
Analysis Report 22Wire Transfer.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 167263
Start date: 25.08.2019
Start time: 18:41:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 50s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 22Wire Transfer.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 29.9% (good quality ratio 27.7%)
  • Quality average: 71.6%
  • Quality standard deviation: 28.9%
HCA Information:
  • Successful, ratio: 78%
  • Number of executed functions: 194
  • Number of non-executed functions: 103
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Threat      | Detection
Threshold | 100   | 0 - 100 |           | false       | Agent Tesla | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Management Instrumentation 111 | Winlogon Helper DLL | Process Injection 11 | Software Packing 31 | Credential Dumping 2 | System Time Discovery 1 | Application Deployment Software | Input Capture 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1
Replication Through Removable Media | Execution through API 1 | Port Monitors | Accessibility Features | Disabling Security Tools 1 | Input Capture 1 | Query Registry 1 | Remote Services | Data from Local System 2 | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection 11 | Credentials in Registry 1 | Process Discovery 2 | Windows Remote Management | Clipboard Data 1 | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Deobfuscate/Decode Files or Information 1 | Credentials in Files 1 | Application Window Discovery 11 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information 3 | Account Manipulation | Security Software Discovery 331 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | DLL Side-Loading 1 | Brute Force | File and Directory Discovery 2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | System Information Discovery 126 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port

(The digits following a technique name are the report's per-technique signature-count badges; techniques without digits had no matching signature.)

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for sample
  • Source: 22Wire Transfer.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  • Source: 2.2.22Wire Transfer.exe.2260000.3.unpack; Avira: Label: TR/Dropper.Gen
  • Source: 0.2.22Wire Transfer.exe.23f0000.2.unpack; Avira: Label: TR/Dropper.Gen
  • Source: 2.2.22Wire Transfer.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
  • Source: 0.2.22Wire Transfer.exe.2a10000.3.unpack; Avira: Label: TR/Dropper.Gen
  • Source: 2.2.22Wire Transfer.exe.2200000.2.unpack; Avira: Label: TR/Dropper.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function: 0_2_00408FF8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function 0_2_004AC1EC: 4x nop then lea edx, dword ptr [ebp-0Ch]
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function 0_2_004AC1EC: 4x nop then mov eax, dword ptr [ebp-1Ch]
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function 0_2_004AC1EC: 4x nop then cmp ebx, 0Bh
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function 0_2_004AC1EC: 4x nop then mov eax, ecx
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function 0_2_004AC1EC: 4x nop then mov eax, dword ptr [ebp-10h]
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function 0_2_004AC368: 4x nop then mov ebx, 00055A10h
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function 0_2_004AC194: 4x nop then mov eax, ecx
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function 0_2_004AC194: 4x nop then mov byte ptr [eax], dl
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function 0_2_004AC194: 4x nop then pop esi

Networking:

