU0258.pdf.bat.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 25EAU0258.pdf.bat.exe, 00000000.00000002.1356466843.00000000001D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b2a53e47-3
Source: 25EAU0258.pdf.bat.exe, 00000000.00000002.1356466843.00000000001D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_58b88c8a-d
Source: 25EAU0258.pdf.bat.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e36594aa-d
Source: 25EAU0258.pdf.bat.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6c2849c1-d

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 25EAU0258.pdf.bat.exe

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_0018A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0018A1EF

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00178310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00178310

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_001851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001851BD

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0012E6A0	0_2_0012E6A0
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0014D975	0_2_0014D975
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0012FCE0	0_2_0012FCE0
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001421C5	0_2_001421C5
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001562D2	0_2_001562D2
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001A03DA	0_2_001A03DA
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0015242E	0_2_0015242E
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001425FA	0_2_001425FA
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0017E616	0_2_0017E616
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001366E1	0_2_001366E1
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0015878F	0_2_0015878F
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00138808	0_2_00138808
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001A0857	0_2_001A0857
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00156844	0_2_00156844
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00188889	0_2_00188889
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0014CB21	0_2_0014CB21
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00156DB6	0_2_00156DB6
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00136F9E	0_2_00136F9E
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00133030	0_2_00133030
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00143187	0_2_00143187
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0014F1D9	0_2_0014F1D9
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00121287	0_2_00121287
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00141484	0_2_00141484
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00135520	0_2_00135520
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00147696	0_2_00147696
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00135760	0_2_00135760
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00141978	0_2_00141978
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00159AB5	0_2_00159AB5
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00141D90	0_2_00141D90
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0014BDA6	0_2_0014BDA6
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001A7DDB	0_2_001A7DDB
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0012DF00	0_2_0012DF00
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00133FE0	0_2_00133FE0
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_01272490	0_2_01272490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00408C60	1_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040DC11	1_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00407C3F	1_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418CCC	1_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00406CA0	1_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004028B0	1_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041A4BE	1_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418244	1_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00401650	1_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00402F20	1_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004193C4	1_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418788	1_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00402F89	1_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00402B90	1_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004073A0	1_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_027CCB68	1_2_027CCB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_027CD780	1_2_027CD780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_027CCEB0	1_2_027CCEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_027C1030	1_2_027C1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0619C780	1_2_0619C780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0619EA58	1_2_0619EA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06199318	1_2_06199318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06190007	1_2_06190007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06190040	1_2_06190040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0619F19B	1_2_0619F19B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_065B5222	1_2_065B5222
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_065B0040	1_2_065B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_065BA0D8	1_2_065BA0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_065B61A8	1_2_065B61A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_065B1130	1_2_065B1130

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: String function: 00127DE1 appears 35 times
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: String function: 00148900 appears 42 times
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: String function: 00140AE3 appears 70 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times

Source: 25EAU0258.pdf.bat.exe, 00000000.00000003.1350110608.000000000411D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 25EAU0258.pdf.bat.exe
Source: 25EAU0258.pdf.bat.exe, 00000000.00000003.1351677618.0000000003F73000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 25EAU0258.pdf.bat.exe
Source: 25EAU0258.pdf.bat.exe, 00000000.00000002.1359634819.00000000038F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs 25EAU0258.pdf.bat.exe

Source: 25EAU0258.pdf.bat.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.RegSvcs.exe.5280ee8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.5280ee8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.5280000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.5280000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.3e22b90.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3e22b90.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.3dd6458.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3dd6458.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.5310000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.5310000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.2a3ed6e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.2a3ed6e.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.2a3fc56.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.2a3fc56.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.2a3fc56.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.2a3fc56.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.3dd5570.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3dd5570.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.25EAU0258.pdf.bat.exe.38f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.RegSvcs.exe.5280000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.5280000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.5280ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.5280ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.3dd6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3dd6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.3dd5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3dd5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1359634819.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000002.3794407394.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, gyfrCFT5x9I.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, fpnV0Qjz.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/2

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_0018A06A GetLastError,FormatMessageW,

0_2_0018A06A

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001781CB AdjustTokenPrivileges,CloseHandle,		0_2_001781CB
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001787E1

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_0018B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0018B333

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_0019EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0019EE0D

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_0018C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0018C397

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00124E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00124E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

File created: C:\Users\user\AppData\Local\Temp\aut399C.tmp

Jump to behavior

Source: 25EAU0258.pdf.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 25EAU0258.pdf.bat.exe	ReversingLabs: Detection: 25%
Source: 25EAU0258.pdf.bat.exe	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe "C:\Users\user\Desktop\25EAU0258.pdf.bat.exe"
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\25EAU0258.pdf.bat.exe"
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\25EAU0258.pdf.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 25EAU0258.pdf.bat.exe

Static file information: File size 1170432 > 1048576

Source: 25EAU0258.pdf.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 25EAU0258.pdf.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 25EAU0258.pdf.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 25EAU0258.pdf.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 25EAU0258.pdf.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 25EAU0258.pdf.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 25EAU0258.pdf.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000001.00000002.3797407682.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3795592744.00000000029FE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 25EAU0258.pdf.bat.exe, 00000000.00000003.1347636100.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 25EAU0258.pdf.bat.exe, 00000000.00000003.1353877479.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 25EAU0258.pdf.bat.exe, 00000000.00000003.1347636100.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, 25EAU0258.pdf.bat.exe, 00000000.00000003.1353877479.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp

