
Analysis Report 3cyvl4sj.3o3.exe

Overview

General Information

Sample Name: 3cyvl4sj.3o3.exe
MD5: 0961848121037b2a58a374d083a475da
SHA1: 276e15a8fd24cffd84abccf48434c8fa0c63895d
SHA256: 1375cfa18b2ae48fbc255fb0d6031f4c9924c4b9cf496d54c6ea198527d12484

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0AQbLAXh", "URL: ": "https://2Ptd0XaaPT7Amm.net", "To: ": "info@oxolook.com", "ByHost: ": "mail.oxolook.com:5878", "Password: ": "xIwP44", "From: ": "info@oxolook.com"}

Yara Overview

Memory Dumps

Source: 00000000.00000002.1127878174.0000000003C95000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.1127033582.0000000003A09000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.1127718705.0000000003C05000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000002.00000002.1521700111.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000002.00000002.1523810287.0000000002C90000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Unpacked PEs

Source: 2.2.3cyvl4sj.3o3.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security | Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\Desktop\3cyvl4sj.3o3.exe, ParentImage: C:\Users\user\Desktop\3cyvl4sj.3o3.exe, ParentProcessId: 1664, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 5136

Signature Overview

AV Detection:

Found malware configuration
Source: 3cyvl4sj.3o3.exe.1664.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "=0AQbLAXh", "URL: ": "https://2Ptd0XaaPT7Amm.net", "To: ": "info@oxolook.com", "ByHost: ": "mail.oxolook.com:5878", "Password: ": "xIwP44", "From: ": "info@oxolook.com"}
Multi AV Scanner detection for submitted file
Source: 3cyvl4sj.3o3.exe | Virustotal: Detection: 63%
Source: 3cyvl4sj.3o3.exe | ReversingLabs: Detection: 74%
Machine Learning detection for sample
Source: 3cyvl4sj.3o3.exe | Joe Sandbox ML: detected
Source: 2.2.3cyvl4sj.3o3.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 4x nop then inc dword ptr [ebp-14h] 0_2_010763D0

Source: global traffic | TCP traffic: 192.168.2.6:49946 -> 77.245.159.20:587
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523810287.0000000002C90000.00000004.00000001.sdmp | String found in binary or memory: :["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java-bean","application/x-java-bean;jpi-version=1.7.0_05","application/x-java-bean;version=1.1","application/x-java-bean;version=1.1.1","application/x-java-bean;version=1.1.2","application/x-java-bean;version=1.1.3","application/x-java-bean;version=1.2","application/x-java-bean;version=1.2.1","application/x-java-bean;version=1.2.2","application/x-java-bean;version=1.3","application/x-java-bean;version=1.3.1","application/x-java-bean;version=1.4","application/x-java-bean;version=1.4.1","application/x-java-bean;version=1.4.2","application/x-java-bean;version=1.5","application/
Source: unknown | DNS traffic detected: queries for: mail.oxolook.com
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523810287.0000000002C90000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523810287.0000000002C90000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1524353074.0000000002DD4000.00000004.00000001.sdmp | String found in binary or memory: http://mail.oxolook.com
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1524353074.0000000002DD4000.00000004.00000001.sdmp | String found in binary or memory: http://oxolook.com
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523810287.0000000002C90000.00000004.00000001.sdmp | String found in binary or memory: http://support.apple.com/kb/HT203092
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1524353074.0000000002DD4000.00000004.00000001.sdmp | String found in binary or memory: https://2Ptd0XaaPT7Amm.net
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523810287.0000000002C90000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523810287.0000000002C90000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523810287.0000000002C90000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523810287.0000000002C90000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 3cyvl4sj.3o3.exe | String found in binary or memory: https://www.pelock.com/api/aztec-decoder/v1

System Summary:

Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_00709330
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_010780A8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_010780B8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_0107A539
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_0107A548
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_04FD3538
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_04FD4681
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_04FD3E08
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_04FD8438
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_04FD842A
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_04FD867F
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_04FD2DF0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_04FD5EF0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_04FDB980
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_007E9330
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F208F8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F211C8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F242F6
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F205B0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F22DB0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F28520
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F27EEA
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F248E2
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F2489A
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24852
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F249D0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24988
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24940
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F22DB0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24AEA
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F23AB9
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24A5D
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24220
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24BBF
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F23B45
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24B32
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24CDF
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24C97
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24C4F
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24C07
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F23DB4
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F24D27
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F247C5
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F2477D
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E4540
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E1630
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E11A8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E5208
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E9EF8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E8980
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E44D0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E1621
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E5630
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E1198
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E90D0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E8DA6
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E8E21
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E9EE9
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052E8970
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_052ED9B0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06166600
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06165678
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0616C2E8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06161FC8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06169090
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06167600
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06167E28
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0616DA52
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0616566A
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06168AD8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06168AC8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_061652F8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06165308
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0616AF93
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06161FB9
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0616AC5F
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0616C44F
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06164490
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06169080
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06164481
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0616D8F7
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0616B173
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06161188
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_061665F0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06236300
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0623B378
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0627BE60
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06278788
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0627C7E0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06273C16
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06270040
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0627C1E8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0627CE78
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_062787C0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_062787CE
Source: 3cyvl4sj.3o3.exe | Binary or memory string: OriginalFilename vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000000.00000002.1127033582.0000000003A09000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMYDLLSTUBSHARED.dll4 vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000000.00000002.1127033582.0000000003A09000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamejsjenjVFcQJjTawISHszZsLsGdB.exe4 vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000000.00000002.1129380821.0000000004FA0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUnhook.dll. vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000000.00000002.1126978349.0000000002C38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename26.dll4 vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000000.00000000.1097545145.00000000006C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZImBOZX.dll< vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000000.00000000.1097545145.00000000006C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKJDHWAKD.exe2 vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1527248874.0000000006170000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1527430544.0000000006200000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1521817754.00000000007A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZImBOZX.dll< vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1521817754.00000000007A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKJDHWAKD.exe2 vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1522671847.0000000000F40000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1521777583.000000000044E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamejsjenjVFcQJjTawISHszZsLsGdB.exe4 vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1521963964.0000000000B87000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1527465134.0000000006210000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1526387301.0000000005250000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe | Binary or memory string: OriginalFilenameZImBOZX.dll< vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe | Binary or memory string: OriginalFilenameKJDHWAKD.exe2 vs 3cyvl4sj.3o3.exe
Source: 3cyvl4sj.3o3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/1@2/1
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3cyvl4sj.3o3.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_01
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 3cyvl4sj.3o3.exe | Virustotal: Detection: 63%
Source: 3cyvl4sj.3o3.exe | ReversingLabs: Detection: 74%
Source: unknown | Process created: C:\Users\user\Desktop\3cyvl4sj.3o3.exe 'C:\Users\user\Desktop\3cyvl4sj.3o3.exe'
Source: unknown | Process created: C:\Users\user\Desktop\3cyvl4sj.3o3.exe C:\Users\user\Desktop\3cyvl4sj.3o3.exe
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Process created: C:\Users\user\Desktop\3cyvl4sj.3o3.exe C:\Users\user\Desktop\3cyvl4sj.3o3.exe
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 3cyvl4sj.3o3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 3cyvl4sj.3o3.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Unhook.pdb | source: 3cyvl4sj.3o3.exe, 00000000.00000002.1129380821.0000000004FA0000.00000004.00000001.sdmp
Source: Binary string: 26.pdb | source: 3cyvl4sj.3o3.exe, 00000000.00000002.1126978349.0000000002C38000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ZImBOZX.pdbP-j- \-_CorDllMainmscoree.dll | source: 3cyvl4sj.3o3.exe
Source: Binary string: 26.pdbx | source: 3cyvl4sj.3o3.exe, 00000000.00000002.1126978349.0000000002C38000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ZImBOZX.pdb | source: 3cyvl4sj.3o3.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: 3cyvl4sj.3o3.exe, RUeR.cs | .Net Code: kFbd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.3cyvl4sj.3o3.exe.6c0000.0.unpack, RUeR.cs | .Net Code: kFbd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.3cyvl4sj.3o3.exe.6c0000.0.unpack, RUeR.cs | .Net Code: kFbd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.3cyvl4sj.3o3.exe.7a0000.1.unpack, RUeR.cs | .Net Code: kFbd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.3cyvl4sj.3o3.exe.7a0000.0.unpack, RUeR.cs | .Net Code: kFbd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_04FDC42D push ds; retf 0_2_04FDC433
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 0_2_04FDCBAE pushfd ; ret 0_2_04FDCBB5
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_00F2DD47 push edi; retn 0000h 2_2_00F2DD49
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0616DE32 push edi; iretd 2_2_0616DE3D
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06163F89 push es; iretd 2_2_06163F94
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0616DDEE push es; retf 2_2_0616DE04
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_062396E1 push es; ret 2_2_062396F0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06276E8B push edi; ret 2_2_06276E8D
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_0627969B push eax; retf 2_2_062796A0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06272AC8 push cs; iretd 2_2_06272AD0
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06276ED3 push edi; ret 2_2_06276EDA
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06273313 push es; iretd 2_2_0627331A
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06272BA0 push cs; iretd 2_2_06272BA4
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06272FE4 pushad ; retf 2_2_06272FE5
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06270BFA push edx; ret 2_2_06270BFB
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06277BD6 push es; retf 2_2_06277BD8
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06277BD2 push es; retf 2_2_06277BD4
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06277C22 push es; retf 2_2_06277C24
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06277C6E push es; retf 2_2_06277C70
Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Code function: 2_2_06277091 push 8BFFFFFFh; retf 2_2_0627709D
Source: initial sample | Static PE information: section name: .text entropy: 7.79815480205

Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Window / User API: threadDelayed 780
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 4564 Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 5952 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 2764 Thread sleep count: 780 > 30
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -59814s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -59594s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -57314s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -56220s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -55814s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -55626s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -55126s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -54720s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -53814s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -53626s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -53314s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -53126s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -52626s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -52438s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -48408s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -48220s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -47314s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -46500s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -45532s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -45126s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -44626s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -44438s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -44220s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -44032s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -43720s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -43314s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -41220s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -39720s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -35314s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -32408s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -31908s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -31720s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -30314s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -51500s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe TID: 3628 Thread sleep time: -41500s >= -30000s
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Last function: Thread delayed
              Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1527738811.0000000006460000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Process information queried: ProcessInformation

              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Code function: 2_2_00F242F6 LdrInitializeThunk, 2_2_00F242F6
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Memory written: C:\Users\user\Desktop\3cyvl4sj.3o3.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Process created: C:\Users\user\Desktop\3cyvl4sj.3o3.exe C:\Users\user\Desktop\3cyvl4sj.3o3.exe
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523006639.00000000014D0000.00000002.00000001.sdmp Binary or memory string: Program Manager
              Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523006639.00000000014D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
              Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523006639.00000000014D0000.00000002.00000001.sdmp Binary or memory string: Progman
              Source: 3cyvl4sj.3o3.exe, 00000002.00000002.1523006639.00000000014D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Queries volume information: C:\Users\user\Desktop\3cyvl4sj.3o3.exe VolumeInformation
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Code function: 2_2_00F220F8 GetUserNameW, 2_2_00F220F8
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings:

              Uses netsh to modify the Windows network and firewall settings
              Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match, File source: 00000000.00000002.1127878174.0000000003C95000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.1127033582.0000000003A09000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.1127718705.0000000003C05000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.1521700111.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.1523810287.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.1126304621.0000000002A00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: 3cyvl4sj.3o3.exe PID: 1664, type: MEMORY
              Source: Yara match, File source: Process Memory Space: 3cyvl4sj.3o3.exe PID: 4508, type: MEMORY
              Source: Yara match, File source: 2.2.3cyvl4sj.3o3.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal WLAN passwords
              Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to harvest and steal ftp login credentials
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Tries to steal Mail credentials (via file access)
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\Desktop\3cyvl4sj.3o3.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: Yara match, File source: Process Memory Space: 3cyvl4sj.3o3.exe PID: 1664, type: MEMORY

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match, File source: 00000000.00000002.1127878174.0000000003C95000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.1127033582.0000000003A09000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.1127718705.0000000003C05000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.1521700111.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.1523810287.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.1126304621.0000000002A00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: 3cyvl4sj.3o3.exe PID: 1664, type: MEMORY
              Source: Yara match, File source: Process Memory Space: 3cyvl4sj.3o3.exe PID: 4508, type: MEMORY
              Source: Yara match, File source: 2.2.3cyvl4sj.3o3.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 221 | Winlogon Helper DLL | Process Injection 112 | Masquerading 1 | Credential Dumping 2 | Virtualization/Sandbox Evasion 13 | Application Deployment Software | Email Collection 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Software Packing 13 | Credentials in Registry 1 | Process Discovery 2 | Remote Services | Data from Local System 2 | Exfiltration Over Other Network Medium | Uncommonly Used Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Disabling Security Tools 11 | Input Capture | Application Window Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Virtualization/Sandbox Evasion 13 | Credentials in Files | Account Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 11 | SIM Card Swap | | Premium SMS Toll Fraud
              Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection 112 | Account Manipulation | System Owner/User Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 3 | Brute Force | Security Software Discovery 121 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
              Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Remote System Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | File and Directory Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
              Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Information Discovery 114 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

              Behavior Graph

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process