Found strings which match to known social media urls
  • Source: 22Wire Transfer.exe, 00000002.00000002.994211751.00000000029E0000.00000004.00000001.sdmp; String found in binary or memory: 'qGFMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
  • Source: 22Wire Transfer.exe, 00000002.00000002.994211751.00000000029E0000.00000004.00000001.sdmp; String found in binary or memory: 'qGFMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 3654AN equals www.hotmail.com (Hotmail)
  • Source: 22Wire Transfer.exe, 00000002.00000002.990040597.000000000070F000.00000004.00000020.sdmp; String found in binary or memory: GMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Offic equals www.hotmail.com (Hotmail)
  • Source: 22Wire Transfer.exe, 00000002.00000002.990040597.000000000070F000.00000004.00000020.sdmp; String found in binary or memory: GMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
  • Source: 22Wire Transfer.exe, 00000002.00000002.990040597.000000000070F000.00000004.00000020.sdmp; String found in binary or memory: MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 3656'6 equals www.hotmail.com (Hotmail)
  • Source: 22Wire Transfer.exe, 00000002.00000002.990040597.000000000070F000.00000004.00000020.sdmp; String found in binary or memory: n Hotmail, Outlook Login, Windows Live, Office 365u(q equals www.hotmail.com (Hotmail)
Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function: 0_2_004283F0 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Creates a DirectInput object (often for capturing keystrokes)
  • Source: 22Wire Transfer.exe, 00000000.00000002.625489141.00000000007E0000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Yara detected Agent Tesla Trojan
  • Source: Yara match; File source: 00000002.00000002.994211751.00000000029E0000.00000004.00000001.sdmp, type: MEMORY
Contains functionality to call native functions
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function: 0_2_0045B9D0 NtdllDefWindowProc_A
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function: 0_2_0045C14C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function: 0_2_0045C1FC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function: 0_2_004342D0 NtdllDefWindowProc_A
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function: 0_2_004505A0 GetSubMenu,SaveDC,RestoreDC,72F9B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function: 0_2_004408B4 NtdllDefWindowProc_A,GetCapture
Detected potential crypto function
Found potential string decryption / allocating functions
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function: String function: 004045A0 appears 53 times
PE file contains strange resources
  • Source: 22Wire Transfer.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
  • Source: 22Wire Transfer.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name gathered from version info
  • Source: 22Wire Transfer.exe, 00000000.00000002.629919291.0000000002A6B000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameIELibrary.dll4 vs 22Wire Transfer.exe
  • Source: 22Wire Transfer.exe, 00000000.00000002.629919291.0000000002A6B000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameZMLVQPVNIBYRXFALABVOWHODGKMROPZCYWMYLTNR_20190808160518933.exe4 vs 22Wire Transfer.exe
  • Source: 22Wire Transfer.exe, 00000000.00000002.625468438.00000000007D0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameuser32j% vs 22Wire Transfer.exe
  • Source: 22Wire Transfer.exe; Binary or memory string: OriginalFilename vs 22Wire Transfer.exe
  • Source: 22Wire Transfer.exe, 00000002.00000002.989175167.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameIELibrary.dll4 vs 22Wire Transfer.exe
  • Source: 22Wire Transfer.exe, 00000002.00000002.996035927.0000000005620000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewshom.ocx vs 22Wire Transfer.exe
  • Source: 22Wire Transfer.exe, 00000002.00000002.994947375.0000000004C20000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs 22Wire Transfer.exe
  • Source: 22Wire Transfer.exe, 00000002.00000002.989436013.00000000004BD000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameZMLVQPVNIBYRXFALABVOWHODGKMROPZCYWMYLTNR_20190808160518933.exe4 vs 22Wire Transfer.exe
  • Source: 22Wire Transfer.exe, 00000002.00000002.990003132.00000000006F2000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenamemscorwks.dllT vs 22Wire Transfer.exe
  • Source: 22Wire Transfer.exe, 00000002.00000002.996075457.0000000005640000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewshom.ocx.mui vs 22Wire Transfer.exe
  • Source: 22Wire Transfer.exe, 00000002.00000002.995106885.0000000004EE0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 22Wire Transfer.exe
Tries to load missing DLLs
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Section loaded: wow64log.dll
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Section loaded: wow64log.dll
Classification label
  • Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@3/0@0/0
Contains functionality to check free disk space
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function: 0_2_00409170 GetDiskFreeSpaceA
Contains functionality to load and extract PE file embedded resources
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Code function: 0_2_0040E054 FreeResource
Parts of this application are using Borland Delphi (probably coded in Delphi)
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Parts of this application are using the .NET runtime (probably coded in C#)
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Reads ini files
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
  • Source: unknown; Process created: C:\Users\user\Desktop\22Wire Transfer.exe 'C:\Users\user\Desktop\22Wire Transfer.exe'
  • Source: unknown; Process created: C:\Users\user\Desktop\22Wire Transfer.exe 'C:\Users\user\Desktop\22Wire Transfer.exe'
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Process created: C:\Users\user\Desktop\22Wire Transfer.exe 'C:\Users\user\Desktop\22Wire Transfer.exe'
Uses an in-process (OLE) Automation server
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Uses Microsoft Silverlight
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Submission file is bigger than most known malware samples
  • Source: 22Wire Transfer.exe; Static file information: File size 1119234 > 1048576
Uses new MSVCR Dlls
  • Source: C:\Users\user\Desktop\22Wire Transfer.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Binary contains paths to debug symbols
  • Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: 22Wire Transfer.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Unpacked PE file: 2.2.22Wire Transfer.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Unpacked PE file: 2.2.22Wire Transfer.exe.2200000.2.unpack
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Unpacked PE file: 2.2.22Wire Transfer.exe.2260000.3.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Unpacked PE file: 2.2.22Wire Transfer.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0047EC80 RtlEnterCriticalSection,RegQueryValueA,LoadLibraryA,GetProcAddress,RtlLeaveCriticalSection,0_2_0047EC80
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_004AC1EC push 004AC32Eh; ret 0_2_004AC326
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_004AC368 push 004AC4E8h; ret 0_2_004AC4E0
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00447D00 push 00447D8Dh; ret 0_2_00447D85
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00436144 push 0043617Ch; ret 0_2_00436174
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0048E154 push 0048E187h; ret 0_2_0048E17F
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_004361D8 push 00436204h; ret 0_2_004361FC
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0042C1F0 push 0042C21Ch; ret 0_2_0042C214
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0040E1FC push ecx; mov dword ptr [esp], edx 0_2_0040E201
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0048E1B4 push 0048E1E0h; ret 0_2_0048E1D8
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0048E26C push 0048E2AFh; ret 0_2_0048E2A7
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0048E204 push 0048E247h; ret 0_2_0048E23F
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0048E2D0 push 0048E31Ch; ret 0_2_0048E314
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_004A02A4 push ecx; mov dword ptr [esp], edx 0_2_004A02A9
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00474344 push ecx; mov dword ptr [esp], edx 0_2_00474345
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00436340 push 0043636Ch; ret 0_2_00436364
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00480354 push 00480380h; ret 0_2_00480378
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0048E328 push 0048E354h; ret 0_2_0048E34C
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_004AC338 push 004AC364h; ret 0_2_004AC35C
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_004AC4EC push 004AC512h; ret 0_2_004AC50A
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_004A65E0 push ecx; ret 0_2_004A660F
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0042265C push 00422702h; ret 0_2_004226FA
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_004A6610 push ecx; ret 0_2_004A6624
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0045E6C8 push 0045E6F4h; ret 0_2_0045E6EC
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0048C744 push ecx; mov dword ptr [esp], ecx 0_2_0048C749
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00464714 push 0046474Ch; ret 0_2_00464744
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0045E738 push 0045E764h; ret 0_2_0045E75C
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_004A47EC push 004A482Eh; ret 0_2_004A4826
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00464794 push 004647C0h; ret 0_2_004647B8
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00414870 push ecx; mov dword ptr [esp], ecx 0_2_00414872
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0040E8F0 push 0040ED3Ch; ret 0_2_0040ED34
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0042C970 push 0042C99Ch; ret 0_2_0042C994