Source: 25EAU0258.pdf.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 25EAU0258.pdf.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 25EAU0258.pdf.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 25EAU0258.pdf.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 25EAU0258.pdf.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.RegSvcs.exe.2a3fc56.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.RegSvcs.exe.3dd6458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.RegSvcs.exe.5280ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 1.2.RegSvcs.exe.5280000.7.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 1.2.RegSvcs.exe.3dd5570.5.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00124B37 LoadLibraryA,GetProcAddress,

0_2_00124B37

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00148945 push ecx; ret	0_2_00148958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C40C push cs; iretd	1_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00423149 push eax; ret	1_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C50E push cs; iretd	1_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004231C8 push eax; ret	1_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040E21D push ecx; ret	1_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C6BE push ebx; ret	1_2_0041C6BF

Source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'G8pT3SrD47iNL', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'G8pT3SrD47iNL', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 1.2.RegSvcs.exe.2a3fc56.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'G8pT3SrD47iNL', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 1.2.RegSvcs.exe.3dd6458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'G8pT3SrD47iNL', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 1.2.RegSvcs.exe.5280ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'G8pT3SrD47iNL', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.bat

Static PE information: 25EAU0258.pdf.bat.exe

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001248D7
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001A5376

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00143187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00143187

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

API/Special instruction interceptor: Address: 12720B4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

1_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599542	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598873	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598762	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596295	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596117	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595955	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594297	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7455			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2397			Jump to behavior

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

API coverage: 4.9 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0018445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0018445A
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0018C6D1 FindFirstFileW,FindClose,	0_2_0018C6D1
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0018C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0018C75C
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0018EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0018EF95
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0018F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0018F0F2
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0018F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0018F3F3
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_001837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001837EF
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00183B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00183B12
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0018BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0018BCBC

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_001249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001249A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599542	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598873	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598762	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596295	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596117	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595955	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594297	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.3798560119.0000000005602000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	API call chain: ExitProcess graph end node			graph_0-101272
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00193F09 BlockInput,

0_2_00193F09

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00123B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00123B3A

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00155A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00155A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

1_2_004019F0

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00124B37 LoadLibraryA,GetProcAddress,

0_2_00124B37

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_01272320 mov eax, dword ptr fs:[00000030h]	0_2_01272320
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_01272380 mov eax, dword ptr fs:[00000030h]	0_2_01272380
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_01270CF0 mov eax, dword ptr fs:[00000030h]	0_2_01270CF0

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_001780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_001780A9

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0014A124 SetUnhandledExceptionFilter,	0_2_0014A124
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_0014A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0014A155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004123F1 SetUnhandledExceptionFilter,	1_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 851008

Jump to behavior

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_001787B1 LogonUserW,

0_2_001787B1

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00123B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00123B3A

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_001248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_001248D7

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00184C27 mouse_event,

0_2_00184C27

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\25EAU0258.pdf.bat.exe"

Jump to behavior

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00177CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00177CAF

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_0017874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0017874B

Source: 25EAU0258.pdf.bat.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 25EAU0258.pdf.bat.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_0014862B cpuid

0_2_0014862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

1_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00154E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00154E87

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00161E06 GetUserNameW,

0_2_00161E06

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_00153F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00153F3A

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe

Code function: 0_2_001249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001249A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.2.RegSvcs.exe.5280ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3e22b90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5310000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3ed6e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3fc56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3fc56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3795830716.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3797407682.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3795592744.00000000029FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3795830716.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7548, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.RegSvcs.exe.5280ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3e22b90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5310000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3ed6e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3fc56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3fc56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3797407682.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3795592744.00000000029FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: 25EAU0258.pdf.bat.exe	Binary or memory string: WIN_81
Source: 25EAU0258.pdf.bat.exe	Binary or memory string: WIN_XP
Source: 25EAU0258.pdf.bat.exe	Binary or memory string: WIN_XPe
Source: 25EAU0258.pdf.bat.exe	Binary or memory string: WIN_VISTA
Source: 25EAU0258.pdf.bat.exe	Binary or memory string: WIN_7
Source: 25EAU0258.pdf.bat.exe	Binary or memory string: WIN_8
Source: 25EAU0258.pdf.bat.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 1.2.RegSvcs.exe.5280ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3e22b90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5310000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3ed6e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3fc56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3fc56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3797407682.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3795592744.00000000029FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3795830716.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7548, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.2.RegSvcs.exe.5280ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3e22b90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5310000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3ed6e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3fc56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3fc56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3795830716.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3797407682.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3795592744.00000000029FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3795830716.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7548, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.RegSvcs.exe.5280ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3ed6e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3e22b90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5310000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5310000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3e22b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3ed6e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3fc56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2a3fc56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5280ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3dd5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3798311890.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3797407682.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3797896216.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3795592744.00000000029FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00196283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00196283
Source: C:\Users\user\Desktop\25EAU0258.pdf.bat.exe	Code function: 0_2_00196747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00196747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	12 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	2 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	121 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 50.87.144.157 50.87.144.157

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 25EAU0258.pdf.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
25EAU0258.pdf.bat.exe