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0045BA58 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_0045BA58
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0045C14C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0045C14C
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0045C1FC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0045C1FC
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0042C428 IsIconic,GetWindowPlacement,GetWindowRect,0_2_0042C428
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00442830 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_00442830
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00458B4C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_00458B4C
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00443114 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_00443114
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: GetTickCount,GetCursorPos,GetKeyboardType,GetCursorPos,Sleep,GetTickCount,GetTickCount,GetVersion,ExitProcess,0_2_004AC1EC
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,0_2_0045B02C
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00436EB0 0_2_00436EB0
Found API chain indicative of sandbox detection
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Sandbox detection routine: GetCursorPos, DecisionNode, Sleep graph_0-36926
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Stalling execution: Execution stalls by calling Sleep graph_0-36928
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Thread delayed: delay time: 922337203685477
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\22Wire Transfer.exe | API coverage: 7.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\22Wire Transfer.exe TID: 4980 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\22Wire Transfer.exe TID: 4104 | Thread sleep count: 84 > 30
Source: C:\Users\user\Desktop\22Wire Transfer.exe TID: 4104 | Thread sleep time: -42000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_00408FF8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408FF8
Contains functionality to query system information
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0042604C GetSystemInfo,0_2_0042604C
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 22Wire Transfer.exe, 00000002.00000002.995106885.0000000004EE0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 22Wire Transfer.exe, 00000002.00000002.995106885.0000000004EE0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 22Wire Transfer.exe, 00000002.00000002.995106885.0000000004EE0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 22Wire Transfer.exe, 00000002.00000002.995106885.0000000004EE0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\Desktop\22Wire Transfer.exe | API call chain: ExitProcess graph end node graph_0-36933
Queries a list of all running processes
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\22Wire Transfer.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Process queried: DebugFlags
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Process queried: DebugObjectHandle
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0047EC80 RtlEnterCriticalSection,RegQueryValueA,LoadLibraryA,GetProcAddress,RtlLeaveCriticalSection,0_2_0047EC80
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 2_2_00461412 mov eax, dword ptr fs:[00000030h] 2_2_00461412
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 2_2_004614D0 mov eax, dword ptr fs:[00000030h] 2_2_004614D0
Enables debug privileges
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Section loaded: unknown target pid: 4668 protection: execute and read and write
May try to detect the Windows Explorer process (often used for injection)
Source: 22Wire Transfer.exe, 00000002.00000002.990882680.0000000000D60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 22Wire Transfer.exe, 00000002.00000002.990882680.0000000000D60000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: 22Wire Transfer.exe, 00000002.00000002.990882680.0000000000D60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: 22Wire Transfer.exe, 00000002.00000002.990882680.0000000000D60000.00000002.00000001.sdmp | Binary or memory string: Program Manager>

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_004060AC
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: GetLocaleInfoA,0_2_0040C1FC
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: GetLocaleInfoA,0_2_0040C1B0
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_004061B8
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_0040AAF0 GetLocalTime,0_2_0040AAF0
Contains functionality to query windows version
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Code function: 0_2_004AC1EC GetTickCount,GetCursorPos,GetKeyboardType,GetCursorPos,Sleep,GetTickCount,GetTickCount,GetVersion,ExitProcess,0_2_004AC1EC
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\22Wire Transfer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\22Wire Transfer.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\22Wire Transfer.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\22Wire Transfer.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\22Wire Transfer.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Behavior Graph

Behavior Graph ID: 167263
Sample: 22Wire Transfer.exe
Start date: 25/08/2019
Architecture: WINDOWS
Score: 100

Root node signatures: Antivirus or Machine Learning detection for sample; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 7 other signatures
Process: 22Wire Transfer.exe (started); signature: Maps a DLL or memory area into another process
Child process: 22Wire Transfer.exe (16, started); signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Simulations

Behavior and APIs

Time | Type | Description
18:42:50 | API Interceptor | 3x Sleep call for process: 22Wire Transfer.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
22Wire Transfer.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.22Wire Transfer.exe.2260000.3.unpack | 100% | Avira | TR/Dropper.Gen
0.2.22Wire Transfer.exe.23f0000.2.unpack | 100% | Avira | TR/Dropper.Gen
2.2.22Wire Transfer.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
0.2.22Wire Transfer.exe.2a10000.3.unpack | 100% | Avira | TR/Dropper.Gen
2.1.22Wire Transfer.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.22Wire Transfer.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1023602
2.2.22Wire Transfer.exe.2200000.2.unpack | 100% | Avira | TR/Dropper.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.994211751.00000000029E0000.00000004.00000001.sdmp | JoeSecurity_Agenttesla_Smtp_Variant | Yara detected Agent Tesla Trojan | Joe Security |

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.